Bug 512264

Summary: SELinux blocks SLiM
Product: [Fedora] Fedora Reporter: Christoph Wickert <christoph.wickert>
Component: slimAssignee: Lorenzo Villani <lorenzo>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: afb, davidz, dcantrell, dwalsh, pertusus, schaeksh
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-10-10 12:37:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 505781    
Attachments:
Description Flags
sealert error message none

Description Christoph Wickert 2009-07-16 21:44:50 UTC 
Created attachment 354051 [details]
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open","getattr","read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it
  
Actual results:
No login manager but a lot of Selinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.
Comment 1 Christoph Wickert 2009-07-16 21:45:48 UTC 
Comment on attachment 354051 [details]
sealert error message

This is the alert for getattr, I have similar errors for open, read and unlink.
Comment 2 Daniel Walsh 2009-07-19 16:06:35 UTC 
If you 

chcon -t xdm_var_run_t /var/run/slim\*

Does everything work?
Comment 3 Christoph Wickert 2009-07-23 21:04:20 UTC 
semanage -a -t xdm_var_run_t /var/run/slim.auth 
did the trick, slim.run already gets created xdm_var_run_t. Would be nice to have this in the policy, so I don't need no hack on the livecd.
Comment 4 Daniel Walsh 2009-07-27 17:51:20 UTC 
Miroslav can you add this labeling?

/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
Comment 5 Miroslav Grepl 2009-07-27 18:01:31 UTC 
I will push out a new selinux-policy release with this change tomorrow.
Comment 6 Miroslav Grepl 2009-07-28 13:20:54 UTC 
Fixed in selinux-policy-3.6.12-70.fc11
Comment 7 Christoph Wickert 2009-08-06 00:28:01 UTC 
Works fine, thanks!
Comment 8 Christoph Wickert 2009-08-18 21:33:52 UTC 
Sorry, I was too fast. It's still not working. The strange thing is: It works fine when installed, but not from the livecd.

Try yourself with the latest LXDE livecd from 
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

Let me know If I can help you testing, debugging or whatever.
Comment 9 Daniel Walsh 2009-08-18 22:34:43 UTC 
Then this is a bug in the livecd program.
Comment 10 Jeremy Katz 2009-08-19 19:12:54 UTC 
There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run.  Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t)

The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and then the new files within it will get the right context.
Comment 11 Daniel Walsh 2009-08-20 11:55:59 UTC 
But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/slim

And we have this line in policy

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

WHich says if a process running as xdm_t creates a dir,file. fifo_file or sock_file in var_run_t it will label it xdm_var_run_t

So something else is creating this file or the /usr/bin/slim is not labeled correctly.
Comment 12 Huub Schaeks 2009-08-30 11:59:42 UTC 
/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file.

The solution you suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=518068

works.
Comment 13 Lorenzo Villani 2009-10-10 12:37:43 UTC 
Using #518068 to track this issue.

*** This bug has been marked as a duplicate of bug 518068 ***