Bug 552885

Summary: SELinux blocks LXDM
Product: [Fedora] Fedora
Reporter: Christoph Wickert <christoph.wickert>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 12
CC: dwalsh, kvolny, M8R-7fin56, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:101a235a7621ff4d94e7d202972e2de7d7af37d506bcc7e56ef9119df03dcba9
Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-11 14:40:24 UTC
Bug Blocks: 505781

Description Christoph Wickert 2010-01-06 13:10:22 UTC
Summary:

SELinux is preventing /usr/libexec/rtkit-daemon "setsched" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by rtkit-daemon. It is not expected that this
access is required by rtkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                None [ process ]
Source                        rtkit-daemon
Source Path                   /usr/libexec/rtkit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rtkit-0.4-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-59.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 06 Jan 2010 13:58:38 CET
Last Seen                     Wed 06 Jan 2010 14:04:21 CET
Local ID                      c386a492-7a11-4e9d-b592-c625bee66881
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1262783061.90:76): avc:  denied  { setsched } for  pid=2004 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1262783061.90:76): arch=c000003e syscall=144 success=yes exit=0 a0=22df a1=40000002 a2=7fff21071130 a3=3e items=0 ppid=1 pid=2004 auid=4294967295 uid=490 gid=479 euid=490 suid=490 fsuid=490 egid=479 sgid=479 fsgid=479 tty=(none) ses=4294967295 comm="rtkit-daemon" exe="/usr/libexec/rtkit-daemon" subj=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-59.fc12,catchall,rtkit-daemon,rtkit_daemon_t,initrc_t,process,setsched
audit2allow suggests:
audit2allow is not installed.

Comment 1 Christoph Wickert 2010-01-06 13:17:02 UTC
This happens whenever I log in with lxdm.

How reproducible:
always

Steps to Reproduce:
1. yum install lxdm
2. echo "DISPLAYMANAGER=/usr/bin/lxdm" >> /etc/sysconfig/desktop
3. init 3 && init 5
4. log in

Actual results:
2 SELinux denials (attaching the other one)

Comment 2 Christoph Wickert 2010-01-06 13:18:06 UTC
SELinux denied access requested by restorecond. It is not expected that this
access is required by restorecond and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:restorecond_t:s0
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                 [ unix_stream_socket ]
Source                        restorecond
Source Path                   /usr/sbin/restorecond
Port                          <Unknown>
Host                          wicktop.localdomain
Source RPM Packages           policycoreutils-2.0.78-3.fc12
Target RPM Packages           filesystem-2.4.30-2.fc12
Policy RPM                    selinux-policy-3.6.32-59.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     wicktop.localdomain
Platform                      Linux wicktop.localdomain 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 06 Jan 2010 13:58:39 CET
Last Seen                     Wed 06 Jan 2010 13:58:39 CET
Local ID                      814d793d-5e37-45ed-b553-5f5617bb6f2b
Line Numbers                  

Raw Audit Messages            

node=wicktop.localdomain type=AVC msg=audit(1262782719.998:55): avc:  denied  { connectto } for  pid=8358 comm="restorecond" path=002F746D702F646275732D6E356B5167436B453150 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=wicktop.localdomain type=SYSCALL msg=audit(1262782719.998:55): arch=c000003e syscall=42 success=yes exit=4294967424 a0=4 a1=7fff919d9d10 a2=17 a3=7fff919d9a90 items=0 ppid=1 pid=8358 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)

Comment 3 Daniel Walsh 2010-01-06 13:35:48 UTC
This looks like you are logging in with a context of initrc_t, which is causing all of your problems.

Are you using gdm or kdm to login?  If so you must have a badly labeled system, since the login programs should be running under a different context.

ps -eZ | grep gdm
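The raw audit messages in the Description and Comment 2 are easier to triage once parsed. This added Python example (not part of the bug report, setroubleshoot or audit2allow) groups the denials per source type, target type and object class the way audit2allow would, decodes the hex-encoded abstract-socket path in Comment 2's record, and turns Comment 3's diagnosis (process-class denials against initrc_t point at a mislabeled login path) into a check; the sample records are the two AVC lines quoted on this page, and the `mislabel_hints` heuristic is the editor's own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug (Description and Comment 2).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1262783061.90:76): avc:  denied  { setsched } for  pid=2004 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process
node=wicktop.localdomain type=AVC msg=audit(1262782719.998:55): avc:  denied  { connectto } for  pid=8358 comm="restorecond" path=002F746D702F646275732D6E356B5167436B453150 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd emits hex-encoded (unquoted) when the value holds NUL, quotes or non-printables.
STRING_FIELDS = {'comm', 'exe', 'name', 'path', 'cwd'}

def decode_field(key, value):
    """Strip quotes or hex-decode; a leading NUL (abstract unix socket) is shown as '@' like ss does."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in STRING_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', value):
        return bytes.fromhex(value).decode('latin-1').replace('\x00', '@')
    return value

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in rec or 'tcontext' not in rec or 'tclass' not in rec:
        return None
    rec['result'] = m.group('result')
    rec['perms'] = sorted(m.group('perms').split())
    # A context is user:role:type[:range]; only the type drives type-enforcement rules.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Group denials per (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for rec in map(parse_avc, text.splitlines()):
        if rec and rec['result'] == 'denied':
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

def mislabel_hints(text, domains=('initrc_t', 'unconfined_t')):
    """Editor's heuristic from Comment 3: process-class denials against initrc_t/unconfined_t."""
    return sorted({rec.get('comm', '?') for rec in map(parse_avc, text.splitlines())
                   if rec and rec['tclass'] == 'process' and rec['ttype'] in domains})
```

Programs listed by `mislabel_hints` are candidates for checking file labels (the fix in Comment 4) before writing any allow rule.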

Comment 4 Christoph Wickert 2010-01-06 14:42:21 UTC
(In reply to comment #3)
> Are you using gdm or kdm to login?  

As I wrote in my report I'm using lxdm, the login manager of LXDE. ;)

> If so you must have a badly labeled system,
> since the login programs should be running under a different context.

Oops, after the slim bug I filed I should have been smart enough to find this out myself. I was able to get rid of the messages by applying the following changes:

1. Changed /usr/bin/lxdm and /usr/bin/lxdm-binary from bin_t to xdm_exec_t. (lxdm is just a wrapper that calls lxdm-binary with the proper options, similar to gdm and gdm-binary)
2. Changed /var/run/lxdm.pid from var_run_t to xdm_var_run_t
3. Changed /var/log/lxdm.log from var_log_t to xdm_log_t

After that I got *lots* of errors regarding my homedir, but these disappeared after adding pam_selinux.so to /etc/pam.d/lxdm. I will push these changes in a lxdm update later today.

Now I still get three denials from lxdm:

SELinux is preventing /usr/bin/lxdm-greeter-gtk "read" access on
/root/.config/ibus/bus/0eb097b761e479c84c90dae54a345666-unix-0.

[...]

node=wicktop.localdomain type=AVC msg=audit(1262786988.461:29160): avc:  denied  { read } for  pid=2770 comm="lxdm-greeter-gt" name="0eb097b761e479c84c90dae54a345666-unix-0" dev=dm-0 ino=667899 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1262786988.461:29160): avc:  denied  { open } for  pid=2770 comm="lxdm-greeter-gt" name="0eb097b761e479c84c90dae54a345666-unix-0" dev=dm-0 ino=667899 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1262786988.461:29160): arch=c000003e syscall=2 success=yes exit=4294967424 a0=1cce510 a1=0 a2=1b6 a3=0 items=0 ppid=1934 pid=2770 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-greeter-gt" exe="/usr/bin/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


SELinux is preventing /usr/bin/lxdm-greeter-gtk "getattr" access on
/root/.config/ibus/bus/0eb097b761e479c84c90dae54a345666-unix-0.

[similar to "read" above]

I guess for these two I will need to set up a lxdm user with a home of his own, so that lxdm doesn't run as root, right?


SELinux is preventing /usr/bin/lxdm-binary "relabelfrom" access on tty1.

[...]

node=wicktop.localdomain type=AVC msg=audit(1262787012.120:29165): avc:  denied  { relabelfrom } for  pid=1934 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2245 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=AVC msg=audit(1262787012.120:29165): avc:  denied  { relabelto } for  pid=1934 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2245 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1262787012.120:29165): arch=c000003e syscall=188 success=yes exit=0 a0=7fff1bcc1d10 a1=3c85e15649 a2=1829030 a3=2b items=0 ppid=1 pid=1934 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) ses=2 comm="lxdm-binary" exe="/usr/bin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


I don't know what to do with this one. And is there anything else that is needed to make lxdm work properly? I guess we have covered the important bits.

# rpm -ql lxdm
/etc/lxdm
/etc/lxdm/Xsession
/etc/lxdm/lxdm.conf
/etc/lxdm/xinitrc
/etc/pam.d/lxdm
/usr/bin/lxdm
/usr/bin/lxdm-binary
/usr/bin/lxdm-greeter-gtk
/usr/share/doc/lxdm-0.0.3
[...]
/usr/share/locale/de/LC_MESSAGES/lxdm.mo
[...]
/usr/share/lxdm
/usr/share/lxdm/lxdm.glade
/var/log/lxdm.log
/var/run/lxdm.pid

Comment 5 Daniel Walsh 2010-01-06 15:55:20 UTC
rm -rf /root/.config

Will eliminate the AVC about using .config, I believe.  This was caused by a previous login to root via X.  (I think)

Not sure what is causing the relabel of the tty_device_t avc.
How are you handling the xauth files?

Miroslav add to xserver.fc

/usr/bin/lxdm				gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/lxdm-binary			gen_context(system_u:object_r:xdm_exec_t,s0)

/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)

/var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)

Comment 6 Miroslav Grepl 2010-01-08 13:50:27 UTC
Added to selinux-policy-3.6.32-68.fc12.noarch

Comment 7 Karel Volný 2010-01-26 16:03:14 UTC
I'm afraid the latest changes related to this bug introduced a regression ... I can't log in via lxdm with selinux enforcing now (after update to selinux-policy-3.6.32-69.fc12.noarch from selinux-policy-3.6.32-66.fc12.noarch)

there are messages like those below (oh, and btw, how does it come that it is in dmesg and not audit.log? - I have to investigate further)

type=1401 audit(1264520328.747:5): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
eth0: no IPv6 routers present
type=1400 audit(1264520499.986:6): avc:  denied  { signull } for  pid=1200 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process
type=1401 audit(1264520500.026:7): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
type=1400 audit(1264520510.109:8): avc:  denied  { signull } for  pid=1200 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process
type=1401 audit(1264520510.130:9): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process

Comment 8 Daniel Walsh 2010-01-27 15:12:08 UTC
What process is running as system_u:system_r:unconfined_t?

Is lxdm running as xdm_t?  Is lxdm using pam_selinux in its pam stack?

Comment 9 Christoph Wickert 2010-01-27 15:26:07 UTC
Yes, at least in 0.1.0-0.1. Karel, please try the version from 
https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381

Comment 10 Karel Volný 2010-01-28 11:07:45 UTC
(In reply to comment #9)
> Yes, at least in 0.1.0-0.1. Karel, please try the version from 
> https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381    

I've got lxdm-0.1.0-0.1.fc12.i686 already installed, and it worked for me before the last upgrade ... I see there are some selinux updates today, going to reboot to try again

Comment 11 Christoph Wickert 2010-01-29 14:07:36 UTC
@Miroslav and Daniel:
The latest version of LXDM also has an auth file. I guess /var/run/lxdm.auth needs to be labeled xauth_t because now I get:

SELinux is preventing /usr/bin/xauth "write" access on /var/run.
SELinux is preventing /usr/bin/xauth "link" access on lxdm.auth-c.
SELinux is preventing /usr/bin/xauth "getattr" access on /var/run/lxdm.auth-n.
SELinux is preventing /usr/bin/xauth "remove_name" access on lxdm.auth-n.

Comment 12 Daniel Walsh 2010-01-29 14:37:41 UTC
It probably would be better to move these /var/run files into their own directory owned by the lxdm package.

/var/run/lxdm/

Miroslav can you add 

/var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)

Comment 13 Christoph Wickert 2010-01-29 14:40:50 UTC
(In reply to comment #12)
> It probably would be better to move these /var/run files into their own
> director owned by lxdm package.
> 
> /var/run/lxdm/

Yeah, guessed that since we already had the same with SLIM. I will talk to upstream about that.

Comment 14 Miroslav Grepl 2010-02-01 13:58:24 UTC
> 
> Miroslav can you add 
> 
> var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
> /var/run/lxdm(/*.)?  gen_context(system_u:object_r:xdm_var_run_t,s0)    

Added to selinux-policy-3.6.32-80.fc12.

Comment 15 Fedora Update System 2010-02-03 23:18:21 UTC
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

Comment 16 Fedora Update System 2010-02-05 01:42:46 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

Comment 17 Fedora Update System 2010-02-11 14:35:27 UTC
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Karel Volný 2010-03-05 15:11:21 UTC
verified, it works now with selinux-policy-3.6.32-92.fc12 and lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 - thanks!

(and sorry for not responding on this bug earlier)