Bug 556643
| Field | Value |
|---|---|
| Summary | SELinux is preventing /sbin/setfiles "read" access on /var/spool/gdm/force-display-on-active-vt (deleted) |
| Product | Fedora |
| Component | kdebase-workspace |
| Version | 12 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Anthony Messina <amessina> |
| Assignee | Than Ngo <than> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dan, dct996, dwalsh, fedora, fedora, jasonbstubbs, jreznik, kevin, lorenzo, ltinkl, lukaszlucka, rdieter, smparrish, than |
| Fixed In Version | 4.3.4-6.fc12 |
| Doc Type | Bug Fix |
| Last Closed | 2010-01-22 22:31:37 UTC |
This looks like kdm is leaking a file descriptor to /var/spool/gdm/force-display-on-active-vt.

I just copy-n-pasted the same code gdm uses. Here's the code, http://cvs.fedoraproject.org/viewvc/devel/kdebase-workspace/kdebase-workspace-4.3.3-kdm_plymouth.patch?revision=1.1&view=markup

31 + should_force_display_on_active_vt=open("/var/spool/gdm/force-display-on-active-vt", O_RDONLY);
32 + unlink("/var/spool/gdm/force-display-on-active-vt");
33 + return should_force_display_on_active_vt;
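Review bot: the descriptor from open() on line 31 is handed back as the function's only result, so whether it is ever closed depends on every call site remembering to do it, and none does here; because line 32 unlinks the file while it is still open, the leaked descriptor pins a deleted inode, which is the "(deleted)" path in the AVC, and since the open() uses plain O_RDONLY the descriptor is also inherited by every program kdm exec()s afterwards (the audit record shows restorecon holding it). Close the descriptor inside this function and return a boolean, or open with O_RDONLY | O_CLOEXEC and close() immediately after the existence check, e.g. `if (fd >= 0) close(fd); return fd >= 0;`.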
open without close here.
Ah, thanks. FWIW, gdm used g_file_test there (which must handle the closing itself).

After upgrading to kdm-4.3.90-8.fc12.x86_64 from kdm-4.3.90-5.fc12.x86_64, kdm segfaults due to what appears to be infinite recursion. I'll attach the strace in a second, but it would appear that the attempted fix for this bug is the cause, as the trace is mostly:
open("/var/spool/gdm/force-display-on-active-vt", O_RDONLY) = -1 ENOENT (No such file or directory)
Created attachment 385565: "strace kdm -nodaemon >& kdm.strace" (gzipped)
This is yet another bug in the patch:

+ if ( triggered_to_force_display_on_active_vt() >= 0 )
+ close(should_force_display_on_active_vt);

That should be:

+ if ( should_force_display_on_active_vt >= 0 )
+ close(should_force_display_on_active_vt);

otherwise we have infinite recursion.

*** Bug 557536 has been marked as a duplicate of this bug. ***

Marking dep on kde-4.4 (unless someone is interested in backporting the fix to 4.3.x in the meantime).

Don't mind me, Kevin already did the backport builds.

*** Bug 557777 has been marked as a duplicate of this bug. ***

kdebase-workspace-4.3.4-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

kdebase-workspace-4.3.4-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 557502 has been marked as a duplicate of this bug. ***

*** Bug 558287 has been marked as a duplicate of this bug. ***
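Review bot: the first quoted hunk tests `triggered_to_force_display_on_active_vt() >= 0` instead of the value already stored in should_force_display_on_active_vt, so the helper is invoked a second time; when that line sits inside the helper itself the call recurses without bound, which is exactly the strace of endlessly repeated `open("/var/spool/gdm/force-display-on-active-vt", O_RDONLY) = -1 ENOENT`, and even from outside the helper the extra call would open a second descriptor that nothing closes. The second quoted form, `if ( should_force_display_on_active_vt >= 0 ) close(should_force_display_on_active_vt);`, compares the saved descriptor and is the one to keep.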
Using KDM with autologin enabled (no GDM installed) for my MythTV frontends, I receive the following SELinux denials at startup. I must admit, I'm not sure what it's trying to do, and even in enforcing mode it doesn't seem to affect the function of auto-login for KDM.

Source Context: unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context: system_u:object_r:xdm_spool_t:s0
Target Objects: /var/spool/gdm/force-display-on-active-vt (deleted) [ file ]
Source: restorecon
Source Path: /sbin/setfiles
Port: <Unknown>
Host: mythtv-fe1.chicago.messinet.com
Source RPM Packages: policycoreutils-2.0.78-7.fc12
Policy RPM: selinux-policy-3.6.32-66.fc12
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: mythtv-fe1.chicago.messinet.com
Platform: Linux mythtv-fe1.chicago.messinet.com 2.6.31.9-174.fc12.x86_64 #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Alert Count: 8
First Seen: Wed Jan 13 17:50:14 2010
Last Seen: Mon Jan 18 17:19:30 2010
Local ID: 0f81d51f-453f-4f14-82df-948d4616e179

Raw Audit Messages:

node=mythtv-fe1.chicago.messinet.com type=AVC msg=audit(1263856770.436:12): avc: denied { read } for pid=1741 comm="restorecon" path=2F7661722F73706F6F6C2F67646D2F666F7263652D646973706C61792D6F6E2D6163746976652D7674202864656C6574656429 dev=dm-0 ino=262309 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_spool_t:s0 tclass=file

node=mythtv-fe1.chicago.messinet.com type=SYSCALL msg=audit(1263856770.436:12): arch=c000003e syscall=59 success=yes exit=0 a0=bf51e0 a1=bf5140 a2=bf0ef0 a3=18 items=0 ppid=1735 pid=1741 auid=509 uid=509 gid=509 euid=509 suid=509 fsuid=509 egid=509 sgid=509 fsgid=509 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
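The two shapes of the trigger-file check discussed in this bug, side by side, as an added example that is not kdm's or gdm's code and not the patch's own lines. The leaky shape reconstructs the logic of the quoted hunk (open, unlink, return the raw descriptor); the fixed shape closes the descriptor itself and returns only the existence flag the caller needs. The path is passed in so the demo runs against a constructed temporary file under /tmp instead of /var/spool/gdm, and the function names leaky_trigger_check, trigger_file_present, fd_is_open, make_trigger and leaked_by are names chosen for this example. leaked_by() measures the leak by probing which descriptor number the kernel hands out next, so no /proc inspection is needed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE      /* O_CLOEXEC and mkstemp() under strict -std modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Leaky shape (reconstructed from the hunk quoted in the bug): the open()
 * result is the return value, so every caller owns a descriptor it did not
 * ask for. Forget the close() and the already-unlinked file stays open;
 * without O_CLOEXEC every program exec()'d later inherits it as well. */
static int leaky_trigger_check(const char *path)
{
    int fd = open(path, O_RDONLY);
    unlink(path);
    return fd;
}

/* Fixed shape: the caller only needs "did the trigger exist?", so the
 * descriptor is closed here and a flag is returned. O_CLOEXEC keeps the
 * descriptor out of any child exec()'d by another thread during the short
 * window it is open. */
static int trigger_file_present(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;                  /* typically ENOENT: nothing forced us */
    close(fd);
    if (unlink(path) < 0 && errno != ENOENT)
        perror("unlink");          /* the trigger is consumed once seen */
    return 1;
}

/* True if fd refers to an open descriptor in this process. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Creates an empty trigger file with a constructed name under /tmp, the
 * stand-in for /var/spool/gdm/force-display-on-active-vt; fills buf. */
static int make_trigger(char *buf, size_t len)
{
    static const char tmpl[] = "/tmp/force-display-demo-XXXXXX";
    if (len < sizeof tmpl)
        return -1;
    strcpy(buf, tmpl);
    int fd = mkstemp(buf);         /* creates the file and rewrites buf */
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Runs one helper on a fresh trigger file and returns how many descriptors
 * it left behind, found by comparing the lowest free fd before and after:
 * 1 for the leaky shape, 0 for the fixed one, -1 on setup failure. */
static int leaked_by(int use_fixed)
{
    char path[64];
    if (make_trigger(path, sizeof path) < 0)
        return -1;
    int probe_before = open("/dev/null", O_RDONLY);   /* lowest free fd now */
    close(probe_before);
    int leaked_fd = -1;
    if (use_fixed)
        trigger_file_present(path);
    else
        leaked_fd = leaky_trigger_check(path);        /* caller never closes */
    int probe_after = open("/dev/null", O_RDONLY);    /* shifts up if leaked */
    close(probe_after);
    if (leaked_fd >= 0)
        close(leaked_fd);          /* tidy up after measuring */
    return probe_after - probe_before;
}

int main(void)
{
    printf("leaky helper leaves %d descriptor(s) open\n", leaked_by(0));
    printf("fixed helper leaves %d descriptor(s) open\n", leaked_by(1));
    return 0;
}
```

The probe trick relies on POSIX handing out the lowest unused descriptor number: if the helper leaked one, the next open() lands one slot higher. Running the binary under strace would show the same thing the reporter saw in the AVC, an unlinked file still open in the process, for the leaky shape only.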