Bug 564320
| Summary: | can't login via lxdm with selinux enforcing | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Karel Volný <kvolny> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | christoph.wickert, dcantrell, dgod.osa, dwalsh, M8R-7fin56, mgrepl, michael.monreal, notting |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | lxdm-0.2.0-4.fc12 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-05-18 23:35:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Do you have pam_selinux in the lxdm pam stack? Miroslav add
allow xdm_t xserver_t:process { signal signull };
to F12 policy.
Fixed in selinux-policy-3.6.32-90.fc12 Karel, are you using the lxdm version from updates-testing as mentioned in bug 552885? Somehow it's stuck in the updates system, status is "pending" for two weeks now. Please try https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381 (In reply to comment #1) > Do you have pam_selinux in the lxdm pam stack? Yes, we already had this in bug 552885. (In reply to comment #4) > Karel, are you using the lxdm version from updates-testing as mentioned in bug > 552885? Somehow it's stuck in the updates system, status is "pending" for two > weeks now. This bug has been driving me crazy for awhile now but I haven't had time (or courage, maybe!) to test out the above fix. I'm curious, why is it "stuck" and how do you "unstick" it? Please don't ask me, I don't know because I didn't write bodhi. The update is literally stuck between updates-testing and stable, this means it doesn't get pushed on the regular pushes although it should. I have no idea if there is a way to manually push the updates and I will ask rel-eng to do this. Until then, please download the package manually and install it. It's just a few clicks, nothing will break. Dan, Miroslav, things have changed in lxdm 0.2.0 (not yet built):
lxdm and lxdm-binary were moved to sbindir. Please adjust the policy as follows:
$ ls -Z /usr/sbin/lxdm*
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0 /usr/sbin/lxdm
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0 /usr/sbin/lxdm-binary
With these changes one alert remains:
SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1.
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:tty_device_t:s0
Zielobjekte tty1 [ chr_file ]
Quelle lxdm-binary
Quellen-Pfad /usr/sbin/lxdm-binary
Port <Unbekannt>
Quellen-RPM-Pakete lxdm-0.2.0-0.1.gite3afbb576.fc12
Ziel-RPM-Pakete
RPM-Richtlinie selinux-policy-3.6.32-84.fc12
SELinux aktiviert True
Richtlinienversion targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Hostname wicktop.localdomain
Anzahl der Alarme 2
Zuerst gesehen Fr 19 Feb 2010 12:46:36 CET
Zuletzt gesehen Fr 19 Feb 2010 12:46:36 CET
Lokale ID 70aa338a-5c32-462d-b3d6-c127fdc6d4c4
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1266579996.892:13): avc: denied { relabelfrom } for pid=1998 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2301 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
node=wicktop.localdomain type=AVC msg=audit(1266579996.892:13): avc: denied { relabelto } for pid=1998 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2301 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
node=wicktop.localdomain type=SYSCALL msg=audit(1266579996.892:13): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe2afe560 a1=3d22815689 a2=13fc8c0 a3=2b items=0 ppid=1 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Why is lxdm not using pseudo devices? It seems to be taking the "physical" device tty1 and relabeling it to a user_tty_device_t. local login does this but I have never seen gdm or kdm do this? Miroslav, make the /usr/bin->/usr/sbin changes usr/(s)?bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0) What are "pseudo" devices in this case? /dev/pts/0 hi, I don't know selinux well, but to this bug, what operation will cause relable, as my lxdm code really don't do any thing about selinux, it's a little strage to me. as lxdm it self not do the relabel, is it possible that, pam or consolekit do it? Yes lxdm does the relabel. what system call or operation will relabel tty? pam_selinux is handed a tty and it attempts to relabel it. In this case it is being handed the physical console rather then a pseudo terminal. Which I think is wrong. But I can make the change if this is the correct behaviour. I think use tty is correct, lxdm use it for vt switch. Can just remove pam_selinux.so from pam config a solution? No because this is needed for SELinux. Miroslav add term_relabel_all_ttys(xdm_t) Fixed in selinux-policy-3.6.32-92.fc12 selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12 selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953 lxdm-0.1.1-0.1.20100303gite4f7b39.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc13 lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 lxdm-0.1.1-0.1.20100303gite4f7b39.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc11 lxdm-0.1.1-0.1.20100303gite4f7b39.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F13/FEDORA-2010-3515 lxdm-0.1.1-0.1.20100303gite4f7b39.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-3534 lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-3535 selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. I cannot login using lxdm live-boot on F13 nightly build: lxde-x86_64-20100312.22.iso keeps looping user<>password this is with setenforce=0 as kernel argument. only "telinit 3" allows login as root or liveuser, then type startx. Report this as a lxdm bug not an SELinux problem. Frank, if it happens with setenforce=0, it cannot be a SELinux problem. Please file a new bug against LXDM. if you see any SELinux alerts, please reopen this bug and attach them here. And please don't forget to mention what version of the components you are using. lxdm-0.1.1-0.2.20100303gite4f7b39.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. (In reply to comment #18) > Miroslav add > > term_relabel_all_ttys(xdm_t) Was this really added? I still see the "relabelfrom" error on login and the "relabelto" one after logout. $ rpm -q selinux-policy lxdm selinux-policy-3.6.32-106.fc12.noarch lxdm-0.2.0-0.2.20100405gitd65ce94.fc12.x86_64 Chris please show the latest avc messages. Zusammenfassung: SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1. Detaillierte Beschreibung: [SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.] SELinux denied access requested by lxdm-binary. It is not expected that this access is required by lxdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Zugriff erlauben: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:tty_device_t:s0 Zielobjekte tty1 [ chr_file ] Quelle lxdm-binary Quellpfad /usr/sbin/lxdm-binary Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.6.32-106.fc12 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64 Anzahl der Alarme 6 Zuerst gesehen Mo 05 Apr 2010 22:26:45 CEST Zuletzt gesehen Di 06 Apr 2010 10:44:02 CEST Lokale ID b194f7a6-31e9-46d8-9b7c-e71defb8727f Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1270543442.589:25): avc: denied { relabelfrom } for pid=4071 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file node=wicktop.localdomain type=SYSCALL msg=audit(1270543442.589:25): arch=c000003e syscall=188 success=yes exit=0 a0=7fff6c09fa20 a1=3e6a615669 a2=1aecf50 a3=2b items=0 ppid=1 pid=4071 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux is preventing /usr/sbin/lxdm-binary "relabelto" access on tty1. Detaillierte Beschreibung: [SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.] SELinux denied access requested by lxdm-binary. It is not expected that this access is required by lxdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Zugriff erlauben: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:tty_device_t:s0 Zielobjekte tty1 [ chr_file ] Quelle lxdm-binary Quellpfad /usr/sbin/lxdm-binary Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.6.32-106.fc12 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64 Anzahl der Alarme 2 Zuerst gesehen Di 06 Apr 2010 01:31:02 CEST Zuletzt gesehen Di 06 Apr 2010 01:32:12 CEST Lokale ID d4eac8d3-a7d4-4795-9142-0ce614a2bd3b Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1270510332.22:756): avc: denied { relabelto } for pid=22400 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file node=wicktop.localdomain type=SYSCALL msg=audit(1270510332.22:756): arch=c000003e syscall=188 success=yes exit=0 a0=7fff0d0a71b0 a1=3e6a615669 a2=11dd780 a3=22 items=0 ppid=1 pid=22400 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Dan, term_relabel_unallocated_ttys(xdm_t) is needed. Yes I have this in F13. Fixed in selinux-policy-3.6.32-110.fc12 lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 selinux-policy-3.6.32-110.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12 selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12 selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. What about F13? I installed a F13 system yesterday and yum update'd it, still I was not able to use lxdm until selinux was disabled. This should be fixed long ago, at least I was told so three times now. Let me test... Confirmed, it's still not working in enforcing more, on the other hand I get no alerts if I try in permissive mode. Dan, Miroslav, any ideas how to further debug this?
After trying in enforcing mode, I see the flowing 2 alerts:
Zusammenfassung:
SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf
/root/.config/ibus/bus.
Detaillierte Beschreibung:
[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]
SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.
Zugriff erlauben:
Beschränkte Prozesse können so konfiguriert werden, dass sie mit
unterschiedlichen Zugriffen laufen, SELinux stellt Booleans zur Verfügung, mit
deren Hilfe Sie den Zugriff bei Bedarf ein- und ausschalten können. Der
boolesche Wert allow_polyinstantiation ist ungültig gesetzt.
Boolesche Beschreibung:
Enable polyinstantiated directory support.<br
Befehl berichtigen:
# setsebool -P allow_polyinstantiation 1
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:config_home_t:s0
Zielobjekte /root/.config/ibus/bus [ dir ]
Quelle lxdm-greeter-gt
Quellpfad /usr/libexec/lxdm-greeter-gtk
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-6.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall_boolean
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
#1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme 2
Zuerst gesehen So 02 Mai 2010 15:36:13 CEST
Zuletzt gesehen So 02 Mai 2010 15:39:38 CEST
Lokale ID 20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1272807578.109:23): avc: denied { setattr } for pid=3610 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir
node=wicktop.localdomain type=SYSCALL msg=audit(1272807578.109:23): arch=c000003e syscall=90 success=yes exit=0 a0=22b5e50 a1=1c0 a2=22b5fd0 a3=7fffa7fc2d60 items=0 ppid=3591 pid=3610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Zusammenfassung:
SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf
/root/.config/ibus/bus.
Detaillierte Beschreibung:
[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]
SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.
Zugriff erlauben:
Beschränkte Prozesse können so konfiguriert werden, dass sie mit
unterschiedlichen Zugriffen laufen, SELinux stellt Booleans zur Verfügung, mit
deren Hilfe Sie den Zugriff bei Bedarf ein- und ausschalten können. Der
boolesche Wert allow_polyinstantiation ist ungültig gesetzt.
Boolesche Beschreibung:
Enable polyinstantiated directory support.<br
Befehl berichtigen:
# setsebool -P allow_polyinstantiation 1
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:config_home_t:s0
Zielobjekte /root/.config/ibus/bus [ dir ]
Quelle lxdm-greeter-gt
Quellpfad /usr/libexec/lxdm-greeter-gtk
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-6.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall_boolean
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
#1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme 2
Zuerst gesehen So 02 Mai 2010 15:36:13 CEST
Zuletzt gesehen So 02 Mai 2010 15:39:38 CEST
Lokale ID 20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1272807578.109:23): avc: denied { setattr } for pid=3610 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir
node=wicktop.localdomain type=SYSCALL msg=audit(1272807578.109:23): arch=c000003e syscall=90 success=yes exit=0 a0=22b5e50 a1=1c0 a2=22b5fd0 a3=7fffa7fc2d60 items=0 ppid=3591 pid=3610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Are you logging in as root? No, root login is disabled as in GDM. I guess this is from LXDM itself.
I found something interesting in /var/log/messages:
May 2 15:36:18 wicktop setroubleshoot: SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf /root/.config/ibus/bus. For complete SELinux messages. run sealert -l 20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
May 2 15:36:58 wicktop dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
This might explain why we are not seeing another denial in sealert.
And two more denials:
Zusammenfassung:
SELinux verhindert /usr/sbin/lxdm-binary "signull" Zugriff .
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Zielobjekte None [ process ]
Quelle lxdm-binary
Quellpfad /usr/sbin/lxdm-binary
Port <Unbekannt>
Host (entfernt)
RPM-Pakete der Quelle lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-6.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Rechnername (entfernt)
Plattform Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
#1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme 1
Zuerst gesehen Mo 03 Mai 2010 01:31:01 CEST
Zuletzt gesehen Mo 03 Mai 2010 01:31:01 CEST
Lokale ID 5fb018a6-2ca4-47d1-baa4-7bb74c3cedec
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1272843061.67:168): avc: denied { signull } for pid=3584 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node=wicktop.localdomain type=SYSCALL msg=audit(1272843061.67:168): arch=c000003e syscall=62 success=yes exit=0 a0=e6b a1=0 a2=360ad82330 a3=1 items=0 ppid=1 pid=3584 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Zusammenfassung:
SELinux verhindert /bin/bash "open" Zugriff on console.
Zusätzliche Informationen:
Quellkontext system_u:system_r:ksmtuned_t:s0
Zielkontext system_u:object_r:console_device_t:s0
Zielobjekte console [ chr_file ]
Quelle ksmtuned
Quellpfad /bin/bash
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle bash-4.1.2-4.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-6.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
#1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme 11
Zuerst gesehen So 02 Mai 2010 15:39:33 CEST
Zuletzt gesehen Mo 03 Mai 2010 19:34:55 CEST
Lokale ID a59d8195-6820-472c-b54f-e68919a463f9
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1272908095.277:22): avc: denied { open } for pid=3541 comm="ksmtuned" name="console" dev=devtmpfs ino=5511 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
node=wicktop.localdomain type=SYSCALL msg=audit(1272908095.277:22): arch=c000003e syscall=2 success=yes exit=3 a0=cea010 a1=802 a2=c a3=1000 items=0 ppid=3540 pid=3541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null)
the ksmtuned and dbus messages are unrelated. ksmtuned is fixed in the latest policy. I will add the signull rule. If you add that rule does login work in enforcing mode? # grep signull /var/log/audit/audit.log | audit2allow -M myxdm # semodule -i myxdm.pp On my machine it is trying to read /etc/shadow directly and failing. How does one setup lxdm to use pam? (In reply to comment #48) > I will add the signull rule. > > If you add that rule does login work in enforcing mode? Doesn't work. I have built 0.2.0 final with a patch from upstream that makes lxdm use pam instead of reading /etc/shadow. Still no luck. These are the denials I get: Zusammenfassung: SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm. Detaillierte Beschreibung: [SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.] SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird, signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem möglich, dass diese spezielle Version oder Konfiguration der Anwendung den zusätzlichen Zugriff verursacht. Zugriff erlauben: Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Bitte reichen Sie einen Fehlerbericht ein. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:etc_t:s0 Zielobjekte /etc/lxdm [ dir ] Quelle lxdm-greeter-gt Quellpfad /usr/libexec/lxdm-greeter-gtk Port <Unbekannt> Host (entfernt) RPM-Pakete der Quelle lxdm-0.2.0-1.fc13 RPM-Pakete des Ziels lxdm-0.2.0-1.fc13 Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername (entfernt) Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Anzahl der Alarme 8 Zuerst gesehen Do 06 Mai 2010 00:18:57 CEST Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST Lokale ID a6a15dd5-f554-4a09-806b-a8bff4c16f5f Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { add_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { create } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on lxdm.conf.PEGHCV. Detaillierte Beschreibung: [SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.] SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird, signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem möglich, dass diese spezielle Version oder Konfiguration der Anwendung den zusätzlichen Zugriff verursacht. Zugriff erlauben: Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Bitte reichen Sie einen Fehlerbericht ein. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:etc_t:s0 Zielobjekte lxdm.conf.PEGHCV [ dir ] Quelle lxdm-greeter-gt Quellpfad /usr/libexec/lxdm-greeter-gtk Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-1.fc13 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Anzahl der Alarme 6 Zuerst gesehen Do 06 Mai 2010 00:18:58 CEST Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST Lokale ID 60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { remove_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { rename } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { unlink } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux verhindert /bin/bash "open" Zugriff on console. Detaillierte Beschreibung: [SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.] SELinux verweigerte den von ksmtuned angeforderten Zugriff. Da nicht davon ausgegangen wird, dass dieser Zugriff von ksmtuned benötigt wird, signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem möglich, dass diese spezielle Version oder Konfiguration der Anwendung den zusätzlichen Zugriff verursacht. Zugriff erlauben: Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Bitte reichen Sie einen Fehlerbericht ein. Zusätzliche Informationen: Quellkontext system_u:system_r:ksmtuned_t:s0 Zielkontext system_u:object_r:console_device_t:s0 Zielobjekte console [ chr_file ] Quelle ksmtuned Quellpfad /bin/bash Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle bash-4.1.2-4.fc13 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Anzahl der Alarme 19 Zuerst gesehen So 02 Mai 2010 15:39:33 CEST Zuletzt gesehen Do 06 Mai 2010 00:40:55 CEST Lokale ID a59d8195-6820-472c-b54f-e68919a463f9 Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273099255.979:22): avc: denied { open } for pid=3599 comm="ksmtuned" name="console" dev=devtmpfs ino=5459 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file node=wicktop.localdomain type=SYSCALL msg=audit(1273099255.979:22): arch=c000003e syscall=2 success=yes exit=3 a0=bbd010 a1=802 a2=c a3=1000 items=0 ppid=3598 pid=3599 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null) Dgod, why is lxdm trying to *write* files in /etc/lxdm? Shouldn't his take place in /var/ somewhere? the write to /etc fail should not affect the login. I found file at /var/run will cleaned after reboot. maybe /var/lib is a good position, change the greetr.c to what it should be. #ifndef VCONFIG_FILE #define VCONFIG_FILE "/etc/lxdm/lxdm.conf" #endif to make less log, you can test lxdm without greeter, comment the greeter line at config file, there's a very simple ui. Ok when you have an updated lxdm with this fixed, I will try again. (In reply to comment #51) > maybe /var/lib is a good position, change the greetr.c to what it should be. > #ifndef VCONFIG_FILE > #define VCONFIG_FILE "/etc/lxdm/lxdm.conf" > #endif Even with that change I still get a SELinux denial about lxdm-greeter-gtk trying to write to /etc/lxdm/. I think /var/run/lxdm/ should only be used for changes made through lxdm, e.g. language or session. Or are they stored by user now? > to make less log, you can test lxdm without greeter, comment the greeter line > at config file, there's a very simple ui. I don't want less log but *more* details. /var/log/lxdm.log doesn't contain much useful info. (In reply to comment #52) > Ok when you have an updated lxdm with this fixed, I will try again. Here is a scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2171670 The remaining denials I see with this one are: Zusammenfassung: SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:etc_t:s0 Zielobjekte /etc/lxdm [ dir ] Quelle lxdm-greeter-gt Quellpfad /usr/libexec/lxdm-greeter-gtk Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-1.fc13 RPM-Pakete des Ziels lxdm-0.2.0-1.fc13 Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Anzahl der Alarme 8 Zuerst gesehen Do 06 Mai 2010 00:18:57 CEST Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST Lokale ID a6a15dd5-f554-4a09-806b-a8bff4c16f5f Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { add_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { create } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on lxdm.conf.PEGHCV. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:etc_t:s0 Zielobjekte lxdm.conf.PEGHCV [ dir ] Quelle lxdm-greeter-gt Quellpfad /usr/libexec/lxdm-greeter-gtk Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-1.fc13 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64 Anzahl der Alarme 6 Zuerst gesehen Do 06 Mai 2010 00:18:58 CEST Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST Lokale ID 60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { remove_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { rename } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { unlink } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf /root/.config/ibus/bus. Zusätzliche Informationen: Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023 Zielkontext system_u:object_r:config_home_t:s0 Zielobjekte /root/.config/ibus/bus [ dir ] Quelle lxdm-greeter-gt Quellpfad /usr/libexec/lxdm-greeter-gtk Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle lxdm-0.2.0-2.fc13 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall_boolean Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-79.fc13.x86_64 #1 SMP Mon May 3 22:37:18 UTC 2010 x86_64 x86_64 Anzahl der Alarme 32 Zuerst gesehen So 02 Mai 2010 15:36:13 CEST Zuletzt gesehen Fr 07 Mai 2010 12:47:54 CEST Lokale ID 20c6515a-7e9d-47a0-bf1f-2c3717d55b6c Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273229274.229:27968): avc: denied { setattr } for pid=4501 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir node=wicktop.localdomain type=SYSCALL msg=audit(1273229274.229:27968): arch=c000003e syscall=90 success=yes exit=0 a0=14bbba0 a1=1c0 a2=145cd90 a3=7fff8bef4c70 items=0 ppid=3651 pid=4501 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Zusammenfassung: SELinux verhindert /bin/bash "open" Zugriff on console. Zusätzliche Informationen: Quellkontext system_u:system_r:ksmtuned_t:s0 Zielkontext system_u:object_r:console_device_t:s0 Zielobjekte console [ chr_file ] Quelle ksmtuned Quellpfad /bin/bash Port <Unbekannt> Host wicktop.localdomain RPM-Pakete der Quelle bash-4.1.2-4.fc13 RPM-Pakete des Ziels Richtlinien-RPM selinux-policy-3.7.19-10.fc13 SELinux aktiviert True Richtlinientyp targeted Enforcing-Modus Permissive Plugin-Name catchall Rechnername wicktop.localdomain Plattform Linux wicktop.localdomain 2.6.33.3-79.fc13.x86_64 #1 SMP Mon May 3 22:37:18 UTC 2010 x86_64 x86_64 Anzahl der Alarme 24 Zuerst gesehen So 02 Mai 2010 15:39:33 CEST Zuletzt gesehen Fr 07 Mai 2010 12:49:59 CEST Lokale ID a59d8195-6820-472c-b54f-e68919a463f9 Zeilennummern Raw-Audit-Meldungen node=wicktop.localdomain type=AVC msg=audit(1273229399.488:22): avc: denied { open } for pid=3607 comm="ksmtuned" name="console" dev=devtmpfs ino=5460 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file node=wicktop.localdomain type=SYSCALL msg=audit(1273229399.488:22): arch=c000003e syscall=2 success=yes exit=3 a0=1124010 a1=802 a2=c a3=1000 items=0 ppid=3606 pid=3607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null) In addition I still see the 'Can't send to audit system' message: May 7 12:58:59 wicktop dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=? when I debug into pam-selinux, I have an log May 8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Open Session May 8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Username= dgod SELinux User = unconfined_u Level= s0-s0:c0.c1023 May 8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Would you like to enter a security context? [N] dgod May 8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Unable to get valid context for dgod look into the pam_selinux code, it should be get_ordered_context_list_with_level return something wrong, I don't know how can work around it. Make sure lxdm is running as xdm_t. If you modify the code make sure you run restorecon on the executable. The SELinux code is asking the system what the context to execute the user who is logging in. It does this by looking at its context. If I am xdm_t and dwalsh is logging in then I will run him in as staff_t. If I am unconfined_t and dwalsh is logging in, I have no idea what to log him in as, so I will ask the user. lxdm-0.2.0-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13 The SELinux problems should be fixed now from the LXDM side. Is there a way to get rid of my custom policy again for testing? And has the signull rule been added to the policy we currently have in F13? semodule -r MYPOL Should remove your custom policy. Do not include the pp. Even with custom policy, selinux-policy-3.7.19-13.fc13 and lxdm-0.2.0-2.fc13 it doesn't work for me. I cannot log in, although Dgod says everythign should be fixed and he can login. On the other hand I don't see any more denials from sealert. I am clueless. lxdm-0.2.0-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update lxdm'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13 Dan, can you look at the remaining alarms? This is crucial for the LXDE spin, otherwise we would have to switch back to SLIM as login manager.
Dgod, why is LXDM still trying to write to /etc/lxdm?
Zusammenfassung:
SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm.
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:etc_t:s0
Zielobjekte /etc/lxdm [ dir ]
Quelle lxdm-greeter-gt
Quellpfad /usr/libexec/lxdm-greeter-gtk
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels lxdm-0.2.0-1.fc13
Richtlinien-RPM selinux-policy-3.7.19-10.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
#1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme 8
Zuerst gesehen Do 06 Mai 2010 00:18:57 CEST
Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST
Lokale ID a6a15dd5-f554-4a09-806b-a8bff4c16f5f
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { add_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { create } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc: denied { write } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Zusammenfassung:
SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on
lxdm.conf.PEGHCV.
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:etc_t:s0
Zielobjekte lxdm.conf.PEGHCV [ dir ]
Quelle lxdm-greeter-gt
Quellpfad /usr/libexec/lxdm-greeter-gtk
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-10.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
#1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme 6
Zuerst gesehen Do 06 Mai 2010 00:18:58 CEST
Zuletzt gesehen Do 06 Mai 2010 00:22:18 CEST
Lokale ID 60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { remove_name } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { rename } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc: denied { unlink } for pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Zusammenfassung:
SELinux verhindert /usr/libexec/lxdm-greeter-gtk "unlink" Zugriff on lxdm.conf.
Zusätzliche Informationen:
Quellkontext system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext system_u:object_r:var_lib_t:s0
Zielobjekte lxdm.conf [ file ]
Quelle lxdm-greeter-gt
Quellpfad /usr/libexec/lxdm-greeter-gtk
Port <Unbekannt>
Host wicktop.localdomain
RPM-Pakete der Quelle lxdm-0.2.0-2.fc13
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.7.19-13.fc13
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Plugin-Name catchall
Rechnername wicktop.localdomain
Plattform Linux wicktop.localdomain 2.6.33.3-85.fc13.x86_64
#1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Anzahl der Alarme 1
Zuerst gesehen Di 11 Mai 2010 09:41:20 CEST
Zuletzt gesehen Di 11 Mai 2010 09:41:20 CEST
Lokale ID 52f6a72e-cd26-4a79-afa8-37f8235d203f
Zeilennummern
Raw-Audit-Meldungen
node=wicktop.localdomain type=AVC msg=audit(1273563680.90:24): avc: denied { unlink } for pid=3697 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=924759 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
node=wicktop.localdomain type=SYSCALL msg=audit(1273563680.90:24): arch=c000003e syscall=82 success=yes exit=0 a0=22e3e20 a1=407c24 a2=22e3e80 a3=1 items=0 ppid=3653 pid=3697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=wicktop.localdomain type=AVC msg=audit(1273563680.90:24): avc: denied {
unlink } for pid=3697 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0
ino=924759 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
looks like the patch is right, I write things to /var/lib now, but selinux refuse it. the question is, ' where should I to save some runtime config? '
if you don't select the language or session, you will not have this selinux problem, can it work?
I'll debug the 0.2.0-2 package on my system, but that will wait several hours.
with the lxdm-0.2.0-2, I can login to the desktop, write to /var/lib/lxdm is refuse, and sealert report
Opps, sealert hit an error!
Traceback (most recent call last):
File "/usr/bin/sealert", line 978, in <module>
run_as_dbus_service(username)
File "/usr/bin/sealert", line 99, in run_as_dbus_service
app = SEAlert(user, dbus_service.presentation_manager, watch_setroubleshootd=True)
File "/usr/bin/sealert", line 620, in __init__
self.browser = BrowserApplet(self.username, self.alert_client, domain=domain)
File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 249, in __init__
self.check_policy()
File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 314, in check_policy
self.report_button.get_label(_("Update Policy"))
TypeError: get_label() takes no arguments (1 given)
selinux config is
[dgod@dgod ~]$ cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
wickert, the write to /etc/lxdm shown is under the lxdm-0.2.0-1, you take an old log. Chris where can I download the latest lxdm spin? chcon -t xdm_var_lib_t -R /var/lib/lxdm Should fix. Fixed in selinux-policy-3.7.19-15.fc13.noarch here is the latest lxde spin http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/ latest lxdm is at updates-testing repo dgod, does selinux-policy-3.7.19-15.fc13.noarch work? Should this be a blocker? On my machine, it can work correctly. Even if lxdm can't work on other machine, this bug should not be a blocker, the bug should be in lxdm with the pam stack. I guess there is a misunderstanding about the word 'blocker' here. A blocker is something that delays a release. By Fedora's release criteria [1] this cannot be a blocker as it is not in the default install (basically only the desktop spin can have blockers), but i consider this severe enough for the LXDE spin. Using SLIM there is only the last resort, because LXDM is one of the main improvements from the F12 LXDE spin. So I really like to get this fixed for F13 and I offer any help I can give. [1] https://fedoraproject.org/wiki/Fedora_13_Final_Release_Criteria Jesse and Bill What is the chance of getting this policy into final release? Not only the policy bug also http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13 lxdm should be easier as it is not part of the "Fedora" repo but in "Everything". My understanding is that it's too late to take more changes in without forcing another slip. Jesse can confirm or deny this. If you can manage to change only the lxdm package, perhaps by adding the necessary policy bits to it, then we could get it in without slipping. However if we have to change selinux-policy, that package is on every other produced image, including the DVD set, which would mean a full respin, and a slip of the release. Again. Not worth it. OK, the selinux-policy update is not necessary. I have verified that it works with the current selinux-policy-3.7.19-10.fc13.noarch in F13 final. All we need is http://koji.fedoraproject.org/koji/taskinfo?taskID=2194485 Please give feedback at https://admin.fedoraproject.org/updates/lxdm-0.2.0-4.fc13 I have tested both live and installed versions of the spin, both automatic and normal logins. No denials. To get it into the spins, i've removed the bodhi update and tagged it directly for F13. lxdm-0.2.0-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. lxdm-0.2.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: If I try to login via lxdm, it does not work and after entering the password I get back to enter the username. Turning off selinux via setenforce 0 and restarting lxdm (e.g. via init 3, init 5) helps the problem, I can login without any problem then. Version-Release number of selected component (if applicable): selinux-policy-3.6.32-84.fc12.noarch How reproducible: always Steps to Reproduce: 1. install "minimal" system with LXDE 2. try to login Actual results: type=1400 audit(1265975890.633:13538): avc: denied { signull } for pid=1347 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process Expected results: no errors, user can login Additional info: I thought this is a consequence of bug #552885. But the latest selinux-policy did not fix the issue.