Bug 596360
| Summary: | SELinux is preventing /sbin/setfiles access to a leaked /var/log/xdm.log file descriptor. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | scumbag <elias.rincon> |
| Component: | lxdm | Assignee: | Christoph Wickert <christoph.wickert> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 15 | CC: | christoph.wickert, daniel-fedoauth, dwalsh, lemenkov, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:bff6e2c4d9ab6413023b335f04eed8e0191f7c5c736a634320849ced00a9c9fc | ||
| Fixed In Version: | lxdm-0.4.1-1.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-23 17:42:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
scumbag
2010-05-26 16:23:22 UTC
Did you redirect output of restorecon to /var/log/xdm.log?

Nope. After installing XDM and restarting, XDM loads, then GDM init, and this problem appears. The first time, I used # restorecon /var/log/xdm.log as setroubleshoot suggested, but this happened again.

What are you running as your login program? Check to make sure it is running as xdm_t.

ps -eZ | grep LOGINPROGRAM

Oops, I mistyped. It's "XDM loads then Gnome init, and this problem appear". I'm using XDM, sorry, my bad. Here is the output:

$ ps -eZ | grep xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4629 ? 00:00:00 xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4642 ? 00:00:00 xdm

Looks like there might be something wrong with the xdm startup script which must be creating /var/log/xdm.log with the wrong label. How do you turn on xdm?

1.- # yum install XDM
2.- # echo 'DISPLAYMANAGER="XDM"' > /etc/sysconfig/desktop
3.- # telinit 3
4.- # telinit 5

PS. I think that /etc/sysconfig/desktop should exist, even if only one login program is present; or an "easy-switch" tool to change between Desktop Managers.

PS1. To switch back to GDM:
# echo 'DISPLAYMANAGER="GDM"' > /etc/sysconfig/desktop
or
# rm /etc/sysconfig/desktop

Are you still having this problem? I am revisiting old bugs.

No, I can't remember in which SELinux policy update it was fixed.

None. I was hoping it magically went away. I think the problem is some init script is creating the log file rather than xdm itself.

Let me set up my system to reproduce the bug, and I'll come back with a certain answer, because I remember that the problem was gone.

Nope, sorry, the problem still happens. I'm attaching the complete error message. The steps to reproduce the bug are the same.

-----
Summary:

SELinux is preventing /usr/bin/xdm "write" access on /var/log/xdm.log.

Detailed Description:

SELinux denied access requested by xdm. It is not expected that this access is required by xdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/xdm.log [ file ]
Source                        xdm
Source Path                   /usr/bin/xdm
Port                          <Unknown>
Host                          bodysnatcher
Source RPM Packages           xorg-x11-xdm-1.1.6-18.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bodysnatcher
Platform                      Linux bodysnatcher 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Tue 03 Aug 2010 09:49:42 PM CDT
Last Seen                     Tue 03 Aug 2010 09:52:41 PM CDT
Local ID                      b183ae09-1645-4aa7-a380-beb6a1fa715e
Line Numbers

Raw Audit Messages

node=bodysnatcher type=AVC msg=audit(1280890361.578:16056): avc: denied { write } for pid=2888 comm="xdm" name="xdm.log" dev=sda1 ino=430437 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=bodysnatcher type=SYSCALL msg=audit(1280890361.578:16056): arch=40000003 syscall=8 success=no exit=-13 a0=8a4fbc0 a1=1b6 a2=bf8513f0 a3=bf851914 items=0 ppid=1 pid=2888 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xdm" exe="/usr/bin/xdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
scumbag, are you still seeing this problem?

Actually, I don't have an environment to try it anymore. Sorry

I'm still having this issue.
[ 41.346556] type=1400 audit(1303297992.706:4): avc: denied { write } for pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
[ 41.346608] type=1400 audit(1303297992.706:5): avc: denied { write } for pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
lxdm should open its log file for append if it is going to pass it as stdout to its children. Write will allow any app that inherits the file descriptor to truncate the log.

*** Bug 710776 has been marked as a duplicate of this bug. ***

lxdm-0.4.1-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc17

lxdm-0.4.1-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc16

lxdm-0.4.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc15

Package lxdm-0.4.1-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lxdm-0.4.1-1.fc16'
as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4399/lxdm-0.4.1-1.fc16 then log in and leave karma (feedback).

lxdm-0.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

lxdm-0.4.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

lxdm-0.4.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
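
The append-versus-write point raised in the comments above, as an added C example that is not lxdm's code and not part of the original report: a child that inherits a plain O_WRONLY log descriptor can seek back and overwrite earlier records, while with O_APPEND every write lands at end of file, and SELinux checks the append permission rather than write for a descriptor opened that way. The helper name and the scratch path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not lxdm code): open a scratch log with
 * O_WRONLY | extra_flags, write one record, then let a forked child that
 * inherits the descriptor as stdout seek to offset 0 and write.
 * Returns 1 if the first record is intact, 0 if clobbered, -1 on error. */
int first_record_survives(int extra_flags)
{
    static const char first[] = "session started\n";
    char path[] = "/tmp/dmlog-XXXXXX";        /* constructed scratch file */
    char buf[64] = {0};
    int fd, rd, status = 0, ok = -1;
    pid_t pid;

    if ((fd = mkstemp(path)) < 0) return -1;
    close(fd);
    if ((fd = open(path, O_WRONLY | extra_flags)) < 0) goto out;
    if (write(fd, first, sizeof first - 1) != (ssize_t)(sizeof first - 1)) {
        close(fd);
        goto out;
    }
    pid = fork();
    if (pid == 0) {                           /* child: inherits the log fd */
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(1);
        lseek(STDOUT_FILENO, 0, SEEK_SET);    /* try to rewind the log */
        _exit(write(STDOUT_FILENO, "XXXXXXX", 7) == 7 ? 0 : 1);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || status != 0) goto out;
    if ((rd = open(path, O_RDONLY)) < 0) goto out;
    if (read(rd, buf, sizeof buf - 1) >= 0)
        ok = strncmp(buf, first, sizeof first - 1) == 0;
    close(rd);
out:
    unlink(path);
    return ok;
}

int main(void)
{
    printf("O_WRONLY:          intact=%d\n", first_record_survives(0));
    printf("O_WRONLY|O_APPEND: intact=%d\n", first_record_survives(O_APPEND));
    return 0;
}
```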