Bug 635897
Summary: | SELinux is preventing /usr/sbin/lxdm-binary "execute" access on xauth. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | lxdm | Assignee: | Christoph Wickert <christoph.wickert> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 14 | CC: | christoph.wickert, dgod.osa, dwalsh, flashl, mgrepl, mkhusid, mtx_lives, v.plessky |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:6249385739b812e2b1ad2c0b5d239d3ccebd615a5ce7c9f4adb241af86dbcac2 | ||
Fixed In Version: | lxdm-0.4.1-1.fc16 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-03-23 17:42:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Adam Williamson
2010-09-20 23:54:38 UTC
This looks like you don't have pam_selinux setup correctly in your pam files. I don't think so. We had this already and you said it was fine. This is /etc/pam.d/lxdm from the package: #%PAM-1.0 auth [success=done ignore=ignore default=bad] pam_selinux_permit.so auth required pam_succeed_if.so user != root quiet auth required pam_env.so auth substack system-auth auth optional pam_gnome_keyring.so account required pam_nologin.so account include system-auth password include system-auth session required pam_selinux.so close session required pam_loginuid.so session optional pam_console.so session required pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_namespace.so session optional pam_gnome_keyring.so auto_start session include system-auth What's wrong with it? Why is it running xauth before calling pam_selinux.so open? Dgod, can you give us some insight here? lxdm use xauth to create xauth file of xserver. the xserver is started by lxdm before pam session. slim likely do the samething. I don't think it's a security problem, if neccesary, I can rewrite this part. As long as I understand this is normal. I do not have a problem adding the access. You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.9.5-7.fc14 lxdm-0.4.1-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc17 lxdm-0.4.1-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc16 lxdm-0.4.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc15 Package lxdm-0.4.1-1.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lxdm-0.4.1-1.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4399/lxdm-0.4.1-1.fc16 then log in and leave karma (feedback). lxdm-0.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. lxdm-0.4.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. lxdm-0.4.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |