Bug 823232

Summary: SELinux violation when running "sudo su -"
Product: Fedora
Reporter: Ignacio Vazquez-Abrams <ivazqueznet>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, lovyagin, mgrepl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-06-28 03:27:07 UTC

Description Ignacio Vazquez-Abrams 2012-05-20 04:33:52 UTC
SELinux diagnostic tool reporting failed. Here is a transcript of the violation details:

=== TRANSCRIPT BEGINS ===
SELinux is preventing /usr/bin/xauth from write access on the directory auth-for-ignacio-T2O6TC.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xauth should be allowed write access on the auth-for-ignacio-T2O6TC directory by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep xauth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:xauth_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                auth-for-ignacio-T2O6TC [ dir ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.6-1.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 3.3.5-2.fc16.x86_64 #1
                              SMP Tue May 8 11:24:50 UTC 2012 x86_64 x86_64
Alert Count                   183
First Seen                    Wed 11 Apr 2012 10:51:51 AM EDT
Last Seen                     Sat 19 May 2012 10:42:05 PM EDT
Local ID                      3044fccc-4fac-4b37-98db-61429474639c

Raw Audit Messages
type=AVC msg=audit(1337481725.253:131): avc:  denied  { write } for  pid=3491 comm="xauth" name="auth-for-ignacio-T2O6TC" dev="tmpfs" ino=26721 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1337481725.253:131): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffb8e13530 a1=c1 a2=180 a3=8 items=0 ppid=3490 pid=3491 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=xauth exe=/usr/bin/xauth subj=unconfined_u:unconfined_r:xauth_t:s0 key=(null)

Hash: xauth,xauth_t,var_run_t,dir,write

audit2allow

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# nx_server_var_lib_t, user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t

allow xauth_t var_run_t:dir write;

audit2allow -R

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# nx_server_var_lib_t, user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t

allow xauth_t var_run_t:dir write;

=== TRANSCRIPT ENDS ===
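The raw AVC above carries everything needed to judge the denial, and the "!!!!" hint in the audit2allow output is the part worth reading: xauth_t may already write to xdm_var_run_t directories, while the denied directory sits on tmpfs labelled with the generic var_run_t. The rule audit2allow offers, allow xauth_t var_run_t:dir write, would grant xauth write access to every var_run_t directory on the system to work around what is more likely a mislabelled object. The script below is an added example and not part of the bug report or of setroubleshoot: it parses the AVC record quoted in the description (embedded here as sample data), reconstructs the rule audit2allow would emit, and flags the denial as "relabel" when the target type is one of a small list of generic default types. That list is this example's own heuristic, not something the policy defines.

```shell
#!/bin/sh
# Added example, not part of the bug report. Pull the fields that matter out
# of a raw AVC record and decide whether audit2allow's suggested allow rule is
# the right response. The record below is the one quoted in the description,
# embedded here as sample data.
AVC='type=AVC msg=audit(1337481725.253:131): avc:  denied  { write } for  pid=3491 comm="xauth" name="auth-for-ignacio-T2O6TC" dev="tmpfs" ino=26721 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir'

# avc_field RECORD KEY: value of KEY=value, with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms RECORD: the permission list inside { ... }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD: prints "relabel" when the target carries one of the
# generic default types a directory gets when no file-context rule matches
# its path (the object was probably created or copied without a proper
# context), "policy" otherwise. The list is this example's heuristic.
avc_triage() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        var_run_t|var_lib_t|var_log_t|var_t|etc_t|usr_t|default_t|unlabeled_t)
            echo relabel ;;
        *)
            echo policy ;;
    esac
}

# audit2allow_rule RECORD: the rule audit2allow -M would generate (brace
# style aside), shown so its breadth is visible: it grants the source type
# the permission on every object of the target type, not just the denied one.
audit2allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_report RECORD: one-line summary followed by the recommendation.
avc_report() {
    printf '%s (pid %s, %s) denied { %s } on %s "%s" labelled %s on %s\n' \
        "$(avc_field "$1" comm)" "$(avc_field "$1" pid)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" dev)"
    case "$(avc_triage "$1")" in
        relabel)
            echo "target has a generic label; find the object (ls -ldZ <dir>) and fix"
            echo "its file context instead of adding:  $(audit2allow_rule "$1")" ;;
        policy)
            echo "target is specifically labelled; report as a policy bug, or add a"
            echo "local module if the access is legitimate:  $(audit2allow_rule "$1")" ;;
    esac
}

avc_report "$AVC"
```

To use it on a live box, replace the embedded record with a line from `grep 'type=AVC' /var/log/audit/audit.log`. The triage answer for the record above is "relabel", which is what the rest of this thread ends up doing: the directory was /run/mdm, labelled var_run_t because the policy had no rule for mdm.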

Comment 1 Daniel Walsh 2012-05-21 14:02:07 UTC
What directory is xauth trying to write into?  What were you doing when this happened?

Comment 2 lnx 2012-06-06 14:40:36 UTC
Have same bug here. Have fresh install of Fedora 17 + MATE DE. Appears each time I start su.

Comment 3 Dominick Grift 2012-06-06 14:49:56 UTC
probably /run/gdm/.*

I do not see this problem here (it's labeled xdm_var_run_t here) but then again I do not use su.

Comment 4 Daniel Walsh 2012-06-07 15:59:44 UTC
ls -ldZ /run/gdm

Comment 5 lnx 2012-06-07 16:09:10 UTC
$ ls -ldZ /run/gdm
ls: cannot access /run/gdm: No such file or directory
$ ls -ldZ /run/mdm
drwx--x--x. root mdm system_u:object_r:var_run_t:s0 /run/mdm
$

Comment 6 Daniel Walsh 2012-06-07 16:25:59 UTC
What is mdm?

Fixed in selinux-policy-3.10.0-129.fc17

semanage fcontext -a -t xdm_var_run_t '/var/run/mdm(/.*)?'
restorecon -R -v /run

Will fix for now.

Comment 7 lnx 2012-06-07 16:29:23 UTC
mdm is a fork of GNOME 2 gdm (aka MATE display manager)
yup, thanks, I see, will check now

Comment 8 lnx 2012-06-07 16:40:39 UTC
Daniel, it looks like it helps, but the context restores to the initial one after reboot, so the fix is not permanent...

Comment 9 Daniel Walsh 2012-06-07 18:43:55 UTC
ps -eZ | grep mdm

Comment 10 Daniel Walsh 2012-06-07 18:46:59 UTC
chcon -t xdm_exec_t /usr/sbin/mdm

Comment 11 lnx 2012-06-07 18:54:58 UTC
# ps -eZ | grep mdm
system_u:system_r:initrc_t:s0 497 ? 00:00:00 mdm-binary
system_u:system_r:initrc_t:s0 621 ? 00:00:00 mdm-simple-slav
system_u:system_r:initrc_t:s0 793 ? 00:00:00 mdm-session-wor
unconfined_u:unconfined_r:unconfined_t:s0 1070 ? 00:00:00 mdm-user-switch
#

Comment 12 lnx 2012-06-07 19:02:46 UTC
chcon -t xdm_exec_t /usr/sbin/mdm helps in this issue but produces a lot of other SELinux violations, will check

Comment 13 Daniel Walsh 2012-06-07 19:05:03 UTC
chcon -t xdm_exec_t /usr/sbin/mdm-binary

rpm -qlf /usr/sbin/mdm-binary

You probably need to do fixes to /var/lib/mdm and /var/run/mdm and /var/log/mdm to match gdm labels.

Comment 14 Daniel Walsh 2012-06-07 19:08:53 UTC
chcon -Rt xdm_var_run_t /run/mdm
chcon -Rt xserver_log_t /var/log/mdm
chcon -Rt xdm_var_lib_t /var/lib/mdm

Comment 15 lnx 2012-06-08 13:02:08 UTC
well, looks like 

chcon -t xdm_exec_t /usr/sbin/mdm
chcon -t xdm_exec_t /usr/sbin/mdm-binary

chcon -Rt xdm_var_lib_t /var/lib/mdm
chcon -Rt xdm_log_t /var/log/mdm
chcon -Rt xdm_var_lib_t /var/cache/mdm
chcon -Rt xdm_etc_t /etc/mdm
chcon -Rt xserver_log_t /var/mdm
chcon -Rt xdm_etc_t /etc/gdm
chcon -Rt xdm_etc_t /etc/gdm/custom.conf
chcon -Rt xdm_unconfined_exec_t /etc/gdm/Init
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PostLogin
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PostSession
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PreSession
chcon -t dbusd_etc_t /etc/dbus-1/system.d/mdm.conf 
chcon -Rt xdm_spool_t /var/spool/mdm

is enough for mdm; now looking into how to semanage fcontext / restorecon it correctly inside a LiveCD kickstart script...

Comment 16 Daniel Walsh 2012-06-08 14:37:05 UTC
chcon -Rt xserver_log_t /var/mdm

I have everyone except ^^

This should not be needed. mdm should not store its log files in this directory.

Comment 17 lnx 2012-06-08 15:45:09 UTC
Hm, I examined gdm-2.32.1-2.fc14.x86_64.rpm to find all that; I checked, and it provides this (xserver_log_t) context for /var/gdm...

Comment 18 Daniel Walsh 2012-06-11 14:10:29 UTC
Old version, probably should remove that labelling.
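The chcon lines in Comments 10 to 15 set the security.selinux xattr on each inode directly, which is why the fix disappeared on reboot (Comment 8): the first restorecon or relabel consults the file-context table, finds no rule for mdm, and puts var_run_t back. The durable form is the one Dan gave in Comment 6, semanage fcontext to record a rule and restorecon to apply it. The script below is an added example, not part of the bug report or the selinux-policy package: it collects the labels the thread converged on (Comments 6, 14 and 15; /var/mdm is left out per Comments 16 to 18, and the /etc/gdm entries are omitted because the stock policy already labels them) as semanage rules, applies them only if semanage is installed and otherwise prints what it would run, and adds a check for the symptom in Comment 11, mdm processes still running in initrc_t after the relabel. The type names are assumptions carried over from the thread; confirm each one exists in your policy with seinfo -t before applying.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package.
# Makes the MDM labelling from the thread persistent. chcon writes only the
# xattr on the inode, so the next restorecon or relabel puts the default type
# back; semanage fcontext records a rule in the local file-context table and
# restorecon then applies it. Type names are taken from Comments 6, 14 and 15
# and are assumptions here: confirm each exists (seinfo -t TYPE) before use.

# One rule per line: path regex, then type. /run/mdm is written as
# /var/run/mdm because the policy's file-context path substitutions alias
# /run to /var/run, so the rule also covers /run/mdm.
mdm_fcontext_rules() {
    cat <<'EOF'
/usr/sbin/mdm xdm_exec_t
/usr/sbin/mdm-binary xdm_exec_t
/var/run/mdm(/.*)? xdm_var_run_t
/var/lib/mdm(/.*)? xdm_var_lib_t
/var/cache/mdm(/.*)? xdm_var_lib_t
/var/log/mdm(/.*)? xdm_log_t
/var/spool/mdm(/.*)? xdm_spool_t
/etc/mdm(/.*)? xdm_etc_t
/etc/dbus-1/system.d/mdm.conf dbusd_etc_t
EOF
}

# The semanage invocations the rules translate to (also the dry-run output).
mdm_fcontext_commands() {
    mdm_fcontext_rules | while read -r regex type; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    done
}

# Apply the rules and relabel. Without semanage (no SELinux tooling) this
# only prints what it would do, which is what makes it safe to run anywhere.
apply_mdm_fcontext() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo 'semanage not found; dry run:' >&2
        mdm_fcontext_commands
        return 0
    fi
    mdm_fcontext_rules | while read -r regex type; do
        # -a refuses a regex that already has a local rule; -m updates it.
        semanage fcontext -a -t "$type" "$regex" 2>/dev/null ||
            semanage fcontext -m -t "$type" "$regex"
    done
    # -i: skip paths that do not exist on this install.
    restorecon -Rvi /usr/sbin/mdm /usr/sbin/mdm-binary /run/mdm /var/lib/mdm \
        /var/cache/mdm /var/log/mdm /var/spool/mdm /etc/mdm \
        /etc/dbus-1/system.d/mdm.conf
    # What the policy now says for the path, independent of the inode label.
    matchpathcon /run/mdm
}

# After the display manager is restarted it must run in xdm_t; a daemon still
# in initrc_t means the executable's label did not take (Comments 9 to 11).
# Constructed sample based on Comment 11; on a live system pass "$(ps -eZ)".
PS_SAMPLE='system_u:system_r:initrc_t:s0 497 ? 00:00:00 mdm-binary
system_u:system_r:initrc_t:s0 621 ? 00:00:00 mdm-simple-slav
unconfined_u:unconfined_r:unconfined_t:s0 1070 ? 00:00:00 mdm-user-switch'

# mdm_still_in_initrc PS_OUTPUT: names of mdm processes running as initrc_t.
mdm_still_in_initrc() {
    printf '%s\n' "$1" | awk '$1 ~ /:initrc_t:/ && $NF ~ /^mdm/ { print $NF }'
}

apply_mdm_fcontext
mdm_still_in_initrc "$PS_SAMPLE"
```

Run it as root; the same commands work unchanged inside a kickstart %post, since semanage and restorecon are available there. Once selinux-policy ships the mdm rules itself (the fixed builds named below), the local rules become redundant and can be removed with semanage fcontext -d, so the distribution's file contexts take over rather than being shadowed by local ones.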

Comment 19 Fedora Update System 2012-06-15 10:31:11 UTC
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16

Comment 20 Fedora Update System 2012-06-15 23:52:37 UTC
Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2012-06-28 03:27:07 UTC
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.