Bug 832840

Summary: /usr/bin/kdm is mislabeled
Product: [Fedora] Fedora
Reporter: bodhi.zazen <bodhi.zazen>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 17
CC: darwinian.empire, dwalsh, germano.massullo, kevin, kylepablo, morgancoxuk, orion, rdieter, rguerra.marin, rtguille, stealthcipher, vincenzo.romano
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-20 00:30:12 UTC
Type: Bug
Attachments: raw avc denials

Description bodhi.zazen 2012-06-17 22:15:44 UTC
Created attachment 592480: raw avc denials

Description of problem:

/usr/bin/kdm is mislabeled in the policy, which prevents user_u from logging into KDE.

Version-Release number of selected component (if applicable):


How reproducible:

Try to log into kde

Steps to Reproduce:
1. Log into kde as a user_u
  
Actual results:

kde does not allow log in

Expected results:

Able to log in

Additional info:

Fix

/usr/bin/kde is mislabeled as bin_t,

/usr/bin/kdm should be type xdm_exec_t

Comment 1 Miroslav Grepl 2012-06-18 08:46:32 UTC
*** Bug 832860 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2012-06-18 08:46:37 UTC
*** Bug 832806 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2012-06-18 09:23:51 UTC
Yes,

# chcon -t xdm_exec_t /usr/bin/kdm

will fix it for now.

Comment 4 bodhi.zazen 2012-06-18 12:19:36 UTC
Sorry for the duplicates, I was having problems connecting to Bugzilla.

Comment 5 Miroslav Grepl 2012-06-18 12:30:35 UTC
No problem.

I have finally found a bug. 

Fixed in selinux-policy-3.10.0-132.fc17

Comment 6 Orion Poplawski 2012-06-18 19:35:59 UTC
For me it actually allows you to log in, but only after a delay of 20-30 seconds.  Denial message is:

type=USER_AVC msg=audit(1340046369.740:212): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.193 spid=6245 tpid=6222 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 7 Daniel Walsh 2012-06-18 20:35:30 UTC
That looks like you still have a process running as initrc_t?

Comment 8 Rex Dieter 2012-06-18 20:37:04 UTC
*** Bug 833184 has been marked as a duplicate of this bug. ***

Comment 9 Orion Poplawski 2012-06-18 20:37:20 UTC
Yeah, because kdm is labeled bin_t instead of kdm_exec_t.  Changing that fixes it.  But -130 wants it labeled bin_t.
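
The reading of the denial in comments 6 to 9, as an added example that is not part of the original report or of any commenter's post: it parses the USER_AVC record from comment 6, splits both contexts into their fields, and reports which side is still running as initrc_t. The function names are hypothetical.

```python
import re

# USER_AVC record quoted in comment 6 of this report.
SAMPLE = (
    "type=USER_AVC msg=audit(1340046369.740:212): pid=0 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=error "
    "error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.193 "
    "spid=6245 tpid=6222 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    user, role, setype, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "level": level[0] if level else None}


def parse_denial(line):
    """Return perms, class and both contexts of an AVC denial, else None."""
    denied = DENIED_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not denied or len(fields) < 3:
        return None
    return {"perms": denied.group(1).split(),
            "tclass": fields["tclass"],
            "source": split_context(fields["scontext"]),
            "target": split_context(fields["tcontext"])}


def sides_in_initrc(denial):
    """Sides still running as initrc_t, i.e. started by init without a
    transition into their own domain (here: kdm labeled bin_t)."""
    return [s for s in ("source", "target") if denial[s]["type"] == "initrc_t"]


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["perms"], d["tclass"], d["source"]["type"], "->",
          d["target"]["type"], "initrc_t on:", sides_in_initrc(d))
```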

Comment 10 Miroslav Grepl 2012-06-18 20:38:15 UTC
Yes and a new build/update is on the way.

Comment 11 Rex Dieter 2012-06-18 22:05:28 UTC
*** Bug 833219 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2012-06-19 07:59:56 UTC
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

Comment 13 Rex Dieter 2012-06-19 13:19:25 UTC
*** Bug 833383 has been marked as a duplicate of this bug. ***

Comment 14 Fedora Update System 2012-06-20 00:30:12 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Kevin Kofler 2012-06-20 09:02:36 UTC
*** Bug 833627 has been marked as a duplicate of this bug. ***

Comment 16 Fedora Update System 2012-07-19 09:18:17 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Ruben Guerra Marin 2013-08-02 04:02:03 UTC
I don't know if this is the same bug, but I have the same problems on f19. I write my user and password on kdm, and when I hit enter, it takes like 10 seconds to start the splash screen, unless I wait the 10 seconds before hitting enter.

Writing "chcon -t xdm_exec_t /usr/bin/kdm" just returns:

chcon: can't apply partial context to unlabeled file ‘/usr/bin/kdm’

Any ideas if this is the same? Thanks!

Comment 18 Orion Poplawski 2013-08-02 04:38:16 UTC
It's clearly mislabeled, but it is completely unlabelled.  SELinux labels have several components, not just the "type" (what you are setting with -t).

e.g.:
# ls -lZ /usr/bin/kdm
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/kdm

Try "restorecon -v /usr/bin/kdm" to set the proper label.
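
Why `chcon -t` fails on an unlabeled file while restorecon does not, as an added example that is not part of the original report or of any commenter's post: a type-only change has to merge into an existing label, so without one there is no user, role or level to keep. `chcon_type` is a model of that behaviour, not chcon's own code; the function names and the bin_t label are constructed for illustration.

```python
import errno
import os
import sys

# Label shown by `ls -lZ /usr/bin/kdm` in comment 18.
EXPECTED = "system_u:object_r:xdm_exec_t:s0"


def read_label(path):
    """Return the file's SELinux context, or None when it has no label."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None          # unlabeled, or filesystem without xattrs
        raise
    return raw.rstrip(b"\0").decode()


def chcon_type(current, new_type):
    """Model of `chcon -t`: replace only the type field of an existing label."""
    if not current:
        # Nothing to take user, role and level from: the error in comment 17.
        raise ValueError("can't apply partial context to unlabeled file")
    user, role, _old, *level = current.split(":", 3)
    return ":".join([user, role, new_type, *level])


def label_state(current, expected=EXPECTED):
    """Classify a label against the full context the policy expects."""
    if not current:
        return "unlabeled"        # needs a full context, e.g. from restorecon
    if current.split(":", 3)[2] != expected.split(":", 3)[2]:
        return "wrong-type"       # the original bug: bin_t, not xdm_exec_t
    return "ok" if current == expected else "other-field-differs"


if __name__ == "__main__":
    before = "system_u:object_r:bin_t:s0"   # constructed: the mislabeled state
    print(label_state(before), "->", chcon_type(before, "xdm_exec_t"))
    for path in sys.argv[1:]:               # optional: check real files
        print(path, label_state(read_label(path)))
```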

Comment 19 Ruben Guerra Marin 2013-08-02 04:51:08 UTC
Thanks for answering so quickly. I tried that but I still have the problem. I even have SELinux disabled and I still have the problem, so I guess it is something other than SELinux?

Thanks!

Comment 20 Orion Poplawski 2013-08-02 05:00:05 UTC
Don't disable SELinux - that's going to lead to a lot of unlabeled files causing problems if you re-enable.  Set permissive mode (enforcing=0) instead.

If you want to try to get back to a working SELinux system do:

touch /.autorelabel

and reboot.  This will take a while to relabel everything on the system.

Comment 21 Ruben Guerra Marin 2013-08-02 05:02:50 UTC
I tried that command, and yes it took a while to relabel everything, but I'm still having the delay after I hit enter =/

Comment 22 Daniel Walsh 2013-08-02 14:49:24 UTC
Try with the force command

restorecon -F /usr/sbin/gdm

Comment 23 Kevin Kofler 2013-08-03 11:55:16 UTC
This bug is about SELinux; if you're having the issue even with SELinux disabled (as you said in comment #19), you're experiencing a DIFFERENT bug with the same symptoms.