Bug 856322

Summary: selinux prevents shutdown from GDM after login/logout cycle (F18 Alpha RC2)
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl, robatino
Target Milestone: ---
Keywords: Reopened
Hardware: All   
OS: All   
Last Closed: 2012-09-12 01:03:02 UTC
Type: Bug
Bug Blocks: 752660    

Description Adam Williamson 2012-09-11 18:59:33 UTC
I installed from F18 Alpha RC2 DVD to a KVM.

If I just boot the system to GDM and try to shut down from the menu at top right, it works fine.

If I boot to GDM, log in, log out, and then try to shut down from the menu at top right, nothing seems to happen. Looking at the system logs, an selinux denial exactly coincides with the failure. See bottom for the selinux denial. If I try and file this via the selinux GUI, it decides it's a dupe of 672409.

If I set SELinux to Permissive, then a polkit authentication dialog pops up, telling me authentication is required for powering off while 'other users' are logged in. If I enter my password, shutdown works. So the selinux denial is preventing the polkit auth process from working. (Though I don't know why exactly gdm thinks 'other users are logged in', when I just logged out.)

Proposing as Beta blocker per criterion "All release-blocking desktops' offered mechanisms (if any) for shutting down, logging out and rebooting must work".

----------

SELinux is preventing /usr/lib/polkit-1/polkit-agent-helper-1 from read access on the file system-auth-ac.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that polkit-agent-helper-1 should be allowed read access on the system-auth-ac file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:policykit_auth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                system-auth-ac [ file ]
Source                        polkit-agent-he
Source Path                   /usr/lib/polkit-1/polkit-agent-helper-1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.107-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-7.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost 3.6.0-0.rc2.git2.1.fc18.x86_64 #1
                              SMP Wed Aug 22 11:54:04 UTC 2012 x86_64 x86_64
Alert Count                   20
First Seen                    2012-09-11 17:37:45 PDT
Last Seen                     2012-09-11 18:47:25 PDT
Local ID                      c1e839fd-e621-443a-9fb8-c93adec7c325

Raw Audit Messages
type=AVC msg=audit(1347414445.472:307): avc:  denied  { read } for  pid=1745 comm="polkit-agent-he" name="system-auth-ac" dev="vda3" ino=147385 scontext=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1347414445.472:307): arch=x86_64 syscall=open success=no exit=EACCES a0=8de980 a1=0 a2=1b6 a3=238 items=0 ppid=1725 pid=1745 auid=42 uid=42 gid=42 euid=0 suid=0 fsuid=0 egid=42 sgid=42 fsgid=42 tty=(none) ses=3 comm=polkit-agent-he exe=/usr/lib/polkit-1/polkit-agent-helper-1 subj=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

Hash: polkit-agent-he,policykit_auth_t,etc_runtime_t,file,read

audit2allow

#============= policykit_auth_t ==============
allow policykit_auth_t etc_runtime_t:file read;

audit2allow -R

#============= policykit_auth_t ==============
allow policykit_auth_t etc_runtime_t:file read;

Comment 1 Miroslav Grepl 2012-09-11 19:54:56 UTC
This is old F18 release.

# sesearch -A -s policykit_auth_t -t etc_runtime_t -c file -p read -C
Found 2 semantic av rules:
   allow policykit_auth_t etc_runtime_t : file { ioctl read getattr lock open } ; 
   allow nsswitch_domain etc_runtime_t : file { ioctl read getattr lock open } ;


With the latest builds.
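The check done by hand across the description and Comment 1, as an added example that is not part of the original report: it pairs the AVC denial with its SYSCALL record by audit event id, then tests whether the `sesearch` rules quoted in Comment 1 grant the denied permission. The function names `parse_denials` and `missing_perms` are hypothetical, and the SYSCALL record is shortened to the fields the code uses.

```python
import re

# Records copied from the report (SYSCALL record shortened to the fields used here).
AUDIT_LOG = '''\
type=AVC msg=audit(1347414445.472:307): avc:  denied  { read } for  pid=1745 comm="polkit-agent-he" name="system-auth-ac" dev="vda3" ino=147385 scontext=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1347414445.472:307): arch=x86_64 syscall=open success=no exit=EACCES ppid=1725 pid=1745 auid=42 uid=42 gid=42 euid=0 comm=polkit-agent-he exe=/usr/lib/polkit-1/polkit-agent-helper-1
'''
# sesearch output quoted in Comment 1 (policy in the latest builds).
SESEARCH = '''\
   allow policykit_auth_t etc_runtime_t : file { ioctl read getattr lock open } ;
   allow nsswitch_domain etc_runtime_t : file { ioctl read getattr lock open } ;
'''

AVC_RE = re.compile(
    r'msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\(([\d.]+:\d+)\):.*?exe=(\S+)')
RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}')


def setype(context):
    """The SELinux type is the third field of user:role:type:level."""
    return context.split(':')[2]


def parse_denials(log):
    """Return one dict per AVC denial, joined to its SYSCALL record by event id."""
    exe_by_event = dict(SYSCALL_RE.findall(log))
    return [{'source': setype(m['s']), 'target': setype(m['t']),
             'tclass': m['c'], 'perms': set(m['perms'].split()),
             'exe': exe_by_event.get(m['id'])}
            for m in AVC_RE.finditer(log)]


def missing_perms(denial, sesearch_output):
    """Denied permissions that no listed rule grants to the source type directly.

    Rules written against an attribute (nsswitch_domain above) are not expanded.
    """
    granted = set()
    for src, tgt, cls, perms in RULE_RE.findall(sesearch_output):
        if (src, tgt, cls) == (denial['source'], denial['target'], denial['tclass']):
            granted |= set(perms.split())
    return denial['perms'] - granted
```

An empty result from `missing_perms` means the queried policy already covers the denial, so the fix is a policy package update rather than a local `audit2allow` module.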

Comment 2 Adam Williamson 2012-09-12 01:00:54 UTC
Yes, it's old, because it's the Alpha. We don't use builds from updates-testing in composes. If we need a newer selinux-policy for the Alpha then we need a blocker/NTH bug it fixes. Re-opening, bugs shouldn't be closed until the fixing package is in stable.

Comment 3 Adam Williamson 2012-09-12 01:03:02 UTC
I'm pretty sure this is 852403, now.

*** This bug has been marked as a duplicate of bug 852403 ***