Bug 118997 - avc denied: firstboot: "use network login" does not launch config tool
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Duplicates: 119008
Blocks: FC2Blocker
Reported: 2004-03-23 18:45 UTC by Ben Levenson
Modified: 2007-11-30 22:10 UTC
Doc Type: Bug Fix
Last Closed: 2004-05-07 03:57:37 UTC

Description Ben Levenson 2004-03-23 18:45:42 UTC
Description of problem:
received the following avc denials while trying to launch the network
login config tool from GUI firstboot ("use network login" button):

avc:  denied  { use } for  pid=3192 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd

Version-Release number of selected component (if applicable):
policy-1.9-11

Comment 1 Brent Fox 2004-03-23 18:50:59 UTC
Possible dupe of bug #118061?

Comment 2 Ben Levenson 2004-03-23 19:23:18 UTC
I don't think so, but I've added a comment to bug# 118061.

Comment 3 Daniel Walsh 2004-03-23 19:53:53 UTC
I have fixed this problem with policy-1.9-12. But there are probably
more. Could you run it in non-enforcing mode and see what happens?
Then grab the AVC messages.

Comment 4 Ben Levenson 2004-03-23 20:15:47 UTC
It turns out that I broke the first rule of SELinux testing: I forgot
to verify that "use network login" worked as expected while in 
permissive mode.  It didn't.

Anyway, here are all of the denials I get with firstboot:
(still using policy-1.9-11)

stage 1: firstboot starts X

avc:  denied  { unix_read unix_write } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { read write } for  pid=16537 exe=/usr/X11R6/bin/XFree86
key=0 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { getattr associate } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm


stage 2: clicking "use network login"

avc:  denied  { use } for  pid=16616 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd

avc:  denied  { sys_tty_config } for  pid=16616
exe=/usr/sbin/userhelper capability=26
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:userhelper_t tclass=capability


stage 3: adding a user

avc:  denied  { use } for  pid=16618 exe=/usr/sbin/useradd
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:useradd_t tcontext=system_u:system_r:init_t
tclass=fd

avc:  denied  { write } for  pid=16619 exe=/usr/bin/chfn name=fscreate
dev= ino=1089142806 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=file
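
Added example, not part of the original bug thread and not the policy maintainers' tooling: a small parser for the line-wrapped "avc: denied" records pasted in comment 4, which merges them by source type, target type and class and prints each group in the standard SELinux allow-rule form for review. The function names are hypothetical, and the printed rules are not the changes shipped in the fixed policy packages, which this page does not show.

```python
import re
from collections import defaultdict

# Four of the denials from comment 4, kept line-wrapped as they were pasted.
SAMPLE = """\
avc:  denied  { unix_read unix_write } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm
avc:  denied  { read write } for  pid=16537 exe=/usr/X11R6/bin/XFree86
key=0 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm
avc:  denied  { use } for  pid=16616 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd
avc:  denied  { sys_tty_config } for  pid=16616
exe=/usr/sbin/userhelper capability=26
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:userhelper_t tclass=capability
"""

# One record runs from "avc: denied" to the next one, across line breaks.
RECORD = re.compile(r"avc:\s+denied\s+\{([^}]*)\}(.*?)(?=avc:\s+denied|\Z)", re.S)
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for perms, rest in RECORD.findall(text):
        fields = dict(FIELD.findall(rest))  # wrapping is only whitespace here
        try:
            src = fields["scontext"].split(":")[2]  # user:role:type -> type
            tgt = fields["tcontext"].split(":")[2]
            grouped[(src, tgt, fields["tclass"])].update(perms.split())
        except (KeyError, IndexError):
            continue  # truncated record: skip it rather than guess
    return dict(grouped)

def candidate_rules(grouped):
    """Render each group as an allow rule for a policy author to review."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE))))
```

Each printed rule is a candidate to check against what the domain should be allowed to do, since a denial can also point to a mislabeled file or a missing domain transition rather than a missing permission.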

Comment 5 Ben Levenson 2004-03-23 20:21:44 UTC
opened bug# 119008 for tracking related (non-SELinux) issue.

Comment 6 Ben Levenson 2004-03-23 20:29:09 UTC
*** Bug 119008 has been marked as a duplicate of this bug. ***

Comment 7 Ben Levenson 2004-03-23 20:30:34 UTC
Issue w/ launching config tool appears to be SELinux-related after all:
Could not set exec context to system_u:sysadm_r:sysadm_t

Comment 8 Daniel Walsh 2004-03-24 20:48:23 UTC
Put lots of fixes in policy-1-9-15 that might fix this.

Dan

Comment 9 Jeremy Katz 2004-05-07 03:57:37 UTC
Closing.  Reopen if you still see it.
