Bug 118997 - avc denied: firstboot: "use network login" does not launch config tool
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Duplicates: 119008
Blocks: FC2Blocker
Reported: 2004-03-23 13:45 EST by Ben Levenson
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-05-06 23:57:37 EDT
Description Ben Levenson 2004-03-23 13:45:42 EST
Description of problem:
Received the following avc denials while trying to launch the network
login config tool from GUI firstboot ("use network login" button):

avc:  denied  { use } for  pid=3192 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd

Version-Release number of selected component (if applicable):
policy-1.9-11
Comment 1 Brent Fox 2004-03-23 13:50:59 EST
Possible dupe of bug #118061?
Comment 2 Ben Levenson 2004-03-23 14:23:18 EST
I don't think so, but I've added a comment to bug# 118061.
Comment 3 Daniel Walsh 2004-03-23 14:53:53 EST
I have fixed this problem with policy-1.9-12. But there are probably
more. Could you run it in non-enforcing mode and see what happens?
Then grab the AVC messages.
Comment 4 Ben Levenson 2004-03-23 15:15:47 EST
It turns out that I broke the first rule of SELinux testing: I forgot
to verify that "use network login" worked as expected while in 
permissive mode.  It didn't.

Anyway, here are all of the denials I get with firstboot:
(still using policy-1.9-11)

stage 1: firstboot starts X

avc:  denied  { unix_read unix_write } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { read write } for  pid=16537 exe=/usr/X11R6/bin/XFree86
key=0 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { getattr associate } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm


stage 2: clicking "use network login"

avc:  denied  { use } for  pid=16616 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd

avc:  denied  { sys_tty_config } for  pid=16616
exe=/usr/sbin/userhelper capability=26
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:userhelper_t tclass=capability


stage 3: adding a user

avc:  denied  { use } for  pid=16618 exe=/usr/sbin/useradd
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:useradd_t tcontext=system_u:system_r:init_t
tclass=fd

avc:  denied  { write } for  pid=16619 exe=/usr/bin/chfn name=fscreate
dev= ino=1089142806 scontext=system_u:system_r:initrc_t
tcontext=system_u:system_r:initrc_t tclass=file
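
Added example, not part of the original bug report or of the Fedora policy package: a Python sketch that parses AVC denials in the line-wrapped form posted in comment 4 and merges them per source type, target type and object class, which is how a list of messages collected in permissive mode is usually triaged. The function names are assumptions of this example, and SAMPLE is constructed by copying three denials from the comment above.

```python
import re
from collections import defaultdict

# Constructed sample: three denials copied from comment 4, wrapped as posted.
SAMPLE = """\
avc:  denied  { unix_read unix_write } for  pid=16537
exe=/usr/X11R6/bin/XFree86 key=0
scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { read write } for  pid=16537 exe=/usr/X11R6/bin/XFree86
key=0 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:system_r:initrc_t tclass=shm

avc:  denied  { use } for  pid=16616 exe=/usr/sbin/userhelper
path=/dev/console dev=hdb1 ino=459355
scontext=system_u:system_r:userhelper_t
tcontext=system_u:system_r:init_t tclass=fd
"""

PERMS = re.compile(r"denied\s*\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_avc(text):
    """Yield one dict per denial; a record may be wrapped over several lines."""
    for chunk in re.split(r"(?m)^\s*avc:", text)[1:]:
        m = PERMS.search(chunk)
        rec = dict(FIELD.findall(chunk))
        if not m or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # not a denial, or truncated: skip rather than guess
        rec["perms"] = set(m.group(1).split())
        yield rec

def summarize(text):
    """Map (source type, target type, class) -> union of denied permissions."""
    out = defaultdict(set)
    for rec in parse_avc(text):
        # Contexts here are user:role:type; index 2 is the type.
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        out[key] |= rec["perms"]
    return dict(out)

if __name__ == "__main__":
    for (s, t, c), perms in sorted(summarize(SAMPLE).items()):
        print(f"{s} -> {t} [{c}]: {' '.join(sorted(perms))}")
```

Each output line is one distinct access to review against the policy; the two XFree86 shm denials collapse into a single entry with four permissions.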
Comment 5 Ben Levenson 2004-03-23 15:21:44 EST
Opened bug# 119008 for tracking related (non-SELinux) issue.
Comment 6 Ben Levenson 2004-03-23 15:29:09 EST
*** Bug 119008 has been marked as a duplicate of this bug. ***
Comment 7 Ben Levenson 2004-03-23 15:30:34 EST
Issue w/ launching config tool appears to be SELinux-related after all:
Could not set exec context to system_u:sysadm_r:sysadm_t
Comment 8 Daniel Walsh 2004-03-24 15:48:23 EST
Put lots of fixes in policy-1-9-15 that might fix this.

Dan
Comment 9 Jeremy Katz 2004-05-06 23:57:37 EDT
Closing.  Reopen if you still see it.
