Bug 122969 - /var/run/xdmctl needs to be created as xdm_var_run_t
Summary: /var/run/xdmctl needs to be created as xdm_var_run_t
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy   
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords: SELinux
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-05-10 20:05 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-07-20 12:36:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Aleksey Nogin 2004-05-10 20:05:10 UTC 
kdm (and may be other dms as well) create names pipes in the
/var/run/xdmctl directory. According to file_contexts, /var/run/xdmctl
is supposed to be xdm_var_run_t (which is the correct thing, IMHO),
but it ends up being created as just var_run_t instead.

I am guessing that something like 

type_transition xdm_t var_run_t:dir xdm_var_run_t;

is needed. (Note that the same thing for :file already exists in
policy.conf).

Another workaround is adding

type_transition xdm_t var_run_t:fifo_file xdm_var_run_t;

which allows creating named pipes in /var/run/xdmctl even when it is
marked var_run_t.
Comment 1 Daniel Walsh 2004-06-02 18:44:29 UTC 
Fixed in selinux-policy-strict-1.13.2-7.src.rpm
Comment 2 Daniel Walsh 2004-07-20 12:36:16 UTC 
Fixed in Rawhide
Comment 3 Kam Leo 2006-02-12 20:57:26 UTC 
I'm getting this error with FC4 and selinux-policy-targeted-1.27.1-2.18. Is this
be fixed in targeted?
Comment 4 Kam Leo 2006-02-13 07:51:28 UTC 
After upgrading a bunch of kde packages which includes
kdebase-3.5.1-1.4.fc4.kde. The message "rm: cannot remove
'/var/run/xdmctl/dmctl' is a directory" no longer appears during boot. File
context for /var/run/xdmctl has not changed it is still var_run_t.
Comment 5 Kam Leo 2006-02-13 08:38:46 UTC 
My bad. I need to resist immediate updating of bug reports. 

The message "rm: cannot remove '/var/run/xdmctl/dmctl': Is a directory"
reappeared after upgrading the following packages:

xorg-x11-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-deprecated-libs-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-deprecated-libs-devel-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-devel-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-font-utils-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-libs-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-Mesa-libGL-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-Mesa-libGLU-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-tools-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-twm-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-xauth-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-xdm-6.8.2-37.FC4.49.2.i386.rpm
xorg-x11-xfs-6.8.2-37.FC4.49.2.i386.rpm

If this bug has been fixed why does this message still occur when KDM is enabled?
Comment 6 Daniel Walsh 2006-02-13 15:01:15 UTC 
What avc messages are you seeing?

Dan
Comment 7 Kam Leo 2006-02-13 19:10:06 UTC 
There are no AVC messages in /var/log/audit/audit.log regarding this error. The
error message appears immediately after "Enabling local filesystem quotas" is
displayed which is several processes before auditd is started.
Comment 8 Daniel Walsh 2006-02-15 18:04:53 UTC 
Is /var/run/xdmctl/dmctl a directory?
Does this happen if you setenforce 0?

If yes then this is not an SELinux problem.
Comment 9 Kam Leo 2006-02-16 08:59:03 UTC 
1. The file_context for /var/run/xdmctl changed to xdm_var_run_t after upgrading
to selinux-policy-targeted-1.27.1-2.22. So as far as this bug is concerned all
is fixed.

2. /var/run/xdmctl/dmctl is a directory. When selinux=0 is set in grub the error
still occurs. Therefore not a selinux, but a KDM problem. I'll check to see if
it is worthwhile entering a bug with KDE.
Note You need to log in before you can comment on or make changes to this bug.