Bug 1466352 - SELinux is preventing /usr/libexec/gdm-session-worker from create access on the directory gdm.
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: BaseOS QE Security Team
Depends On:
Blocks:
Reported: 2017-06-29 09:23 EDT by nate.dailey
Modified: 2017-06-30 04:58 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-30 04:58:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description nate.dailey 2017-06-29 09:23:56 EDT
Description of problem:

# sealert -l 0baa83cb-1dc3-4978-9cab-956d43a0278b
SELinux is preventing /usr/libexec/gdm-session-worker from create access on the directory gdm.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow polyinstantiation to enabled
Then you must tell SELinux about this by enabling the 'polyinstantiation_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P polyinstantiation_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that gdm-session-worker should be allowed create access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -i my-gdmsessionwor.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                gdm [ dir ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          lin303.mno.stratus.com
Source RPM Packages           gdm-3.22.3-11.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-164.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lin303.mno.stratus.com
Platform                      Linux lin303.mno.stratus.com 3.10.0-685.el7.x86_64
                              #1 SMP Tue Jun 20 00:14:41 EDT 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-06-29 09:01:45 EDT
Last Seen                     2017-06-29 09:06:01 EDT
Local ID                      0baa83cb-1dc3-4978-9cab-956d43a0278b

Raw Audit Messages
type=AVC msg=audit(1498741561.166:477): avc:  denied  { create } for  pid=21802 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


type=SYSCALL msg=audit(1498741561.166:477): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=55c7d617c800 a1=1c0 a2=55c7d617c810 a3=0 items=0 ppid=21771 pid=21802 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,admin_home_t,dir,create


Version-Release number of selected component (if applicable):

I see this on RHEL 7.4, up through Snapshot-5. Not sure which components are involved, but:

selinux-policy-targeted-3.13.1-164.el7.noarch
selinux-policy-3.13.1-164.el7.noarch
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
libselinux-devel-2.5-11.el7.x86_64
libselinux-python-2.5-11.el7.x86_64


How reproducible:

Every time, logging in to GUI as root.


Steps to Reproduce:
1. Log in to the GUI as root (SELinux enforcing), and this happens. 


Actual results:

Alert.


Expected results:

No alert--this didn't happen in 7.3.


Additional info:

I've seen reference to SELinux/GUI login as root being unsupported, so apologies if this is not-a-bug.
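For triage, the raw `type=AVC` line above carries everything sealert condenses into its `Hash:` key. The parser below is an added example (not part of this bug report, and not setroubleshoot's own code) that extracts the source/target types, class and permissions from such a record and rebuilds that key; the way it joins multiple permissions is an assumption, since the report shows only a single one.

```python
import re
from typing import Optional

# Constructed sample: the AVC record quoted in this bug report, embedded so
# the parser runs offline (in practice feed it lines from `ausearch --raw`).
SAMPLE_AVC = (
    'type=AVC msg=audit(1498741561.166:477): avc:  denied  { create } for  '
    'pid=21802 comm="gdm-session-wor" name="gdm" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one raw audit AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        # A context is user:role:type[:range]; policy rules key on the type.
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
    }


def sealert_hash(rec: dict) -> str:
    """Rebuild the 'Hash:' line sealert prints: comm,stype,ttype,tclass,perms.
    Joining several permissions with a space is an assumption (the report
    only shows one)."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'],
                     rec['tclass'], ' '.join(rec['perms'])])


def is_root_gui_login_denial(rec: dict) -> bool:
    """The pattern in this report: the display manager (xdm_t) denied on
    root's home (admin_home_t), i.e. a graphical login as root."""
    return (rec['result'] == 'denied' and rec['stype'] == 'xdm_t'
            and rec['ttype'] == 'admin_home_t')
```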
Comment 2 Lukas Vrabec 2017-06-30 04:58:33 EDT
Hi, 

This scenario is not recommended and not supported from SELinux POV. Please login as normal user not root. 

Thanks,
Lukas.
