From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8b3) Gecko/20050818 Fedora/1.1-0.2.7.deerpark.alpha2.1 Firefox/1.0+ Description of problem: After upgrading to today's rawhide, I could no longer start a failsafe terminal from gdm. After saying displaying the dialogue in which it informs terminating the xterm will terminate the session, when you press enter, a new dialogue opens up saying an internal error occurred and the session couldn't be started. It then says the session has left a ~/.xsession-errors file with errors, but no such file was created. A new gdm login screen shows up afterwards. Version-Release number of selected component (if applicable): gdm-2.8.0.2-1 How reproducible: Always Steps to Reproduce: 1.Try to start a fail safe terminal from gdm Actual Results: It triggers an internal error in gdm Expected Results: It worked with yesterday's rawhide Additional info:
Turns out this is a selinux problem. gdm-binary fails to exec xterm. Here's the audit.log snippet: type=AVC msg=audit(1124569909.855:395): avc: denied { transition } for pid=4996 comm="gdm-binary" name="xterm" dev=dm-2 ino=1351752 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process type=SYSCALL msg=audit(1124569909.855:395): arch=40000003 syscall=11 success=yes exit=0 a0=892a780 a1=bff7eb30 a2=892a488 a3=891ad1c items=2 pid=4996 auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404 fsgid=404 comm="xterm" exe="/usr/bin/xterm" type=AVC_PATH msg=audit(1124569909.855:395): path="/usr/bin/xterm" type=CWD msg=audit(1124569909.855:395): cwd="/l/home/aoliva" type=PATH msg=audit(1124569909.855:395): item=0 name="/usr/bin/xterm" flags=101 inode=1351752 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124569909.855:395): item=1 flags=101 inode=266082 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 Should gdm-binary be running as init_t, or is this a fallout from changes in file names in gdm that require changes in the selinux context specs? A simple work-around to get a failsafe term is to setenforce 0.
It turns out that it's not only the failsafe terminal that's broken. Starting a default (gnome) session is broken in just the same way :-(
I forgot to post the audit logs for the default session, here they are: type=AVC msg=audit(1124572643.945:81): avc: denied { transition } for pid=3518 comm="gdm-binary" name="Xsession" dev=dm-1 ino=362615 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process type=SYSCALL msg=audit(1124572643.945:81): arch=c000003e syscall=59 success=yes exit=0 a0=646350 a1=7fffffd3dcd0 a2=66bb60 a3=66c200 items=3 pid=3518 auid=4294967295 uid=404 gid=404 euid=404 suid=404 fsuid=404 egid=404 sgid=404 fsgid=404 comm="Xsession" exe="/bin/bash" type=AVC_PATH msg=audit(1124572643.945:81): path="/etc/X11/xdm/Xsession" type=CWD msg=audit(1124572643.945:81): cwd="/l/home/aoliva" type=PATH msg=audit(1124572643.945:81): item=0 name="/etc/X11/xdm/Xsession" flags=101 inode=362615 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124572643.945:81): item=1 flags=101 inode=1998886 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1124572643.945:81): item=2 flags=101 inode=951472 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
Problem appears to be caused by the 'moving' of gdm-binary from /usr/bin to /usr/sbin. The following 'patch' made it work for me (of course, you need to 'make load'): --- /tmp/xdm.fc 2005-08-21 18:12:10.000000000 -0700 +++ ./xdm.fc 2005-08-21 17:55:35.000000000 -0700 @@ -3,7 +3,7 @@ /usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t /opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t /usr/bin/gpe-dm -- system_u:object_r:xdm_exec_t -/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t +/usr/(s)?bin/gdm-binary -- system_u:object_r:xdm_exec_t /var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t /usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t /var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
So for now, one workaround that allows you to stay in enforcing mode is to chcon -t xdm_exec_t /usr/sbin/gdm-binary and reboot.
selinux-policy-targeted-1.25.4-8 has fix
Fixed, indeed. Thanks!