Bug 166761 - GDM Login failure with SELinux enabled
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-08-25 09:00 EDT by James Laska
Modified: 2013-09-02 02:06 EDT (History)
Last Closed: 2005-08-25 10:13:52 EDT


Description James Laska 2005-08-25 09:00:02 EDT
# RPMS  gdm-2.8.0.2-2.i386 
#       libselinux-1.25.2-1.i386.rpm
#       selinux-policy-targeted-1.25.4-5.noarch.rpm

Attempting to login to gdm with selinux targeted policy enabled fails.  A dialog
appears stating:

  "Cannot start the session due to some internal error."

I am able to login without error if I disable selinux $(setenforce 0).  When
selinux is enabled and my logins are rejected, I observe the following selinux
avc denial:

==> /var/log/messages <==
Aug 25 08:55:29 flatline gdm(pam_unix)[5126]: session opened for user guest by
(uid=0)
Aug 25 08:55:29 flatline kernel: audit(1124974529.816:7): avc:  denied  {
transition } for  pid=5187 comm="gdm-binary" name="Xsession" dev=hda5
ino=1933254 scontext=system_u:system_r:init_t
tcontext=user_u:system_r:unconfined_t tclass=process
Aug 25 08:55:29 flatline gdm[5187]: session_child_run: Could not exec
/etc/X11/xdm/Xsession default
Aug 25 08:55:42 flatline gdm(pam_unix)[5126]: session closed for user guest
Aug 25 08:55:42 flatline kernel: agpgart: Found an AGP 2.0 compliant device at
0000:00:00.0.
Aug 25 08:55:42 flatline kernel: agpgart: Putting AGP V2 device at 0000:00:00.0
into 1x mode
Aug 25 08:55:42 flatline kernel: agpgart: Putting AGP V2 device at 0000:01:00.0
into 1x mode


Using audit2allow I can see the following potentially resolve the issue:

[root@flatline jlaska]# audit2allow
Aug 25 08:55:29 flatline kernel: audit(1124974529.816:7): avc:  denied  {
transition } for  pid=5187 comm="gdm-binary" name="Xsession" dev=hda5
ino=1933254 scontext=system_u:system_r:init_t
tcontext=user_u:system_r:unconfined_t tclass=process

allow init_t unconfined_t:process transition;
Comment 1 Daniel Walsh 2005-08-25 09:18:30 EDT
Update to the latest policy and make sure /usr/sbin/gdm-binary has xdm_exec_t as
a context.
Comment 2 James Laska 2005-08-25 09:34:54 EDT
Tried ...

  $ fixfiles -R / restore 

and ...

  $ fixfiles relabel /

also did not resolve the issue.

# ls -Z /usr/sbin/gdm-binary
-rwxr-xr-x  root     root     system_u:object_r:xdm_exec_t     /usr/sbin/gdm-binary

Updating to selinux-policy-targeted-1.25.4-8 does not appear to resolve the
issue for me.  I'm going to attempt a relabel on reboot and see how that fares ...
Comment 3 Thomas J. Baker 2005-08-25 09:40:35 EDT
I did a "fixfiles relabel" and it fixed it for me. (I had to restart gdm but it
worked after that.) I've only got selinux-policy-targeted-1.25.4-5 currently
installed.
Comment 4 Daniel Walsh 2005-08-25 09:45:44 EDT
ps -eZ | grep gdm.

The proper way to relabel is 
touch /.autorelabel
reboot

fixfiles -R / restore (Means find the RPM package / and restore all files owned
by it)

Comment 5 James Laska 2005-08-25 10:13:52 EDT
dwalsh: thanks for the tips, making a note for future reference here ;)

$ touch /.autorelabel

and a reboot did the trick

I was also retesting by way of gdm inside of Xnest (not sure if the pids were
getting any new contexts).

Changing this issue to RESOLVED/RAWHIDE
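
Added example (not part of the original bug report or of any Fedora tooling): a small triage script for the AVC denial quoted in the description. It rebuilds the rule audit2allow printed and checks the source domain first, since gdm-binary showing up in init_t points at labeling rather than at a missing allow rule. The EXPECTED_DOMAIN table and the function names are assumptions made for this illustration.

```python
import re

# AVC denial from the description above, wrapped as it was posted.
SAMPLE_LOG = """\
Aug 25 08:55:29 flatline kernel: audit(1124974529.816:7): avc:  denied  {
transition } for  pid=5187 comm="gdm-binary" name="Xsession" dev=hda5
ino=1933254 scontext=system_u:system_r:init_t
tcontext=user_u:system_r:unconfined_t tclass=process
"""

# Assumption: xdm_t is the domain entered through xdm_exec_t, the label
# Comment 1 asks for on /usr/sbin/gdm-binary.
EXPECTED_DOMAIN = {"gdm-binary": "xdm_t"}

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*?tclass=\S+)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial, tolerating wrapped log lines."""
    flat = " ".join(text.split())  # undo wrapping and double spaces
    denials = []
    for m in AVC_RE.finditer(flat):
        d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        d["perms"] = m.group("perms").split()
        # Type is the third colon-separated field of user:role:type[:level]
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def allow_rule(d):
    """Format the rule the way audit2allow prints it on this page."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)


def triage(d):
    """Flag denials whose source domain shows the daemon never left init_t."""
    want = EXPECTED_DOMAIN.get(d["comm"])
    if want and d["stype"] != want:
        return "check labels: %s runs in %s, expected %s" % (d["comm"], d["stype"], want)
    return "review rule: " + allow_rule(d)


if __name__ == "__main__":
    for denial in parse_avc(SAMPLE_LOG):
        print(allow_rule(denial))
        print(triage(denial))
```

A "check labels" result corresponds to the path taken in this report: confirm the file context with ls -Z, the process context with ps -eZ, then relabel and restart instead of loading the generated allow rule.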
