Description of problem:
When nss_ldap is enabled, xfs attempts to contact the LDAP server when it starts. SELinux blocks the connection. xfs attempts to contact the LDAP server again when an X server connects; when xfs is unable to contact the LDAP server, it refuses the connection from the X server, and X fails, because it cannot find the 'fixed' font.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.40-1.fc5

How reproducible:
100%

Steps to Reproduce:
1. Enable nss_ldap and SELinux targeted policy.
2. service start xfs
3. telinit 5 (to start X server)

Actual results:
X fails to start

Expected results:
X should start successfully

Additional info:
Eventually, xfs appears to give up on contacting the LDAP server. At this point, it is possible to start X.
Created attachment 129768 (audit.log from xfs startup)
Workaround is to add 'xfs' user to nss_initgroups_ignoreusers in /etc/ldap.conf.
Fixed in selinux-policy-2.2.47-3
It still does not work for me. I installed selinux-policy-targeted-2.2.47-3.fc5, did a complete relabeling, but still get the following audit messages when trying to start xfs (by "service xfs restart"):

type=AVC msg=audit(1152024317.140:105): avc: denied { read } for pid=2973 comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0 gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:105): cwd="/"
type=PATH msg=audit(1152024317.140:105): item=0 name="/dev/urandom" inode=1640 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
type=AVC msg=audit(1152024317.140:106): avc: denied { read } for pid=2973 comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:106): arch=40000003 syscall=5 success=no exit=-13 a0=a2cc72 a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0 gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:106): cwd="/"
type=PATH msg=audit(1152024317.140:106): item=0 name="/dev/random" inode=1634 dev=00:0f mode=020666 ouid=0 ogid=0 rdev=01:08 obj=system_u:object_r:random_device_t:s0
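As an added example that is not part of this bug report or of the Fedora policy package, the following Python script parses AVC records of the shape quoted in the comment above into structured denials, counts them by (source type, target type, object class, permission), and renders each distinct denial as the type-enforcement allow rule that audit2allow would propose for review. The sample log embedded in the script is constructed from the two AVC lines above plus one abbreviated SYSCALL record that the parser is expected to skip; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records from the comment above and
# one SYSCALL record (non-AVC records such as SYSCALL, CWD and PATH are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1152024317.140:105): avc: denied { read } for pid=2973 comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no exit=-13 pid=2973 comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=AVC msg=audit(1152024317.140:106): avc: denied { read } for pid=2973 comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

# Header of an AVC record; tolerant of the double spaces real auditd output uses.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): +avc: +"
    r"(?P<verdict>denied|granted) +\{(?P<perms>[^}]*)\} +for +(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def _type_of(context):
    """Return the type component (third field) of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q if q != "" else u) for k, q, u in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def parse_audit_log(text):
    """Return the list of parsed AVC records in text, in file order."""
    return [rec for rec in (parse_avc(line) for line in text.splitlines()) if rec]


def summarize(text):
    """Count denials keyed by (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in parse_audit_log(text):
        if rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def allow_rules(text):
    """Render each distinct denial as the TE allow rule audit2allow would propose, sorted."""
    rules = {f"allow {s} {t}:{c} {p};" for (s, t, c, p) in summarize(text)}
    return sorted(rules)


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f'{rec["comm"]} ({_type_of(rec["scontext"])}) denied '
              f'{" ".join(rec["perms"])} on {rec["name"]} '
              f'({_type_of(rec["tcontext"])}:{rec["tclass"]})')
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the sample, the summary shows that the xfs_t domain was denied read on both random_device_t and urandom_device_t character devices, which is exactly the gap the later policy builds closed; the generated rules are the candidate module contents a policy maintainer would review before shipping them.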
The bug seems to be fixed in selinux-policy-targeted-2.3.3-8.fc5. Thanks.