Bug 192566 - xfs AVC w/ nss_ldap breaks X
Summary: xfs AVC w/ nss_ldap breaks X
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i686
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 192555
Reported: 2006-05-20 20:06 UTC by Ian Pilcher
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-01 15:25:19 UTC
Type: ---
Embargoed:


Attachments
audit.log from xfs startup (13.46 KB, text/plain)
2006-05-20 20:06 UTC, Ian Pilcher

Description Ian Pilcher 2006-05-20 20:06:02 UTC
Description of problem:

When nss_ldap is enabled, xfs attempts to contact the LDAP server when it
starts.  SELinux blocks the connection.  xfs attempts to contact the LDAP
server again when an X server connects; when xfs is unable to contact the
LDAP server, it refuses the connection from the X server, and X fails,
because it cannot find the 'fixed' font.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.2.40-1.fc5


How reproducible:

100%


Steps to Reproduce:
1. Enable nss_ldap and SELinux targeted policy.
2. service start xfs
3. telinit 5 (to start X server)
  
Actual results:

X fails to start


Expected results:

X should start successfully


Additional info:

Eventually, xfs appears to give up on contacting the LDAP server.  At this
point, it is possible to start X.

Comment 1 Ian Pilcher 2006-05-20 20:06:02 UTC
Created attachment 129768 [details]
audit.log from xfs startup

Comment 2 Ian Pilcher 2006-05-20 20:23:03 UTC
Workaround is to add 'xfs' user to nss_initgroups_ignoreusers in /etc/ldap.conf.

Comment 3 Daniel Walsh 2006-06-16 02:21:28 UTC
Fixed in selinux-policy-2.2.47-3

Comment 4 Joachim Selke 2006-07-04 14:50:53 UTC
It still does not work for me. I installed selinux-policy-targeted-2.2.47-3.fc5,
did a complete relabeling, but still get the following audit messages when
trying to start xfs (by "service xfs restart"):

type=AVC msg=audit(1152024317.140:105): avc:  denied  { read } for  pid=2973
comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no
exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:105):  cwd="/"
type=PATH msg=audit(1152024317.140:105): item=0 name="/dev/urandom" inode=1640
dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
obj=system_u:object_r:urandom_device_t:s0
type=AVC msg=audit(1152024317.140:106): avc:  denied  { read } for  pid=2973
comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:106): arch=40000003 syscall=5 success=no
exit=-13 a0=a2cc72 a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:106):  cwd="/"
type=PATH msg=audit(1152024317.140:106): item=0 name="/dev/random" inode=1634
dev=00:0f mode=020666 ouid=0 ogid=0 rdev=01:08
obj=system_u:object_r:random_device_t:s0
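
The AVC records above are the raw material for deciding what a policy fix has to grant. The following script is an added example (not from the bug, the reporter or the selinux-policy package): it parses audit `type=AVC` lines, groups the denied permissions by source type, target type and object class, and renders them as allow-rule text, roughly what `audit2allow` does. The sample log is constructed from the two denials in Comment 4 with the line wrapping joined back, plus the first SYSCALL record to show that non-AVC lines are ignored. Nothing here loads policy; whether `xfs_t` reading `random_device_t` and `urandom_device_t` is a legitimate access is the judgement the maintainer makes (here it was, hence the policy update), and the rendered rules are a starting point for that review, not something to pass to `semodule` unread.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from Comment 4 (line wraps joined),
# plus one SYSCALL record that the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1152024317.140:105): avc:  denied  { read } for  pid=2973 comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0 gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=AVC msg=audit(1152024317.140:106): avc:  denied  { read } for  pid=2973 comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

# Header of an AVC record: timestamp, serial, verdict and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a type=AVC line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(':')[2]


def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return dict(summary)


def suggested_rules(log_text):
    """Render the summary as allow-rule lines, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in summarize_denials(log_text).items():
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_text))
    return sorted(rules)


if __name__ == '__main__':
    for rule in suggested_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the sample, the script prints one rule per denied (source, target, class) triple, which for Comment 4 is `xfs_t` needing `read` on `random_device_t` and `urandom_device_t` as `chr_file`. Pointing it at a real `/var/log/audit/audit.log` works the same way, since records there are single lines; only the bug-page copy was wrapped.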

Comment 5 Joachim Selke 2006-08-01 14:20:30 UTC
The bug seems to be fixed in selinux-policy-targeted-2.3.3-8.fc5. Thanks.
