Bug 192566 - xfs AVC w/ nss_ldap breaks X
xfs AVC w/ nss_ldap breaks X
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 5
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
: SELinux
Blocks: 192555
Reported: 2006-05-20 16:06 EDT by Ian Pilcher
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-08-01 11:25:19 EDT


Attachments
audit.log from xfs startup (13.46 KB, text/plain)
2006-05-20 16:06 EDT, Ian Pilcher
Description Ian Pilcher 2006-05-20 16:06:02 EDT
Description of problem:

When nss_ldap is enabled, xfs attempts to contact the LDAP server when it
starts.  SELinux blocks the connection.  xfs attempts to contact the LDAP
server again when an X server connects; when xfs is unable to contact the
LDAP server, it refuses the connection from the X server, and X fails,
because it cannot find the 'fixed' font.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.2.40-1.fc5


How reproducible:

100%


Steps to Reproduce:
1. Enable nss_ldap and SELinux targeted policy.
2. service start xfs
3. telinit 5 (to start X server)
Actual results:

X fails to start


Expected results:

X should start successfully


Additional info:

Eventually, xfs appears to give up on contacting the LDAP server.  At this
point, it is possible to start X.
Comment 1 Ian Pilcher 2006-05-20 16:06:02 EDT
Created attachment 129768
audit.log from xfs startup
Comment 2 Ian Pilcher 2006-05-20 16:23:03 EDT
Workaround is to add 'xfs' user to nss_initgroups_ignoreusers in /etc/ldap.conf.
Comment 3 Daniel Walsh 2006-06-15 22:21:28 EDT
Fixed in selinux-policy-2.2.47-3
Comment 4 Joachim Selke 2006-07-04 10:50:53 EDT
It still does not work for me. I installed selinux-policy-targeted-2.2.47-3.fc5,
did a complete relabeling, but still get the following audit messages when
trying to start xfs (by "service xfs restart"):

type=AVC msg=audit(1152024317.140:105): avc:  denied  { read } for  pid=2973
comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no
exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:105):  cwd="/"
type=PATH msg=audit(1152024317.140:105): item=0 name="/dev/urandom" inode=1640
dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09
obj=system_u:object_r:urandom_device_t:s0
type=AVC msg=audit(1152024317.140:106): avc:  denied  { read } for  pid=2973
comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:106): arch=40000003 syscall=5 success=no
exit=-13 a0=a2cc72 a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0
gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs"
exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:106):  cwd="/"
type=PATH msg=audit(1152024317.140:106): item=0 name="/dev/random" inode=1634
dev=00:0f mode=020666 ouid=0 ogid=0 rdev=01:08
obj=system_u:object_r:random_device_t:s0
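An added example, not part of this bug report, its attachment, or the Fedora policy tooling: a small Python parser that groups Linux audit records by event id, joins each AVC denial with its SYSCALL and PATH records, and summarises which domain was denied which permission on which object. The first two events in the sample are the records from comment 4 re-joined onto one line each; the third event is a constructed name_connect denial against an assumed ldap_port_t target, added to illustrate the kind of denial the bug description attributes to nss_ldap, and does not come from the attached audit.log.

```python
"""Group Linux audit records by event id and summarise SELinux AVC denials."""
import re
from collections import Counter, defaultdict

# Sample audit.log excerpt (constructed for this example). Events :105 and :106
# are the records quoted in comment 4, re-joined onto one line per record.
# Event :107 is a CONSTRUCTED name_connect denial and is not from the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1152024317.140:105): avc:  denied  { read } for  pid=2973 comm="xfs" name="urandom" dev=tmpfs ino=1640 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:105): arch=40000003 syscall=5 success=no exit=-13 a0=a055dc a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0 gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:105):  cwd="/"
type=PATH msg=audit(1152024317.140:105): item=0 name="/dev/urandom" inode=1640 dev=00:0f mode=020444 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
type=AVC msg=audit(1152024317.140:106): avc:  denied  { read } for  pid=2973 comm="xfs" name="random" dev=tmpfs ino=1634 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1152024317.140:106): arch=40000003 syscall=5 success=no exit=-13 a0=a2cc72 a1=900 a2=108 a3=bf814f34 items=1 pid=2973 auid=0 uid=0 gid=43 euid=0 suid=0 fsuid=0 egid=43 sgid=43 fsgid=43 tty=(none) comm="xfs" exe="/usr/bin/xfs" subj=root:system_r:xfs_t:s0
type=CWD msg=audit(1152024317.140:106):  cwd="/"
type=PATH msg=audit(1152024317.140:106): item=0 name="/dev/random" inode=1634 dev=00:0f mode=020666 ouid=0 ogid=0 rdev=01:08 obj=system_u:object_r:random_device_t:s0
type=AVC msg=audit(1152024317.140:107): avc:  denied  { name_connect } for  pid=2973 comm="xfs" dest=389 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set inside an AVC record: avc:  denied  { read write } for ...
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_audit_log(text):
    """Group raw audit lines by event id (the 'timestamp:serial' inside msg=audit(...))."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, wrapped fragment, etc.)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        events[m.group("event")].append((m.group("type"), fields, m.group("body")))
    return events


def summarise_denials(text):
    """One summary dict per AVC 'denied' record, joined with the SYSCALL and PATH
    records of the same event (for events with several PATH items, the last wins)."""
    summaries = []
    for event, records in parse_audit_log(text).items():
        by_type = {rtype: fields for rtype, fields, _ in records if rtype != "AVC"}
        for rtype, fields, body in records:
            if rtype != "AVC":
                continue
            pm = PERMS_RE.search(body)
            if not pm or pm.group(1) != "denied":
                continue
            syscall = by_type.get("SYSCALL", {})
            path = by_type.get("PATH", {})
            summaries.append({
                "event": event,
                "perms": tuple(pm.group(2).split()),
                "source_type": fields["scontext"].split(":")[2],  # e.g. xfs_t
                "target_type": fields["tcontext"].split(":")[2],  # e.g. urandom_device_t
                "tclass": fields["tclass"],
                "comm": fields.get("comm"),
                "exe": syscall.get("exe"),
                "path": path.get("name", fields.get("name")),
                "success": syscall.get("success"),  # "no" confirms the call really failed
            })
    return summaries


def denial_histogram(summaries):
    """Count denials by (source domain, object class, target type, permission).
    This is the grouping audit2allow works from, presented here as a review
    report rather than turned into allow rules."""
    counts = Counter()
    for s in summaries:
        for perm in s["perms"]:
            counts[(s["source_type"], s["tclass"], s["target_type"], perm)] += 1
    return counts


def check_expected_domain(summaries, expected):
    """Return denials whose process runs in a domain other than the one expected
    for its comm name (e.g. expected={"xfs": "xfs_t"}). A mismatch usually points
    at a labelling or domain-transition problem, not a missing allow rule."""
    return [s for s in summaries
            if s["comm"] in expected and s["source_type"] != expected[s["comm"]]]


if __name__ == "__main__":
    found = summarise_denials(SAMPLE_AUDIT_LOG)
    for s in found:
        print(f"{s['event']}: {s['source_type']} denied {' '.join(s['perms'])} on "
              f"{s['tclass']} {s['target_type']} ({s['path'] or 'n/a'}) exe={s['exe']}")
    for key, n in denial_histogram(found).items():
        print(f"{n}x allow {key[0]} {key[2]}:{key[1]} {{ {key[3]} }};  # candidate for review")
    print("domain mismatches:", check_expected_domain(found, {"xfs": "xfs_t"}))
```

The histogram lines are deliberately printed as candidates for review, not applied: before granting xfs_t read on random_device_t or name_connect on ldap_port_t, confirm that the denial really failed the operation (success=no on the SYSCALL record) and that the process is in the domain the policy expects, since a process that ended up in the wrong domain produces denials no allow rule should paper over.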
Comment 5 Joachim Selke 2006-08-01 10:20:30 EDT
The bug seems to be fixed in selinux-policy-targeted-2.3.3-8.fc5. Thanks.