Description of problem:
Trying to remove the debug kernels from my system fails with:

audit(1171647763.891:112): avc: denied { transition } for pid=3757 comm="rpm" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

or

audit(1171647636.054:104): avc: denied { transition } for pid=3690 comm="yum" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

rpm -e kernel-debug-2.6.19-1.2911.fc6.i686
error: %preun(kernel-debug-2.6.19-1.2911.fc6.i686) scriptlet failed, exit status 255

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-37.fc6

How reproducible:
Every time

Other denials:

audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus

Looks like all of the desktop spawned processes are in the xdm_t context:

system_u:system_r:xdm_t:SystemLow-SystemHigh root 2517 2489 0 10:06 ? 00:00:00 kdm -noda
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2549 2517 2 10:06 tty7 00:01:07 /usr/b
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2550 2517 0 10:06 ? 00:00:00 -:0
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2566 2550 0 10:06 ? 00:00:00 -/bin/tc
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2641 2566 0 10:06 ? 00:00:00 /bin/sh
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2642 2641 0 10:06 ? 00:00:00 /usr/bin
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2645 1 0 10:06 ? 00:00:00 /usr/bin/
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2646 1 0 10:06 ? 00:00:00 /bin/dbus
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2720 1 0 10:06 ? 00:00:00 start_kde
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2721 1 0 10:06 ? 00:00:00 kdeinit R
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2724 1 0 10:06 ? 00:00:00 dcopserve
........

As you can see, this is the KDE desktop launched from kdm.
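An added example, not part of the bug report, that parses the AVC records quoted above and surfaces the pattern the reporter describes: commands denied a domain transition while still running in xdm_t. The sample records are copied from the report; the helper names (parse_avc, summarize, misplaced_session_processes) and the login_domain parameter are my own.

```python
import re
from collections import Counter

# Sample records copied from the report above: two kernel AVC lines and one
# dbus "user" record whose AVC text is embedded in msg='...'.
SAMPLE_AUDIT = """\
audit(1171647763.891:112): avc: denied { transition } for pid=3757 comm="rpm" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
audit(1171647636.054:104): avc: denied { transition } for pid=3690 comm="yum" name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def domain(context):
    """Third field of an SELinux context, e.g. xdm_t from system_u:system_r:xdm_t:s0."""
    return context.split(":")[2]


def parse_avc(line):
    """Return denied permissions, source/target domains, class and comm, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "sdomain": domain(fields["scontext"]),
        "tdomain": domain(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def summarize(text):
    """Count denials by (source domain, target domain, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["tdomain"], rec["tclass"], perm)] += 1
    return counts


def misplaced_session_processes(text, login_domain="xdm_t"):
    """Commands denied a process transition while still in the display manager's
    domain: the signature of a login session that never left xdm_t."""
    return sorted({rec["comm"] for rec in filter(None, map(parse_avc, text.splitlines()))
                   if rec["sdomain"] == login_domain and rec["tclass"] == "process"
                   and "transition" in rec["perms"]})
```

On a healthy FC6 desktop the same check over /var/log/audit/audit.log should return an empty list, because session processes run in unconfined_t and rpm's transition to rpm_script_t is allowed from there.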
This looks like you had some bad transitions. I.e. you are logged in as xdm_t instead of unconfined_t. I think you need the pam_selinux.so added to the kdm pam file?
Well, it used to work before I rebooted today (to get the new kernel) with the new selinux-policy installed.

[root@cynosure pam.d]# cat kdm
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_selinux.so
session    optional     pam_console.so
Any other error (avc) messages?
Just variations on the send_msg one:

Feb 16 10:06:59 cynosure kernel: audit(1171645619.568:5): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Manager member=GetAllDevices dest=org.freedesktop.Hal spid=2728 tpid=2415 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hald_t:s0 tclass=dbus
Feb 16 10:07:18 cynosure kernel: audit(1171645638.667:6): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=2728 tpid=2403 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus
Feb 16 14:10:07 cynosure kernel: audit(1171660207.804:644): user pid=2156 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus

But they are all for dbus-system:

system_u:system_r:system_dbusd_t dbus 2156 1 0 10:05 ? 00:00:00 dbus-daemon --system
With the debug argument for pam_selinux:

Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo security context to (null)

Is that "(null)" something that is expected to appear there?
I tried to revert back to pam-0.99.6.2-3.9.fc6.i386 from pam-0.99.6.2-3.15.fc6.i386 and it solves the problem for me.

Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo security context to user_u:system_r:unconfined_t

The session is started with the unconfined_t domain. Looks like a pam_selinux issue, not a policy issue.
*** Bug 229667 has been marked as a duplicate of this bug. ***
pam-0.99.6.2-3.16.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.