Bug 229039 - KDE/kdm session no longer runs in unconfined_t with pam_selinux 0.99.6.2-3.15
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
Duplicates: 229667
Reported: 2007-02-16 12:50 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-23 06:16:42 EST

Description Orion Poplawski 2007-02-16 12:50:20 EST
Description of problem:

Trying to remove the debug kernels from my system fails with:

audit(1171647763.891:112): avc:  denied  { transition } for  pid=3757 comm="rpm"
name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

or

audit(1171647636.054:104): avc:  denied  { transition } for  pid=3690 comm="yum"
name="bash" dev=hda8 ino=883051 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

rpm -e kernel-debug-2.6.19-1.2911.fc6.i686
error: %preun(kernel-debug-2.6.19-1.2911.fc6.i686) scriptlet failed, exit status 255

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-37.fc6

How reproducible:
Every time


Other denials:

audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified
dest=org.freedesktop.DBus spid=2415 tpid=2728
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus


Looks like all of the desktop spawned processes are in the xdm_t context:

system_u:system_r:xdm_t:SystemLow-SystemHigh root 2517 2489  0 10:06 ? 00:00:00
kdm -noda
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2549 2517  2 10:06 tty7
00:01:07 /usr/b
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2550 2517  0 10:06 ? 00:00:00 -:0
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2566 2550  0 10:06 ? 00:00:00
-/bin/tc
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2641 2566  0 10:06 ? 00:00:00
/bin/sh
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2642 2641  0 10:06 ? 00:00:00
/usr/bin
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2645 1  0 10:06 ?   00:00:00
/usr/bin/
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2646 1  0 10:06 ?   00:00:00
/bin/dbus
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2720 1  0 10:06 ?   00:00:00
start_kde
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2721 1  0 10:06 ?   00:00:00
kdeinit R
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2724 1  0 10:06 ?   00:00:00
dcopserve
........

As you can see, this is the KDE desktop launched from kdm.
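The two symptoms in this report can be checked mechanically: session processes owned by the logged-in user that are still in the display manager's domain, and AVC denials that have that domain as source or target. The following script is an added example, not code from the bug report or from Fedora/pam; the process listing is a constructed sample modelled on the description (commands chosen for illustration), the two AVC records are the description's own, rejoined onto single lines, and it also accepts the dbus-style user-space AVC records shown in Comment 4.

```python
"""Audit a display-manager session for SELinux domain-transition problems.

Added example, not code from the bug report or from Fedora/pam. It parses
`ps -eZ`-style listings and AVC denial records like those in the description
and flags user processes that stayed in the display manager's domain (xdm_t)
instead of transitioning to the expected user domain (unconfined_t).
"""
import re

DM_DOMAIN = "xdm_t"                    # domain the display manager (kdm) runs in
EXPECTED_USER_DOMAIN = "unconfined_t"  # domain a logged-in session should get

# Constructed sample modelled on the description's listing; one process per
# line as "context user pid ppid command" (commands chosen for illustration).
PS_SAMPLE = """\
system_u:system_r:system_dbusd_t dbus 2156 1 dbus-daemon --system
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2517 2489 kdm
system_u:system_r:xdm_t:SystemLow-SystemHigh root 2550 2517 -:0
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2566 2550 /bin/sh
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2720 1 start_kde
system_u:system_r:xdm_t:SystemLow-SystemHigh orion 2721 1 kdeinit
user_u:system_r:unconfined_t orion 3001 2566 /bin/sh
"""

# The two denial records from the description, each rejoined onto one line:
# a kernel AVC record (process transition) and a dbus user-space AVC record.
AVC_SAMPLE = [
    'audit(1171647763.891:112): avc:  denied  { transition } for  pid=3757 '
    'comm="rpm" name="bash" dev=hda8 ino=883051 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process',
    "audit(1171647730.099:111): user pid=2156 uid=81 auid=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for "
    "msgtype=signal interface=org.freedesktop.Hal.Device member=PropertyModified "
    "dest=org.freedesktop.DBus spid=2415 tpid=2728 "
    "scontext=system_u:system_r:hald_t:s0 "
    "tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus'",
    "Feb 16 10:06:59 cynosure kernel: unrelated message",  # constructed noise
]

# Matches both kernel and dbus AVC records: permission, then the contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def domain_of(context):
    """Return the type (domain) field of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(record):
    """Parse one AVC denial record; return None for non-AVC lines."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {
        "perm": m.group("perm"),
        "sdomain": domain_of(m.group("scontext")),
        "tdomain": domain_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def denials_involving(records, domain):
    """AVC denials where `domain` is the source or the target of the access."""
    out = []
    for rec in records:
        d = parse_avc(rec)
        if d and domain in (d["sdomain"], d["tdomain"]):
            out.append(d)
    return out


def parse_ps(line):
    """Parse 'context user pid ppid command'; return None for malformed lines."""
    fields = line.split(None, 4)
    if len(fields) < 5:
        return None
    context, user, pid, ppid, cmd = fields
    return {"domain": domain_of(context), "user": user,
            "pid": int(pid), "ppid": int(ppid), "cmd": cmd}


def stuck_user_processes(ps_lines, dm_domain=DM_DOMAIN):
    """Non-root processes still running in the display manager's domain.

    kdm itself (root) legitimately runs in xdm_t; a user's session shell and
    desktop components should not, because the policy does not let xdm_t
    perform the transitions a user session needs (e.g. into rpm_script_t).
    """
    return [(p["pid"], p["user"], p["cmd"])
            for p in map(parse_ps, ps_lines)
            if p and p["user"] != "root" and p["domain"] == dm_domain]


if __name__ == "__main__":
    for pid, user, cmd in stuck_user_processes(PS_SAMPLE.splitlines()):
        print("pid %d (%s) still in %s: %s" % (pid, user, DM_DOMAIN, cmd))
    for d in denials_involving(AVC_SAMPLE, DM_DOMAIN):
        print("denied %s: %s -> %s (%s)"
              % (d["perm"], d["sdomain"], d["tdomain"], d["tclass"]))
```

On a live system the same functions can be fed the output of `ps -eZ -o user,pid,ppid,args` (after dropping the header line) and the AVC records from the audit log; a non-empty result from `stuck_user_processes` is the condition Comment 1 describes, a session logged in as xdm_t instead of unconfined_t.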
Comment 1 Daniel Walsh 2007-02-16 15:45:31 EST
This looks like you had some bad transitions, i.e. you are logged in as xdm_t
instead of unconfined_t. I think you need pam_selinux.so added to the kdm pam file?
Comment 2 Orion Poplawski 2007-02-16 15:49:40 EST
Well, it used to work before I rebooted today (to get the new kernel) with the
new selinux-policy installed.

[root@cynosure pam.d]# cat kdm
#%PAM-1.0
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_selinux.so
session    optional    pam_console.so
Comment 3 Daniel Walsh 2007-02-16 16:07:24 EST
Any other error (avc) messages?
Comment 4 Orion Poplawski 2007-02-16 16:15:12 EST
Just variations on the send_msg one:

Feb 16 10:06:59 cynosure kernel: audit(1171645619.568:5): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=method_call interface=org.freedesktop.Hal.Manager
member=GetAllDevices dest=org.freedesktop.Hal spid=2728 tpid=2415
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:hald_t:s0 tclass=dbus
Feb 16 10:07:18 cynosure kernel: audit(1171645638.667:6): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server
member=GetAPIVersion dest=org.freedesktop.Avahi spid=2728 tpid=2403
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:avahi_t:s0 tclass=dbus
Feb 16 14:10:07 cynosure kernel: audit(1171660207.804:644): user pid=2156 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  {
send_msg } for msgtype=signal interface=org.freedesktop.Hal.Device
member=PropertyModified dest=org.freedesktop.DBus spid=2415 tpid=2728
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus

But they are all for dbus-system:

system_u:system_r:system_dbusd_t dbus     2156     1  0 10:05 ?        00:00:00
dbus-daemon --system
Comment 5 Tomas Hoger 2007-02-22 10:24:04 EST
With debug argument for pam_selinux:

Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo
SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo
security context to (null)

Is that "(null)" something that is expected to appear there?
Comment 6 Tomas Hoger 2007-02-22 10:36:16 EST
I tried to revert back to pam-0.99.6.2-3.9.fc6.i386 from
pam-0.99.6.2-3.15.fc6.i386 and it solves the problem for me.

Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo
security context to user_u:system_r:unconfined_t

Session is started with unconfined_t domain.  Looks like pam_selinux issue, not
policy issue.
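Comments 5 and 6 show the decisive evidence: with `debug` on the pam_selinux session line, the broken build logs that it set the user's security context to "(null)", while the working build logs a real context in unconfined_t. A "(null)" context means no context was set, so the session simply keeps the calling service's domain (xdm_t for kdm), which is exactly the process listing in the description. The checker below is an added example, not code from the bug report or from pam; its log excerpt is constructed from the lines quoted in Comments 5 and 6, and it treats the `:0[<pid>]` tag kdm logs as the identifier of one login attempt.

```python
"""Check pam_selinux session debug lines for a missing or unexpected context.

Added example, not code from the bug report or from pam. Each login with
`session optional pam_selinux.so debug` logs the SELinux user/level the
account mapped to and the context that was then set. "(null)" means no
context was set and the session stays in the caller's domain (xdm_t here).
"""
import re

EXPECTED_USER_DOMAIN = "unconfined_t"

# Constructed syslog excerpt modelled on Comments 5 and 6: one session from
# the broken pam build (context "(null)") and one from the working build.
LOG_SAMPLE = """\
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Open Session
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
Feb 22 16:11:32 localhost kdm: :0[3355]: pam_selinux(kdm:session): set foo security context to (null)
Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): Open Session
Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): Username= foo SELinux User = user_u Level= s0
Feb 22 16:26:57 localhost kdm: :0[4033]: pam_selinux(kdm:session): set foo security context to user_u:system_r:unconfined_t
"""

# "[<pid>]" identifies one login attempt; the message after the module tag is
# then matched against the two debug formats we care about.
LINE_RE = re.compile(r"\[(?P<pid>\d+)\]: pam_selinux\((?P<service>[^:]+):session\): (?P<msg>.*)$")
MAPPED_RE = re.compile(r"Username= (?P<user>\S+) SELinux User = (?P<seuser>\S+) Level= (?P<level>\S+)")
SET_RE = re.compile(r"set (?P<user>\S+) security context to (?P<ctx>\S+)")


def check_pam_selinux(lines, expected_domain=EXPECTED_USER_DOMAIN):
    """Return {pid: session record}; status is ok, no-context, unexpected-domain
    or incomplete (no 'set ... security context' line seen for that session)."""
    sessions = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, service, msg = int(m.group("pid")), m.group("service"), m.group("msg")
        s = sessions.setdefault(pid, {"service": service, "user": None, "seuser": None,
                                      "level": None, "context": None, "status": "incomplete"})
        mm = MAPPED_RE.match(msg)
        if mm:
            s.update(user=mm.group("user"), seuser=mm.group("seuser"), level=mm.group("level"))
            continue
        ms = SET_RE.match(msg)
        if not ms:
            continue
        ctx = ms.group("ctx")
        s["context"] = ctx
        parts = ctx.split(":")
        domain = parts[2] if len(parts) >= 3 else None
        if ctx == "(null)":
            s["status"] = "no-context"        # session inherits the caller's domain
        elif domain != expected_domain:
            s["status"] = "unexpected-domain"
        else:
            s["status"] = "ok"
    return sessions


def failed_sessions(sessions):
    """PIDs of sessions that did not end up in the expected user domain."""
    return sorted(pid for pid, s in sessions.items() if s["status"] != "ok")


if __name__ == "__main__":
    result = check_pam_selinux(LOG_SAMPLE.splitlines())
    for pid in sorted(result):
        s = result[pid]
        print("%s[%d] user=%s seuser=%s level=%s context=%s -> %s"
              % (s["service"], pid, s["user"], s["seuser"], s["level"], s["context"], s["status"]))
```

Run against the real syslog of a kdm host, any session reported as `no-context` is one that will show up as xdm_t in `ps -eZ`; after the pam update from Comment 8 the expected output for every login is `ok`.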
Comment 7 Daniel Walsh 2007-02-22 12:51:10 EST
*** Bug 229667 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Update System 2007-02-22 20:37:12 EST
pam-0.99.6.2-3.16.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.