Bug 360301 - selinux denials for pam_console_apply called from kdm
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-31 10:41 EDT by vikram goyal
Modified: 2013-01-09 23:29 EST (History)
Last Closed: 2007-11-05 15:46:07 EST
Description vikram goyal 2007-10-31 10:41:01 EDT
Description of problem:
pam-0.99.7.1-5.1.fc7

How reproducible:
Switching on kdm as login manager produced these avcs.

Additional info:
selinux-policy-targeted-2.6.4-48.fc7
selinux-policy-2.6.4-48.fc7
kdebase-3.5.7-13.1.fc7

Selinux Denials

type=AVC msg=audit(1193836357.135:35): avc:  denied  { append } for  pid=3915
comm="pam_console_app" path="/var/log/kdm.log" dev=dm-1 ino=753893
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=user_u:object_r:var_log_t:s0 tclass=file
Comment 1 Tomas Mraz 2007-10-31 11:46:33 EDT
I'm not really sure why kdm runs pam_console_apply with output redirected to
/var/log/kdm.log, but it's probably legitimate and it seems harmless to me to
allow that in the policy.
Comment 2 Jesse Keating 2007-10-31 13:44:49 EDT
Can you duplicate this on rawhide (F8) ?
Comment 3 Rex Dieter 2007-10-31 14:08:58 EDT
I can't reproduce on f8/rawhide
Comment 4 Daniel Walsh 2007-11-01 13:34:36 EDT
This is a mislabeled file; it should be labeled system_u:object_r:xserver_log_t

restorecon /var/log/kdm.log

Should fix.  There is policy that says dontaudit pam_console writing to
xserver_log_t.

So the question is how did the file get mislabeled?  

What context is kdm running under?

ps -eZ | grep kdm
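An added example, not from the bug report or from Fedora's tooling, that parses the AVC line from the description and applies the diagnosis above: when the file's actual type differs from the type it should carry, the remedy is relabeling the file, not a new allow rule. The expected-type table is an assumption taken from this comment (kdm.log should be xserver_log_t); on a live host, matchpathcon gives the authoritative answer.

```python
import re

# Constructed sample: the AVC denial from the bug description, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1193836357.135:35): avc:  denied  { append } for  pid=3915 '
    'comm="pam_console_app" path="/var/log/kdm.log" dev=dm-1 ino=753893 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
    'tcontext=user_u:object_r:var_log_t:s0 tclass=file'
)

# Assumption from the comment above: the correct type for kdm.log is xserver_log_t.
# On a real system, replace this table with the output of `matchpathcon <path>`.
EXPECTED_TYPES = {"/var/log/kdm.log": "xserver_log_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?path="(?P<path>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # A context is user:role:type[:range]; the type is the third field.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def diagnose(line, expected=EXPECTED_TYPES):
    """Classify a denial as a labeling problem (fix with restorecon) or a policy gap."""
    d = parse_avc(line)
    if d is None:
        return None
    want = expected.get(d["path"])
    if want and want != d["ttype"]:
        return {"verdict": "mislabeled", "have": d["ttype"], "want": want,
                "fix": f"restorecon -v {d['path']}"}
    # Label matches what policy expects, so the denial reflects a genuine policy gap.
    return {"verdict": "policy", "source": d["stype"], "target": d["ttype"],
            "perms": d["perms"], "tclass": d["tclass"]}


if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC))
```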
Comment 5 vikram goyal 2007-11-01 23:30:33 EDT
[root@holycow ~]# ps -eZ|grep kdm

system_u:system_r:xdm_t:SystemLow-SystemHigh 3276 ? 00:00:00 kdm
system_u:system_r:xdm_t:SystemLow-SystemHigh 3342 ? 00:00:00 kdm


[root@holycow ~]# ls -lZ /var/log/kdm.log
-rw-r--r--  root root user_u:object_r:var_log_t        /var/log/kdm.log
Comment 6 vikram goyal 2007-11-01 23:32:09 EDT
Forgot to paste

[root@holycow ~]# ls -lZ `which kdm`
-rwxr-xr-x  root root system_u:object_r:xdm_exec_t     /usr/bin/kdm

[root@holycow ~]# ls -lZ `which gdm`
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/sbin/gdm
Comment 7 Daniel Walsh 2007-11-02 09:33:14 EDT
If you do the restorecon /var/log/kdm.log

Does it fix the context?

If you logout and log back in, do you get avc?

How about after a reboot?
Comment 8 vikram goyal 2007-11-03 10:09:53 EDT
As you suggested, I reverted the whole thing back to how it was. Removed
/etc/sysconfig/desktop file and kdm.log also which at that time had become
xserver_log_t. I don't know how...

rebooted and wrote a fresh desktop file with KDE selected and rebooted again.
The kdm started instead of gdm. I checked kdm log which was:

[root@holycow ~]# ls -lZ /var/log/kdm.log
-rw-r--r--  root root system_u:object_r:xserver_log_t  /var/log/kdm.log

And there were no avcs. I had also updated to new selinux policies a day back.

selinux-policy-2.6.4-49.fc7
selinux-policy-targeted-2.6.4-49.fc7
Comment 9 Daniel Walsh 2007-11-05 15:46:07 EST
Ok reopen if it happens again.
