Bug 383571 - gdm has trouble with selinux or vice versa
gdm has trouble with selinux or vice versa
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gdm (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Ray Strode [halfline]
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-14 17:52 EST by Antonio A. Olivares
Modified: 2013-01-13 07:05 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-22 23:24:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Confirming error after several relabeling attempts (2.21 KB, text/plain)
2007-11-27 17:41 EST, Jim Cornette
no flags Details

  None (edit)
Description Antonio A. Olivares 2007-11-14 17:52:12 EST
Description of problem:
When booting computer, I get the message 
Id "x" respawning too fast: disabled for 5 minutes
I have to press any key, then login manually and type startx to get GNOME.  
gdm fails to initiate.  

Version-Release number of selected component (if applicable):
gdm-2.21.2-0.2007.11.09.1.fc9 ?? 

How reproducible:
Start machine up and one can see the messages.  


Steps to Reproduce:
1. Start computer 
2. Wait about 2 minutes maybe less
3. see the message on your screen Id "x" respawning too fast: disabled for 5 
minutes
  
Actual results:
Id "x" respawning too fast: disabled for 5 minutes
login manually

Expected results:
login correctly to X as it was configured to login automatically.  


Additional info:
Applying what setroubleshoot recommends does nothing to cure problem.  ./touch 
autorelabel does not help either.  

bug in gdm something with getattr /bin/* 

Summary
    SELinux is preventing gdm (xdm_t) "getattr" to
/bin/rpm (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not
expected that this access
    is required by gdm and this access may signal an
intrusion attempt. It is
    also possible that the specific version or
configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux
denials.  You could try to
    restore the default system file context for
/bin/rpm, restorecon -v /bin/rpm
    If this does not work, there is currently no
automatic way to allow this
    access. Instead,  you can generate a local policy
module to allow this
    access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you
    can disable SELinux protection altogether.
Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.

Additional Information        

Source Context              
system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context              
system_u:object_r:rpm_exec_t
Target Objects                /bin/rpm [ file ]
Affected RPM Packages        rpm-4.4.2.2-7.fc9
[target]
Policy RPM                  
selinux-policy-3.0.8-44.fc8
Selinux Enabled              True
Policy Type                  targeted
MLS Enabled                  True
Enforcing Mode                Enforcing
Plugin Name                  plugins.catchall_file
Host Name                    localhost
Platform                      Linux localhost
2.6.23.1-42.fc8 #1 SMP Tue Oct 30
                              13:55:12 EDT 2007 i686
athlon
Alert Count                  4401
First Seen                    Sun 11 Nov 2007 09:11:06
AM CST
Last Seen                    Mon 12 Nov 2007 06:09:42
PM CST
Local ID                    
e1676a84-c6d0-45b8-97d7-c7cae2d755c1
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=gdm dev=dm-0 egid=0
euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm
pid=4958
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0
tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none)
uid=0
Comment 1 Ray Strode [halfline] 2007-11-14 22:07:05 EST
Apparently gdm is running some shell that does 

if [ -x /bin/rpm ]; then ...

or similiar.  Since it's happening at start up, I'm guessing it's happening from
this line:

test -f /etc/profile && . /etc/profile

in /usr/sbin/gdm

Do you post the output of 

ls -l /etc/profile.d 

?

Also, can you post the output of 

grep rpm /etc/profile.d/*

?
Comment 2 Antonio A. Olivares 2007-11-15 08:37:43 EST
[olivares@localhost ~]$ ls -l /etc/profile.d
total 216
-rw-r--r-- 1 root root  764 2007-02-26 07:04 colorls.csh
-rw-r--r-- 1 root root  713 2007-02-26 07:04 colorls.sh
-rw-r--r-- 1 root root   80 2007-09-18 04:12 cvs.csh
-rw-r--r-- 1 root root   78 2007-09-18 04:12 cvs.sh
-rw-r--r-- 1 root root  192 2004-09-09 00:17 glib2.csh
-rw-r--r-- 1 root root  192 2005-12-11 23:58 glib2.sh
-rwxr-xr-x 1 root root  629 2007-09-21 09:22 kde4.csh
-rwxr-xr-x 1 root root  627 2007-09-21 09:22 kde4.sh
-rwxr-xr-x 1 root root  548 2007-09-20 09:37 kde.csh
-rwxr-xr-x 1 root root  428 2007-09-20 09:37 kde.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-devel.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-devel.sh
-rw-r--r-- 1 root root  218 2004-09-09 02:12 krb5-workstation.csh
-rw-r--r-- 1 root root  229 2006-01-19 12:05 krb5-workstation.sh
-rwxr-xr-x 1 root root   77 2007-09-12 04:23 ktechlab.sh
-rwxr-xr-x 1 root root 3006 2007-10-09 16:06 lang.csh
-rwxr-xr-x 1 root root 3329 2007-10-09 16:06 lang.sh
-rw-r--r-- 1 root root  122 2007-02-07 06:55 less.csh
-rw-r--r-- 1 root root  108 2007-02-07 06:55 less.sh
-rwxr-xr-x 1 root root  304 2007-11-08 10:26 qt.csh
-rwxr-xr-x 1 root root  312 2007-11-08 10:26 qt.sh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.csh
-rw-r--r-- 1 root root   83 2007-11-12 13:32 SDL_pulseaudio_hack.sh
-rw-r--r-- 1 root root   74 2007-10-04 09:58 vim.csh
-rw-r--r-- 1 root root  248 2007-10-04 09:58 vim.sh
-rw-r--r-- 1 root root  162 2007-04-23 08:04 which-2.csh
-rw-r--r-- 1 root root  170 2004-09-09 09:18 which-2.sh
[olivares@localhost ~]$ 

[olivares@localhost ~]$ grep rpm /etc/profile.d/*
/etc/profile.d/kde4.csh:  set KDE4_LIBDIR = 
`/bin/rpm --eval %\{\?_kde4_libdir\}%\{\!\?_kde4_libdir:%\{_libdir\}\}`
/etc/profile.d/kde4.sh:  
KDE4_LIBDIR=`/bin/rpm --eval '%{?_kde4_libdir}%{!?_kde4_libdir:%{_libdir}}' 
2>/dev/null`
[olivares@localhost ~]$ 

Comment 3 Daniel Walsh 2007-11-15 15:46:17 EST
One problem I see in policy is that we are labeling /usr/sbin/gdm as gdm_exec_t
which we should not do.  We should only label the executable.  Some of these
problems might go away with that change.

You can test this theory by executing

chcon -t bin_t /usr/sbin/gdm

Comment 4 Jim Cornette 2007-11-21 20:31:32 EST
I was able to get some of gdm to come up when changing enforcing to permissive.
Summary
    SELinux is preventing /usr/libexec/gdm-simple-greeter (xdm_t) "getattr" to
    <Unknown> (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gdm-simple-greeter. It is
    not expected that this access is required by /usr/libexec/gdm-simple-greeter
    and this access may signal an intrusion attempt. It is also possible that
    the specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:inotifyfs_t
Target Objects                None [ dir ]
Affected RPM Packages         gdm-2.21.2-0.2007.11.20.2.fc9 [application]
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   2
First Seen                    Wed 21 Nov 2007 06:17:22 PM EST
Last Seen                     Wed 21 Nov 2007 08:18:41 PM EST
Local ID                      96b53fff-c2a6-421a-82dc-e4142c86d9d5

simple-greeter error:
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=gdm-simple-gree dev=inotifyfs egid=42 euid=42
exe=/usr/libexec/gdm-simple-greeter exit=0 fsgid=42 fsuid=42 gid=42 items=0
path=inotify pid=3527 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=42
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=42 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=42

Comment 5 Jim Cornette 2007-11-21 20:33:20 EST
Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-53.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   122
First Seen                    Fri 16 Nov 2007 09:52:45 PM EST
Last Seen                     Wed 21 Nov 2007 08:07:37 PM EST
Local ID                      030edbeb-8cef-4810-872c-1ee1860d64f6
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=gdm dev=sda6 egid=0 euid=0 exe=/bin/bash
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=rpm pid=2745
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0

Comment 6 Jim Cornette 2007-11-21 20:36:49 EST
What I am seeing is a small GUI in the center for the simple browser. The text
is fairly large. There is no shutdown available from X when it starts. The small
rendition of the browser allows login name and comes up with a password.
Comment 7 Jim Cornette 2007-11-21 20:40:54 EST
What I posted on the test list before entering information.
>>>
>> If I boot with enforcing=0 I can get gdm to load successfully. The 
>> problem with it once loaded is that the screen is small square in the 
>> center of the screen.
>> I have no xorg.conf so that might be why the login for gdm is so messed
>  
>> up. At least I can shut down now.
>> I then set SELinux back to enforcing. There are no browser popups for 
>> SELinux and gdm. I expected something since gdm is killed with SELinux 
>> in enforcing.
>>
>> -- 
Comment 8 Jim Cornette 2007-11-21 21:20:22 EST
No difference in enforcing after running chcon -t bin_t /usr/sbin/gdm
and changing from runlevel 3, setting selinux to enforcing and then changing to
runlevel 5 again.
Comment 9 Felix Bellaby 2007-11-22 20:35:31 EST
You need to change the context on /etc/X11/prefdm as well to get X going:

chcon -t bin_t /etc/X11/prefdm /usr/sbin/gdm

/sbin/prefdm will then bring up the desktop from the console, but telinit 5 will
only get as far as starting the X server.

It appears that gdm fails to acquire the system_dbusd_t service.

Then the transition to system_dbusd_exec_t fails when launching the dbus-daemon.

Then the transition to gconf_exec_t fails when the gconfd-2 is launched.

Further problems might follow.
Comment 10 Felix Bellaby 2007-11-22 22:04:55 EST
In fact the change in context should be restricted to /etc/X11/prefdm.
/usr/sbin/gdm should be left as is so that it uses the system dbus daemon. 

chcon -t bin_t /etc/X11/prefdm

The xdm_t context still needs some additional abilities to enable it to talk to
the dbus daemon:

allow xdm_t system_dbusd_t:dbus acquire_svc;
allow xdm_t self:dbus send_msg;

After these changes gdm can get started.

However, there are still problems launching the gconfd-2 daemon that prevent
gdm-settings-daemon and gtk-window-decorator from getting going.
Comment 11 Jim Cornette 2007-11-22 22:21:04 EST
Unless I go into permissive mode I still see the problems. I relabeled my
filesystem and ran chcon -t bin_t /etc/X11/prefdm and still had the respawning
error. With SELInux in permissive mode I could get the crippled browser. If I
set selinux to enforcing before pressing enter for the password, all I get is X
with no GNOME desktop. I have errors for xorg-x11-server-Xorg and also
ConsoleKit to address those problems.
I am also running kernel-2.6.23.1-49.fc8 since the console hangs at udev for
even the latest kernel-2.6.24-0.41.rc3.git1.fc9 on the system.
I see messages related to DBUS, rpm, SELinux policy also in the troubleshooter
browser. kdm works but is not my choice in login managers with SELinux in
enforcing. 
Comment 12 Antonio A. Olivares 2007-11-27 08:45:10 EST
Alert count has increased dramatically.  I turned off setroubleshoot service,
with chkconfig.  Upon bootup, it started again automatically warning me again. 
The alert count on this has increased dramatically and it is bothering me while
I can ignore it, it comes back.  

Alert Count                   10480

Summary
    SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).

Detailed Description
    SELinux denied access requested by gdm. It is not expected that this access
    is required by gdm and this access may signal an intrusion attempt. It is
    also possible that the specific version or configuration of the application
    is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_exec_t
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.42.rc3.git1.fc9 #1 SMP
                              Sat Nov 24 05:51:18 EST 2007 i686 athlon
Alert Count                   10480
First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
Last Seen                     Tue 27 Nov 2007 07:38:16 AM CST
Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=10023
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
tcontext=system_u:object_r:rpm_exec_t:s0

Comment 13 Jim Cornette 2007-11-27 17:41:21 EST
Created attachment 270461 [details]
Confirming error after several relabeling attempts

I can confirm that this error is still present with the current state of gdm.
See attached report from the troubleshooter browser.
Comment 14 Jim Cornette 2007-12-22 00:01:43 EST
The error is no longer being logged as with selinux-policy-3.2.5-3.fc9. Leaving
the bug ticket since no longer causing problems on my system.

Note You need to log in before you can comment on or make changes to this bug.