Bug 388431 - xdm doesn't work with SELinux
xdm doesn't work with SELinux
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-xdm (Show other bugs)
10
All Linux
low Severity urgent
: ---
: ---
Assigned To: Matěj Cepl
Fedora Extras Quality Assurance
: Patch
: 455584 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-17 11:33 EST by martin
Modified: 2013-01-09 23:30 EST (History)
9 users (show)

See Also:
Fixed In Version: 1.1.6-7.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-16 18:24:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
messages copied from the setroubleshootbrowser (8.10 KB, text/plain)
2007-11-17 11:33 EST, martin
no flags Details
suggested patch against CVS devel repo (1.34 KB, patch)
2008-10-29 07:44 EDT, Matěj Cepl
no flags Details | Diff
patch adding XDMXAUTHDIR variable (3.84 KB, patch)
2009-01-26 13:20 EST, Matěj Cepl
no flags Details | Diff

  None (edit)
Description martin 2007-11-17 11:33:13 EST
Description of problem:
If i want to use xdm i have to disable SELinux (no good idea :-(  )

Version-Release number of selected component (if applicable):
selinux-policy-targeted (Version: 3.0.8 Release: 53.fc8)

How reproducible:
Always

Steps to Reproduce:
1. Push the Power Button
2. Wait until xdm Login screen appears
3. Type in Name and Password and press ENTER
  
Actual results:
Login Screen appears again

Expected results:
start of xfce4 

Additional info:
When I start xdm from root konsole it works
With setenforce 0 it works also
Comment 1 martin 2007-11-17 11:33:13 EST
Created attachment 262301 [details]
messages copied from the setroubleshootbrowser
Comment 2 Daniel Walsh 2007-11-19 10:38:10 EST
Could you verify that your system labeling is correct.

touch /.autorelabel; reboot

This looks like some kind of labeling problem.
Comment 3 martin 2007-11-19 12:40:20 EST
Sorry. This didn't help. It's still the same.

I suppose, you can reproduce the problem yourself.
Just install xorg-x11-xdm, change the 1st line of /etc/sysconfig/desktop
to DISPLAYMANAGER="XDM" and adore the problem :-)
Comment 4 Daniel Walsh 2007-11-19 13:37:48 EST
Ok I misread the message.  The problem is that /etc/pam.d/xdm does not have
pam_selinux in it.  It should look something like /etc/pam.d/gdm

#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
Comment 5 Jesse Keating 2008-04-03 17:46:14 EDT
So uh, this is from late 2007, is this fixed yet?
Comment 6 martin 2008-04-04 12:09:24 EDT
Sorry. I deleted F8 from the partition, because i couldn't use it with the bug
and it seemed the nobody will fix it :-(  So could please somebody else test if
it works now ?! The bug should be reproducible for everybody...

Hopefully F9 is usable for me :-)
Comment 7 Miroslav Lichvar 2008-04-07 04:55:16 EDT
This is still not fixed.
Comment 8 Matěj Cepl 2008-06-12 09:30:24 EDT
Setting NEEDINFO for developer is one of the most secure ways how to make bug lost.
Comment 9 Matěj Cepl 2008-07-17 08:03:44 EDT
*** Bug 455584 has been marked as a duplicate of this bug. ***
Comment 10 Jan "Yenya" Kasprzak 2008-10-28 17:50:13 EDT
Please change the Distribution field of this bug to "Fedora 9" so that it does not get lost when F8 is EOL'd.

I have verified that on a freshly installed and updated F9/x86_64 system, xdm runs the user session under the system_u:system_r:xdm_t context, making the default GNOME session fail. With "setenforce 0" it works, but spits out lots of AVCs.

I am stuck with xdm, because gdm is still unusable in F9: for example, there is no way to handle a multi-seat desktop in gdm (at least since two weeks ago there has been a gdm version which can actually do XDMCP :-| ).
Comment 11 Matěj Cepl 2008-10-29 07:44:09 EDT
Created attachment 321791 [details]
suggested patch against CVS devel repo
Comment 12 Søren Sandmann Pedersen 2008-10-30 14:19:22 EDT
I just updated the xdm pam.d file in rawhide.

Jan, if you can verify that just

      cp /etc/pam.d/gdm  /etc/pam.d/xdm

makes it work in F9, I'll update it.
Comment 13 Jan "Yenya" Kasprzak 2008-10-31 05:53:30 EDT
Re: comment #12

I have tried it and it did not work. I have to create a config file as in
comment #11 (Matej's patch), i.e. to add a following line after the pam_selinux_permit.so line in the "auth" section:

auth       required    pam_succeed_if.so user != root quiet

With this one line difference against /etc/pam.d/gdm, I am now able to log in using xdm on both heads/seats.

HOWEVER: there is still some problem with setting file permissions - the usual device files (/dev/snd/*, /dev/video*, /dev/sr0, etc.) do not get a new ACL entry allowing the logged-in user to access them. Moreover, even when I chmod a+rw /dev/sr0, the permissions are reset back to root:disk 0660 as soon as the new media is inserted to the drive, making the DVD drive unusable for the logged in user.

So probably there is still a problem with XDM versus ConsoleKit/PolicyKit/HAL.
Should I open a new bug for it or will we continue in this one?
Comment 14 Matěj Cepl 2008-10-31 09:03:16 EDT
(In reply to comment #13)
> HOWEVER: there is still some problem with setting file permissions - the usual
> device files (/dev/snd/*, /dev/video*, /dev/sr0, etc.) do not get a new ACL

This has nothing to do with this bug (because these things are done by SELinux), and it is perfect duplicate of bug 237621.
Comment 15 Tomas Mraz 2008-10-31 09:11:15 EDT
(In reply to comment #13)
> Re: comment #12
> 
> I have tried it and it did not work. I have to create a config file as in
> comment #11 (Matej's patch), i.e. to add a following line after the
> pam_selinux_permit.so line in the "auth" section:
> 
> auth       required    pam_succeed_if.so user != root quiet
> 
> With this one line difference against /etc/pam.d/gdm, I am now able to log in
> using xdm on both heads/seats.

But this line should just disable root login in xdm and it should not affect the rest of the pam stack.

Perhaps you have something broken in /etc/pam.d/system-auth?
Comment 16 Bug Zapper 2008-11-25 21:03:27 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 17 Vitaly Mayatskikh 2009-01-24 05:35:25 EST
xdm tries to create X auth files in /etc/X11/xdm by default. This is wrong, and SELinux will prevent xdm to do wrong thing. Right place for these stuff is /var/lib/xdm. This patch helped me to run both xdm and selinux. Also package xorg-x11-xdm needs to create this dir during package install.

--- /etc/X11/xdm/xdm-config.orig        2009-01-22 21:12:06.000000000 +0100
+++ /etc/X11/xdm/xdm-config     2009-01-22 21:11:53.000000000 +0100
@@ -11,6 +11,7 @@
 
 
 
+DisplayManager.authDir:                /var/lib/xdm
 DisplayManager.errorLogFile:   /var/log/xdm.log
 DisplayManager.pidFile:                /var/run/xdm.pid
 DisplayManager.keyFile:                /etc/X11/xdm/xdm-keys
Comment 18 Matěj Cepl 2009-01-26 13:20:01 EST
Created attachment 330015 [details]
patch adding XDMXAUTHDIR variable 

Proposed fixing xdm-config.
Testing scratch builds are at
http://koji.fedoraproject.org/scratch/mcepl/task_1083646/ (for Rawhide)
and
http://koji.fedoraproject.org/scratch/mcepl/task_1083651/ (for Fedora 10)

Please test and let me know, whether it works.
Comment 20 Vitaly Mayatskikh 2009-01-26 13:54:09 EST
Works for me on F10/x86-64.
Comment 21 Adam Tkac 2009-01-27 06:41:44 EST
Rawhide package works fine as well.
Comment 22 Fedora Update System 2009-03-14 19:13:05 EDT
xorg-x11-xdm-1.1.6-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xorg-x11-xdm-1.1.6-7.fc10
Comment 23 Fedora Update System 2009-03-16 15:36:44 EDT
xorg-x11-xdm-1.1.6-7.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xorg-x11-xdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2695
Comment 24 Fedora Update System 2009-05-06 19:24:00 EDT
xorg-x11-xdm-1.1.6-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.