Bug 396271 - SELinux is preventing /bin/dbus-daemon (xdm_t) "bind" to (xdm_t).
SELinux is preventing /bin/dbus-daemon (xdm_t) "bind" to (xdm_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-22 22:44 EST by Jim Cornette
Modified: 2007-12-01 22:38 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-01 22:38:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jim Cornette 2007-11-22 22:44:39 EST
Description of problem:
even after a system relabel, error persists

Version-Release number of selected component (if applicable):
dbus-1.1.2-9.fc9 [application]
kernel-2.6.23.1-49.fc8

How reproducible:
relabel filesystem, boot into runlevel 5 with crashing gdm

Steps to Reproduce:
Summary
    SELinux is preventing /bin/dbus-daemon (xdm_t) "bind" to <Unknown> (xdm_t).

Detailed Description
    SELinux denied access requested by /bin/dbus-daemon. It is not expected that
    this access is required by /bin/dbus-daemon and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Objects                None [ netlink_selinux_socket ]
Affected RPM Packages         dbus-1.1.2-9.fc9 [application]
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 22 Nov 2007 10:02:16 PM EST
Last Seen                     Thu 22 Nov 2007 10:02:16 PM EST
Local ID                      5b078aa0-e0ce-4ed1-97bd-326c36b26653
Line Numbers                  

Raw Audit Messages            

avc: denied { bind } for comm=dbus-daemon egid=42 euid=42 exe=/bin/dbus-daemon
exit=0 fsgid=42 fsuid=42 gid=42 items=0 pid=3158
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=42
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=42
tclass=netlink_selinux_socket tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tty=(none) uid=42
Comment 1 Jim Cornette 2007-11-22 22:47:13 EST
Also dbus-daemon error.
Summary
    SELinux is preventing dbus-daemon (xdm_t) "read" to <Unknown> (xdm_t).

Detailed Description
    SELinux denied access requested by dbus-daemon. It is not expected that this
    access is required by dbus-daemon and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Objects                None [ netlink_selinux_socket ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-44.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     HP-JCF7
Platform                      Linux HP-JCF7 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 22 Nov 2007 10:02:16 PM EST
Last Seen                     Thu 22 Nov 2007 10:02:16 PM EST
Local ID                      c42e506e-ece6-4d1b-8fb0-adae6be08744
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=dbus-daemon pid=3159
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023

Comment 2 David Zeuthen 2007-11-26 13:54:45 EST
Wrong component.
Comment 3 Daniel Walsh 2007-11-26 22:36:36 EST
Ray is this something new?  xdm starting dbus-daemon, or is this a labeling
problem and the xdm is not transitioning to the user context.

Jim does your labeling look ok?

fixfiles restore

Comment 4 Jim Cornette 2007-11-27 17:28:24 EST
The system was relabeled twice. The first relabel was done with fixfiles relabel
with SELinux in permissive mode. The second relabeling was done with touch
/.autorelabel.

I am running fixfiles restore from a gnome-terminal which is putting a series of
astericks in a line.

The computer will not launch gdm with SELInux in enforcing. GDM is pretty much
in an ill state even when it launches in permissive. 
This error does not happen if running in enforcing in runlevel 3 and using
startx. The error only seems to be present when launching X through gdm in
permissive.
Comment 5 Jim Cornette 2007-11-27 18:04:37 EST
fixfiles restore had an output of "Read error on pipe" among the tail end of the
process. The cursor was offset by the additional * which followed as shown below:

fixfiles restore
*******************************************************************************
********************************************************************************
********************************************************************************
*************************************************Read error on pipe.
*********[root@localhost
Comment 6 Ray Strode [halfline] 2007-11-29 10:45:45 EST
gdm runs its own dbus-daemon now in rawhide (separate from the user's session
dbus-daemon)
Comment 7 Daniel Walsh 2007-12-01 08:33:08 EST
Fixed in selinux-policy-3.2.1-1.fc9
Comment 8 Jim Cornette 2007-12-01 22:38:36 EST
Confirmed errors no longer present when in runlevel 3 with SELinux in enforcing.
Thanks! Closing bug as resolved.

Note You need to log in before you can comment on or make changes to this bug.