Bug 415261 - system-config-selinux doesn't have anything to configure
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Josef Kubin
Ben Levenson
Reported: 2007-12-07 01:39 EST by Greg Martyn
Modified: 2008-01-08 17:44 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-08 17:44:12 EST
Description Greg Martyn 2007-12-07 01:39:34 EST
Description of problem:
I installed from the KDE live CD. Had to set selinux to permissive mode to get it to
work. I'd like to turn it to enforcing, but X doesn't start when I do. Also,
when I run system-config-selinux, there are no booleans to configure.

Version-Release number of selected component (if applicable):
Name   : selinux-policy-targeted
Arch   : noarch
Version: 3.0.8
Release: 62.fc8

How reproducible:
Always. Reinstalled twice, same problem.

Steps to Reproduce:
1. Install from Fedora 8 KDE live CD with selinux enforce=0
2. Once the system is running, set enforce=1
3. Restart X
  
Actual results:
Dropped to a terminal. System-config-display can't even start X.

Expected results:
X starts

Additional info:
Comment 1 Daniel Walsh 2007-12-10 11:29:44 EST
Are you seeing avc messages?  Did you build this on your own or get it from
somewhere?

I just built the 8 kde iso and it works fine for me?
Comment 2 Daniel Walsh 2007-12-10 11:30:13 EST
Could this be a problem with nvidia card requiring execstack?
Comment 3 Greg Martyn 2007-12-10 11:57:07 EST
I tried the nvidia, nv and vesa drivers. None work. Selinux worked with fc7.

I got it from:
http://torrent.fedoraproject.org/torrents/Fedora-8-Live-KDE-x86_64.torrent

Before I was saying that X doesn't start because I was looking for the kdm
screen.  Steps:

While in a working X session:
echo "1" > /selinux/enforce
Alt+Ctrl+Backspace
Terminal login screen

While in a working X session:
echo "0" > /selinux/enforce
Alt+Ctrl+Backspace
KDM login screen

If I run startx as root, X starts, but it only shows a black and white woven
pattern with a black X outlined in white as the cursor. Nothing more happens.
Comment 4 Greg Martyn 2007-12-10 11:57:55 EST
I do get avc messages while running in permissive mode.
Comment 5 Daniel Walsh 2007-12-12 10:55:10 EST
Please attach.

I talked to the developer and he has also tested these.
Comment 6 Greg Martyn 2007-12-12 12:31:25 EST
from /var/log/messages
Dec 12 12:21:38 localhost kdm[3939]: X server died during startup
Dec 12 12:21:38 localhost kdm[3939]: X server for display :0 can't be started,
session disabled

From /var/log/setroubleshoot/setroubleshootd.log
2007-12-11 00:10:35,232 [email.WARNING] cannot open file
/var/lib/setroubleshoot/email_alert_recipients, No such file or directory
2007-12-11 01:48:40,473 [program.ERROR] Can not handle AVC'S related to
dispatcher. exiting
setroubleshoot context=system_u:system_r:setroubleshootd_t:s0, AVC
scontext=system_u:system_r:setroubleshootd_t:s0

From /var/log/audit/audit.log
type=MAC_STATUS msg=audit(1197480095.254:740): enforcing=1 old_enforcing=0 auid=662
type=SYSCALL msg=audit(1197480095.254:740): arch=c000003e syscall=1 success=yes
exit=2 a0=1 a1=2aaaaf747000 a2=2 a3=65 items=0 ppid=23533 pid=23540 auid=662
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash"
exe="/bin/bash" subj=unconfined_u:system_r:unconfined_t:s0 key=(null)
type=USER_AVC msg=audit(1197480095.262:741): user pid=3104 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received
setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?,
terminal=?)'
type=AVC msg=audit(1197480097.308:742): avc:  denied  { search } for  pid=3981
comm="X" name=".X11-unix" dev=md0 ino=344094
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1197480097.308:742): arch=c000003e syscall=87 success=no
exit=-13 a0=9dddd2 a1=9ddc70 a2=2aa7860 a3=1 items=0 ppid=3939 pid=3981
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7
comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1197480097.501:743): avc:  denied  { getattr } for  pid=23576
comm="X" path="/tmp/.X11-unix" dev=md0 ino=344094
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1197480097.501:743): arch=c000003e syscall=6 success=no
exit=-13 a0=58dc45 a1=7fff8294f750 a2=7fff8294f750 a3=3266b529f0 items=0
ppid=3939 pid=23576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1197480097.501:744): avc:  denied  { getattr } for  pid=23576
comm="X" path="/tmp/.X11-unix" dev=md0 ino=344094
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1197480097.501:744): arch=c000003e syscall=6 success=no
exit=-13 a0=58dc45 a1=7fff8294f750 a2=7fff8294f750 a3=3266b529f0 items=0
ppid=3939 pid=23576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="X" exe="/usr/bin/Xorg"
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 key=(null)
Comment 7 Daniel Walsh 2007-12-13 15:51:11 EST
This is strange. Looks like the .X11-unix socket domain got started by
something from initrc_t. It should have been labeled xdm_xserver_tmp_t.

When you boot up in permissive mode, what process is running as initrc_t?

ps -eZ |grep initrc_t

The real strange thing is this works fine on my test machine.
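
An added example, not part of the original bug thread: a small Python parser that re-joins the wrapped AVC records from Comment 6, groups the denials by source type, target type and class, and flags objects whose label differs from the one Comment 7 says they should carry. The function names and the EXPECTED mapping are assumptions made for this example.

```python
import re
from collections import defaultdict

# Records excerpted from Comment 6, hard-wrapped as they appear in the report.
SAMPLE = """\
type=AVC msg=audit(1197480097.308:742): avc:  denied  { search } for  pid=3981
comm="X" name=".X11-unix" dev=md0 ino=344094
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1197480097.308:742): arch=c000003e syscall=87 success=no
type=AVC msg=audit(1197480097.501:743): avc:  denied  { getattr } for  pid=23576
comm="X" path="/tmp/.X11-unix" dev=md0 ino=344094
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
"""
# Expected label per Comment 7 (assumption: keyed by the object's base name).
EXPECTED = {".X11-unix": "xdm_xserver_tmp_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def records(text):
    """Re-join wrapped lines: every audit record starts with 'type='."""
    chunks = re.split(r"\n(?=type=)", text.strip())
    return [" ".join(chunk.split()) for chunk in chunks]

def summarize(text):
    """Map (source type, target type, class, object) -> denied permissions."""
    out = defaultdict(set)
    for rec in records(text):
        m = AVC_RE.search(rec)
        if not rec.startswith("type=AVC") or not m:
            continue  # skip SYSCALL, USER_AVC and other record types
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
        obj = (f.get("name") or f.get("path", "")).rsplit("/", 1)[-1]
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
               f["tclass"], obj)
        out[key].update(m.group(1).split())
    return dict(out)

def mislabeled(summary, expected=EXPECTED):
    """Return (object, actual type, expected type) for label mismatches."""
    return sorted({(o, t, expected[o]) for (_, t, _, o) in summary
                   if o in expected and t != expected[o]})

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(mislabeled(summarize(SAMPLE)))
```
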
Comment 8 Greg Martyn 2007-12-13 16:50:44 EST
I'm pretty sure I can reproduce this -- I had trouble with selinux even after
reinstalling f8 twice.

After my last post, I did a restorecon on /tmp/.X11-unix hoping to fix things
but the situation is the same. Unfortunately I don't know what the previous
label was.

Another thing I should mention is that my root partition is part of a soft raid
1 mirror. ext3 file system.

root@localhost ~> ll -Z /tmp/.X11-unix
srwxrwxrwx  root root system_u:object_r:initrc_tmp_t:s0 X0=

ps -eZ |grep initrc_t
system_u:system_r:initrc_t:s0    3372 ?        00:00:00 mysqld_safe
system_u:system_r:initrc_t:s0    3604 ?        00:00:00 nasd
system_u:system_r:initrc_t:s0    3739 ?        00:00:06 lisa

I'll check the md5sum of the install cd in a minute..
Comment 9 Greg Martyn 2007-12-13 17:42:42 EST
it passed the media check
Comment 10 Greg Martyn 2007-12-16 16:23:59 EST
also:

root@localhost ~> setsebool -P samba_enable_home_dirs=1
libsemanage.semanage_link_sandbox: Could not access sandbox base file
/etc/selinux/targeted/modules/tmp/base.pp. No such file or directory.
Could not change policy booleans
Comment 11 Daniel Walsh 2007-12-18 11:31:10 EST
I misread this bugzilla from the beginning.  You say you installed from the kde
disk and the SELinux is failing.  I will take a look at this tomorrow.  This
might be a problem with the livecd installer.

Comment 12 Daniel Walsh 2008-01-03 11:06:23 EST
Josef can you try to duplicate this?
Comment 13 Josef Kubin 2008-01-08 17:44:12 EST
I've tried to reproduce this in a VMware environment and it works without the
described problem.
After installation I ran `yum -y update`, of course, and rebooted several times
(including `touch /.autorelabel; reboot`), logged in and out, ran `echo "1" >
/selinux/enforce`, `echo "0" > /selinux/enforce`, ...
I would like to reproduce the mentioned behaviour, but no luck.

# rpm -q selinux-policy
selinux-policy-3.0.8.72.fc8

If you are able to reliably reproduce your problem - ideally in vmware -
please reopen the bug and describe your steps closely.
Thank you!
