Bug 422891 - SELinux is preventing Xorg (xdm_xserver_t) "sys_ptrace" to (xdm_xserver_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2007-12-12 23:43 EST by Jim Cornette
Modified: 2007-12-21 23:49 EST
Last Closed: 2007-12-21 23:49:59 EST

Attachments
Forgot the attachment for error output. (1.95 KB, text/plain)
2007-12-12 23:44 EST, Jim Cornette
SELinux Alert (2.13 KB, text/plain)
2007-12-15 13:53 EST, Tom "spot" Callaway

Description Jim Cornette 2007-12-12 23:43:05 EST
Description of problem:
X will not start in enforcing mode. gnome-settings-daemon crashes even in permissive

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg -

How reproducible:

Steps to Reproduce:
1. boot with enforcing=0
2. load gnome
3. notice gnome-settings-daemon crashed due to SELinux permissions.
Actual results:
Error message in popup for g-s-daemon

Expected results:
Normal functioning in enforcing.

Additional info:
I had to start the troubleshooter browser with the -S option. The -b option did
not load the browser
Comment 1 Jim Cornette 2007-12-12 23:44:31 EST
Created attachment 286561
Forgot the attachment for error output.
Comment 2 Daniel Walsh 2007-12-13 11:13:16 EST
Fixed in selinux-policy-3.2.3-2
Comment 3 Tom "spot" Callaway 2007-12-15 13:50:45 EST
selinux-policy-3.2.3-2.fc9 doesn't fix this, even with a filesystem relabel.
Comment 4 Tom "spot" Callaway 2007-12-15 13:53:57 EST
Created attachment 289702
SELinux Alert
Comment 5 Daniel Walsh 2007-12-17 17:37:55 EST
This avc is being generated due to a leaked file descriptor in gdm.  It has
already been reported and should not affect the login process.
Comment 6 Jim Cornette 2007-12-17 23:50:46 EST
It still fails in enforcing from spawning. I still see the original error. What
action can be taken to fix the leaked file descriptor?
Comment 7 Daniel Walsh 2007-12-18 09:41:09 EST
Are you saying that you still can log in, in enforcing mode?  This is probably
fixed in selinux-policy-3.2.4-3.fc9

The gdm avc needs to be fixed in GDM. There is an open bug report.
Comment 8 Jim Cornette 2007-12-18 17:37:04 EST
No, I have to be in permissive. GDM fails to spawn in enforcing.
I'll wait for the fix for the gdm problem. Thanks!
Comment 9 Daniel Walsh 2007-12-19 12:07:42 EST
When you login what context are you getting?  

Updated policy has changed the default user to unconfined_u

You can do this on your machine by executing

# semanage login -m -s unconfined_u __default__
# semanage login -m -s unconfined_u root

Comment 10 Jim Cornette 2007-12-19 23:39:36 EST
Running those two commands did not make a difference for me. Currently SELinux
is even preventing me from logging in, performing commands like setenforce
without getting a setenforce () or something similar.
I relabeled the system, ran the commands followed by a reboot. No help. 
Comment 11 Daniel Walsh 2007-12-20 16:28:52 EST
Ok this is the hal breakage.

Hal is reading a file from Policy Kit places in a bad directory.  A patch has
been sent to the hal/policykit maintainer to fix the location. And as of
tonight selinux-policy-3.2.5-3.fc9  will allow hal to read from the bad
location.  Hopefully PolicyKit will fix the bug soon, so I can revert the policy.

Fixed for now in selinux-policy-3.2.5-3.fc9

Comment 12 Jim Cornette 2007-12-21 23:49:59 EST
selinux-policy-3.2.5-3.fc9 does patch the problem. Closing bug report and
waiting for real fix in hal.
