Bug 430932 - Domtrans from xdm_t to mono_t is required for beagled
Domtrans from xdm_t to mono_t is required for beagled
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-30 12:46 EST by Jochen Schmitt
Modified: 2008-09-09 14:23 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-09-09 14:23:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Pwatch which allows domtrans from xdm_t to mono_t (452 bytes, patch)
2008-01-30 12:48 EST, Jochen Schmitt
no flags Details | Diff
The audit log (1.44 MB, text/plain)
2008-03-02 13:49 EST, Jochen Schmitt
no flags Details
Output of ps -eZ | grep xdm (3.41 KB, text/plain)
2008-03-02 13:51 EST, Jochen Schmitt
no flags Details
PAM gdm configuration file (649 bytes, text/plain)
2008-03-03 11:09 EST, Jochen Schmitt
no flags Details

  None (edit)
Description Jochen Schmitt 2008-01-30 12:46:15 EST
I have got the following AVC message:

type=AVC msg=audit(1200003288.583:16): avc:  denied  { execheap } for  pid=3452
comm="beagled" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1200003288.583:16): arch=c000003e syscall=10 success=yes
exit=0 a0=f04000 a1=1000 a2=7 a3=3688d529f0 items=0 ppid=1 pid=3452
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) comm="beagled" exe="/usr/bin/mono"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

because beagled is a mono application, a domain transition from the xdm_t to the
mono_t domain is required.
Comment 1 Jochen Schmitt 2008-01-30 12:48:29 EST
Created attachment 293457 [details]
Pwatch which allows domtrans from xdm_t to mono_t
Comment 2 Daniel Walsh 2008-01-30 14:22:33 EST
Why would xdm_t ever run beagled.  This looks like when you login you are
logging in as xdm_t which indicates something far worse is going on, on your
machine.

You should be logged in as unconfined_t.

What does 
# id -Z

Do you have a special configuration of /etc/pam.d/gdm?
Comment 3 Jochen Schmitt 2008-01-30 14:35:05 EST
I'm using kdm for login and i thing xdm_t may be the right domain for the
diskplay mananger.

$ id -Z
system_u:system_r:xdm_t:SystemLow-SystemHigh

xmd_t in the Konsole windows???

I think, we need the domtrans to unconfined_T after the login in kdm.

Best Regards:

Comment 4 Daniel Walsh 2008-01-30 14:44:32 EST
Does the /etc/pam.d/kdm have pam_selinux in it?
Comment 5 Daniel Walsh 2008-02-26 17:06:57 EST
I believe this is a configuration problem.  Closing as notabug, reopen if you
still have problems.
Comment 6 Jochen Schmitt 2008-02-28 10:13:57 EST
I have tryout gdm and kde and the domain will stall stay in xdm_t. So I want to 
reopen this bug.
Comment 7 Daniel Walsh 2008-02-28 12:44:14 EST
Ok you can try relabeling.

First make sure you are up to date on policy

yum -y upgrade selinux-policy
touch /.autorelabel
reboot

Login via gdm_greater and see what context you have? id -Z
If you login via login or sshd what context do you have?  id -Z
Comment 8 Jochen Schmitt 2008-02-28 16:04:43 EST
The relabeling of the system doesn't solve the issue.
Comment 9 Daniel Walsh 2008-02-28 16:42:20 EST
Please attach your audit.log

ps -eZ | grep xdm

Comment 10 Jochen Schmitt 2008-03-02 13:49:46 EST
Created attachment 296518 [details]
The audit log

this file contains the audit log
Comment 11 Jochen Schmitt 2008-03-02 13:51:03 EST
Created attachment 296519 [details]
Output of ps -eZ | grep xdm

Because the output of ps -eZ | grep xdm is large, I have created an attachment.
Comment 12 Daniel Walsh 2008-03-03 10:54:48 EST
You have /dev/null labeled as etc_runtime_t?

You have device files under fusefs?

/mnt/winxp/SFU/dev/comport1

Can you attach /etc/pam.d/gdm
Comment 13 Jochen Schmitt 2008-03-03 11:08:18 EST
(In reply to comment #12)
> You have /dev/null labeled as etc_runtime_t?

No, It's labled as system_u:object_r:null_device_t 
 
> You have device files under fusefs?

Yes.

> /mnt/winxp/SFU/dev/comport1

/mnt/wixp is a ntfs partition.

 
> Can you attach /etc/pam.d/gdm

Of Corse.

Comment 14 Jochen Schmitt 2008-03-03 11:09:32 EST
Created attachment 296626 [details]
PAM gdm configuration file
Comment 15 Daniel Walsh 2008-03-03 13:09:06 EST
I have no idea what is going on here.  It seems that you are never transitioning
from xdm_t to unconfined_t.  Looks like all the context are correct, gdm pam
config is correct.

If you login via local login or sshd what does id -Z show?
Comment 16 Daniel Walsh 2008-03-03 13:10:37 EST
Your avc messages show /dev/null labeled etc_runtime_t?  grep /dev/null in the
audit.log.

What file system are you using?
Comment 17 Jochen Schmitt 2008-03-03 13:37:44 EST
(In reply to comment #15)

> If you login via local login or sshd what does id -Z show?

$ id -Z
system_u:system_r:unconfined_t:SystemLow-SystemHigh

Comment 18 Daniel Walsh 2008-03-03 14:41:40 EST
Which is what is supposed to happen.
Comment 19 Ray Strode [halfline] 2008-03-03 15:07:22 EST
are you using autologin in gdm?
Comment 20 Jochen Schmitt 2008-03-03 15:20:45 EST
No.
Comment 21 Jochen Schmitt 2008-03-04 12:00:54 EST
(In reply to comment #18)
> Which is what is supposed to happen.

I expect the the context should be:

unconfined_t

Comment 22 Daniel Walsh 2008-03-04 15:14:25 EST
Execute
# semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
unconfined_u 
If this fails execute 
# semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
unconfined_u 

Finally execute
# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ 

Now try to login.
Comment 23 Jochen Schmitt 2008-03-04 15:59:43 EST
I have tried your suggestion. Unfortunately, I don't get the expected result.

$ id -Z
system_u:system_r:xdm_t:SystemLow-SystemHigh
Comment 24 Daniel Walsh 2008-03-04 16:08:31 EST
semodule login -l
semodule user -l
Comment 25 Jochen Schmitt 2008-03-05 11:44:21 EST
Your suggested commands didn't worked:

# semodule login -l
unknown additional arguments:
 login

Comment 26 Daniel Walsh 2008-03-05 16:07:10 EST
Sorry, should have been semanage.  What does the output of these commands show?

semanage login -l
semanage user -l
Comment 27 Daniel Walsh 2008-05-07 14:06:50 EDT
Sorry seems that you went away, I am closing this as worksforme or you can
reopen if you are still having the problem.
Comment 28 Jochen Schmitt 2008-05-08 11:03:02 EDT
Unfortunately, the reported issue still exist, so I will reopen this but.

# export LANG="C"; semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              SystemLow-SystemHigh
root                      system_u                  SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh

# export LANG="C"; semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         SystemLow-SystemHigh           system_r
sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r
staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
unconfied_u     unconfined s0         -s0:c0                         system_r
unconfined_r
unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r
unconfined_r
user_u          user       s0         s0                             system_r user_r
xguest_u        xguest     s0         s0                             xguest_r
Comment 29 Daniel Walsh 2008-09-08 16:35:58 EDT
semanage login -m -s unconfined_u root

Note You need to log in before you can comment on or make changes to this bug.