Bug 439897 - xdm* SELinux denials -- gdm crashes with SELinux enforcing
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: gdm
Version: rawhide
Hardware: All / OS: Linux
Priority: low / Severity: low
Assigned To: jmccann
QA Contact: Fedora Extras Quality Assurance
: SELinux
Reported: 2008-03-31 17:58 EDT by Matěj Cepl
Modified: 2015-01-14 18:20 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-04-01 04:14:45 EDT

Attachments
/var/log/audit/audit.log (2.39 MB, text/plain)
2008-04-01 04:00 EDT, Matěj Cepl
output of find /tmp/ -context '*user_tmp*' (24.97 KB, text/plain)
2008-04-01 04:05 EDT, Matěj Cepl

Description Matěj Cepl 2008-03-31 17:58:24 EDT
Description of problem:

Together with the module described in bug 439893 I had to create another SELinux
policy module for xdm* stuff:

module myxdm 1.0;

require {
        type user_tmp_t;
        type xdm_t;
        type rpm_var_lib_t;
        class dir { write rmdir read remove_name create add_name };
        class file { write getattr link read lock create };
}

#============= xdm_t ==============
allow xdm_t rpm_var_lib_t:file { read lock getattr };
allow xdm_t user_tmp_t:dir { write rmdir read remove_name create add_name };
allow xdm_t user_tmp_t:file { write getattr link read lock create };


Version-Release number of selected component (if applicable):
hal-0.5.11-0.2.rc2.fc9.i386
hal-docs-0.5.11-0.2.rc2.fc9.i386
selinux-policy-targeted-3.3.1-26.fc9.noarch
hal-devel-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-7.3-3.fc9.i386
xorg-x11-server-debuginfo-1.4.99.901-13.20080314.fc9.i386
gdm-2.21.10-0.2008.03.26.3.fc9.i386
hal-info-20080317-2.fc9.noarch
xorg-x11-server-Xorg-1.4.99.901-13.20080314.fc9.i386
hal-debuginfo-0.5.11-0.2.rc2.fc9.i386
hal-libs-0.5.11-0.2.rc2.fc9.i386
xorg-x11-server-utils-debuginfo-7.3-3.fc9.i386
xorg-x11-server-common-1.4.99.901-13.20080314.fc9.i386


How reproducible:
100%

Steps to Reproduce:
1. login via gdm with SELinux in the Enforcing mode

Actual results:
crash

Expected results:
being logged-in
Comment 1 Daniel Walsh 2008-04-01 01:33:54 EDT
What files is xdm creating in /tmp that are labeled for a user_tmp?  Why would
xdm ever need to use the rpm library?

I think we need the audit.log for these.
Comment 2 Matěj Cepl 2008-04-01 04:00:22 EDT
Created attachment 299865 [details]
/var/log/audit/audit.log

I am not sure whether this is not residuum from my previous very screwed up
computer, but here is the /var/log/audit/audit.log
Comment 3 Matěj Cepl 2008-04-01 04:05:21 EDT
Created attachment 299866 [details]
output of find /tmp/ -context '*user_tmp*'
Comment 4 Daniel Walsh 2008-04-01 04:14:45 EDT
It looks to me like you logged in as gdm_t at some point in permissive mode and
this generated a lot of spurious AVC messages.

I am closing the bug; if you continue to see errors, please reopen.
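Comment 4's point is that the module in the description was generated from denials that gdm itself may never have produced, so each allow rule deserves a check against the audit log before it is loaded. The script below is an added example, not code from this report, from gdm or from the SELinux project: it cross-checks the module's allow rules against AVC records (constructed sample lines in the kernel's audit format, not the attached log) and reports, per rule, the permissions no denial justifies and which processes (comm) produced the denials behind the rest.

```python
import re
from collections import defaultdict

# Allow rules from the module in the bug report (audit2allow output).
MODULE = """
allow xdm_t rpm_var_lib_t:file { read lock getattr };
allow xdm_t user_tmp_t:dir { write rmdir read remove_name create add_name };
allow xdm_t user_tmp_t:file { write getattr link read lock create };
"""
# Constructed AVC records in the kernel's audit format (not from the attached log).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1207000000.101:10): avc:  denied  { read getattr } for  pid=2500 comm="gdm-binary" path="/var/lib/rpm/Packages" dev=sda1 ino=100 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1207000000.102:11): avc:  denied  { write add_name } for  pid=2600 comm="bash" name="tmp" dev=sda1 ino=200 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
"""
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S* tcontext=\w+:\w+:(?P<ttype>\w+):\S* '
    r'tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'allow (\w+) (\w+):(\w+) \{ ([^}]+)\};')

def parse_denials(log_text):
    """(source type, target type, class) -> {permission: set of comm values}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m['perms'].split():
                denials[(m['stype'], m['ttype'], m['tclass'])][perm].add(m['comm'])
    return denials

def review_module(module_text, log_text):
    """For each allow rule: permissions no denial justifies, and which
    processes (comm) produced the denials behind the rest."""
    denials = parse_denials(log_text)
    report = {}
    for m in ALLOW_RE.finditer(module_text):
        key, perms = (m[1], m[2], m[3]), m[4].split()
        seen = denials.get(key, {})
        report[key] = {
            "unsupported": sorted(p for p in perms if p not in seen),
            "by_comm": {p: sorted(seen[p]) for p in perms if p in seen},
        }
    return report

if __name__ == "__main__":
    for key, r in review_module(MODULE, SAMPLE_AUDIT).items():
        print("allow %s %s:%s" % key, r)
```

With the constructed log, the user_tmp_t rules rest only on denials from comm="bash" running as xdm_t, which is the pattern of a shell session left over from permissive mode rather than a need of gdm's own binaries; a rule with that kind of evidence, or with no evidence at all, should not be loaded without further investigation.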
