Bug 440431 - SELinux is preventing gnome-power-man (xdm_t) "execstack" to <Neznámé> (xdm_t).
Summary: SELinux is preventing gnome-power-man (xdm_t) "execstack" to <Neznámé> (xdm_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-power-manager
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2008-04-03 14:49 UTC by Matěj Cepl
Modified: 2018-04-11 08:37 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-09-10 12:44:46 UTC

Attachments (Terms of Use)

Description Matěj Cepl 2008-04-03 14:49:13 UTC
Description of problem:


SELinux is preventing gnome-power-man (xdm_t) "execstack" to <Neznámé>

Podrobný popis:

SELinux denied access requested by gnome-power-man. It is not expected that this
access is required by gnome-power-man and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:xdm_t:SystemLow-SystemHigh
Kontext cíle                 system_u:system_r:xdm_t:SystemLow-SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         gnome-power-man
Cesta zdroje                  /usr/bin/gnome-power-manager
Port                          <Neznámé>
Počítač                    viklef.ceplovi.cz
RPM balíčky zdroje          gnome-power-manager-2.22.1-1.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-27.0.mc.1.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz
                              2.6.25-0.185.rc7.git6.fc9.i686 #1 SMP Tue Apr 1
                              13:48:40 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Čt 3. duben 2008, 07:50:26 CEST
Naposledy viděno             Čt 3. duben 2008, 07:50:26 CEST
Místní ID                   60efc6a2-07f9-4813-aefe-16ea0b64ba5f
Čísla řádků              

Původní zprávy auditu      

host=viklef.ceplovi.cz type=AVC msg=audit(1207201826.587:5): avc:  denied  {
execstack } for  pid=2775 comm="gnome-power-man"
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process

host=viklef.ceplovi.cz type=SYSCALL msg=audit(1207201826.587:5): arch=40000003
syscall=125 success=no exit=-13 a0=bfdbb000 a1=1000 a2=1000007 a3=fffff000
items=0 ppid=2770 pid=2775 auid=4294967295 uid=42 gid=42 euid=42 suid=42
fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295
comm="gnome-power-man" exe="/usr/bin/gnome-power-manager"
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-04 21:06:13 UTC
Your system is heavily mislabeled, causing xdm_t to try to run java apps.

I believe we finally got your machine labeling corrected and it fixed these

Comment 2 Matěj Cepl 2008-04-05 06:17:57 UTC
Sorry, Dan, what Java app are you talking about? gnome-power-manager is
certainly not the one and it has all the business to run even inside of gdm.

Comment 3 Matěj Cepl 2008-04-05 06:18:57 UTC
... and note also that this has happened well after heavy relabelling and couple
of days computer working in the Enforcing mode.

Comment 4 Daniel Walsh 2008-04-06 09:46:03 UTC
Well when you login, if you bring up a terminal what does id -Z say?

If it says xdm_t you still have a problem.

If it says unconfined_t then that is correct, and if xdm_t is still asking for
execstack on gnome-power-manager we need to bring in the gdm guys.

Comment 5 Matěj Cepl 2008-04-06 21:17:29 UTC
[matej@viklef ~]$ id -Z
[matej@viklef ~]$ id
uid=500(matej) gid=500(matej)
[matej@viklef ~]$ sudo -i
[sudo] password for root: 
[root@viklef ~]# id -Z
[root@viklef ~]# id
uid=0(root) gid=0(root)
[root@viklef ~]# logout
[matej@viklef ~]$ 

Comment 6 Daniel Walsh 2008-04-08 12:48:06 UTC
But is this still happening after we fixed up the machine?

Ray is xdm now running gnome-power-manager?

Comment 7 Matthias Clasen 2008-04-15 14:33:38 UTC
xdm isn't
but gdm is

Comment 8 Daniel Walsh 2008-04-15 14:44:12 UTC
That is what I meant,  gnome-power-manager should not be requiring execstack.

Comment 9 John Poelstra 2008-04-19 20:17:05 UTC
Is this considered a bug that needs to be fixed for F9?

Comment 10 Daniel Walsh 2008-04-20 11:08:50 UTC
Does the powermanagement code work in enforcing mode, from gdm?

Comment 11 Matthias Clasen 2008-04-21 02:41:37 UTC
Doesn't look like g-p-m requires execstack

[mclasen@localhost Desktop]$ execstack -q /usr/bin/gnome-power-manager 
- /usr/bin/gnome-power-manager

Comment 12 Matěj Cepl 2008-04-21 22:42:51 UTC
(In reply to comment #10)
> Does the powermanagement code work in enforcing mode, from gdm?

It seems like working -- icon is in the notification area and makes some
reasonably wild guesses. Matthias, how to test it's working?

Comment 13 Matthias Clasen 2008-04-22 03:33:59 UTC
Matej, use the Suspend/Hibernate menu items that you get on the icon. Do these
work ?

Comment 14 Matěj Cepl 2008-04-22 13:29:30 UTC
(In reply to comment #13)
> Matej, use the Suspend/Hibernate menu items that you get on the icon. Do these
> work ?

Yes, that's what I use -- too lazy for pm-suspend ;-).

Comment 15 Bug Zapper 2008-05-14 08:37:18 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:

Comment 16 Richard Hughes 2008-09-10 12:44:46 UTC
gnome-power-manager doesn't need execstack -- I think there's a corrupt file somewhere.

Note You need to log in before you can comment on or make changes to this bug.