Bug 446688 - SELinux prevents users from logging in to gdm
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i686 Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-15 13:24 EDT by cornel panceac
Modified: 2008-05-19 14:46 EDT
Last Closed: 2008-05-16 16:10:37 EDT
Doc Type: Bug Fix
Attachments: None
Description cornel panceac 2008-05-15 13:24:36 EDT
Description of problem:
After updates, SELinux prevents users from logging in to gdm and from running su - in the console.

In /var/log/messages I can see things like:

setroubleshoot: SELinux is preventing access to files with the label, file_t.
For complete SELinux messages. run sealert -l bfab8158-ced8-4e3c-8b2e-2b875153e72c

then

# sealert -l bfab8158-ced8-4e3c-8b2e-2b875153e72c

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
file system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:file_t
Target Objects                ./gconfd-gdm [ dir ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Unknown>
Host                          guzu.shacknet.nu
Source RPM Packages           GConf2-2.22.0-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     guzu.shacknet.nu
Platform                      Linux guzu.shacknet.nu 2.6.25.3-18.fc9.i686 #1 SMP
                              Tue May 13 05:38:53 EDT 2008 i686 athlon
Alert Count                   818
First Seen                    Thu May 15 20:04:35 2008
Last Seen                     Thu May 15 20:07:54 2008
Local ID                      bfab8158-ced8-4e3c-8b2e-2b875153e72c
Line Numbers                  

Raw Audit Messages            

host=guzu.shacknet.nu type=AVC msg=audit(1210871274.337:886): avc:  denied  {
read } for  pid=6316 comm="gconfd-2" name="gconfd-gdm" dev=sda1 ino=508118
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:file_t:s0 tclass=dir

host=guzu.shacknet.nu type=SYSCALL msg=audit(1210871274.337:886): arch=40000003
syscall=5 success=no exit=-13 a0=9d99bd8 a1=0 a2=bfc357ac a3=9d9c618 items=0
ppid=6315 pid=6316 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42
egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gconfd-2"
exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Indeed, autorelabel fixed the problem but, after this, some messages stating that
"the configuration defaults for gnome power manager have not been installed
correctly" show up in gdm.

Comment 1 Daniel Walsh 2008-05-16 16:10:37 EDT
Did you try what the setroubleshoot command told you to do?

touch /.autorelabel; reboot

This will fix the labeling and everything should be ok. I have no idea why you
got file_t files; this means files were created on a file system without SELinux
enabled.
Comment 2 cornel panceac 2008-05-17 01:32:46 EDT
As I said before:
"
indeed, autorelabel fixed the problem but, after this, some messages stating that
"the configuration defaults for gnome power manager have not been installed
correctly" show up in gdm.
"
Worth mentioning this was F8 yum-upgraded to F9.
Also, after the yum upgrade was finished, everything worked fine (even postfix
was allowed to do its job!), even after several reboots, and I definitely didn't
change SELinux from enforcing to something else (and back). Still, after
those updates, at the next reboot, nobody could log in to the GUI, and only root
could log in to the console. Also, after the relabel, two gnome-power messages (as
mentioned above) appear as soon as gdm starts, and a third one appears when I
select my user from gdm.

Also, postfix no longer works, as reported in another bug report for F8.

Thanks a lot, have a nice weekend :)
Comment 3 cornel panceac 2008-05-17 07:04:47 EDT
Also, after relabeling two times, I still get a lot of messages like this:

Summary:

SELinux is preventing access to files with the label, file_t.

Detailed Description:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
file system.

Allowing Access:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Additional Information:

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:file_t
Target Objects                ./virtual-guzu.KqyqGY [ dir ]
Source                        tmpwatch
Source Path                   /usr/sbin/tmpwatch
Port                          <Unknown>
Host                          guzu.shacknet.nu
Source RPM Packages           tmpwatch-2.9.13-2
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   file
Host Name                     guzu.shacknet.nu
Platform                      Linux guzu.shacknet.nu 2.6.25.3-18.fc9.i686 #1 SMP
                              Tue May 13 05:38:53 EDT 2008 i686 athlon
Alert Count                   1
First Seen                    Sat 17 May 2008 13:59:19 +0000
Last Seen                     Sat 17 May 2008 13:59:19 +0000
Local ID                      668d4920-aabd-40b6-a703-c3a0c993608e
Line Numbers                  

Raw Audit Messages            

host=guzu.shacknet.nu type=AVC msg=audit(1211021959.141:439): avc:  denied  {
read } for  pid=7702 comm="tmpwatch" name="virtual-guzu.KqyqGY" dev=sda1
ino=607062 scontext=system_u:system_r:tmpreaper_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir

host=guzu.shacknet.nu type=SYSCALL msg=audit(1211021959.141:439): arch=40000003
syscall=5 success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0 items=0 ppid=7700
pid=7702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch"
subj=system_u:system_r:tmpreaper_t:s0 key=(null)


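The two raw audit events quoted on this page (gconfd-2 running in xdm_t in the description, tmpwatch in tmpreaper_t in comment 3) are what a responder actually works from; sealert collapses them into one alert per source domain / target type / class and reports an Alert Count. The Python below is an added example, not code from this bug report or from setroubleshoot. It parses auditd-style AVC and SYSCALL records, joins the two records of one event on their shared timestamp:serial in msg=audit(...), flags denials whose target type is file_t (an object with no label at all, which is what the alert text describes), and builds a find-by-inode command for locating the object, since the AVC carries only the last path component plus dev= and ino=. The sample log is constructed from the two events on this page plus one ordinary, correctly labeled denial to show what the file_t filter ignores; uid 42 in the first event is the gdm account on Fedora. The mount point used by locate_command is an assumption and is marked as such in the code.

```python
# Added example (not from the bug report or setroubleshoot): correlate AVC and
# SYSCALL records, flag file_t targets, and build a find-by-inode command.
import re
from collections import Counter, defaultdict

# Constructed sample: the two events quoted in the report plus one normal denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1210871274.337:886): avc:  denied  { read } for  pid=6316 comm="gconfd-2" name="gconfd-gdm" dev=sda1 ino=508118 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1210871274.337:886): arch=40000003 syscall=5 success=no exit=-13 a0=9d99bd8 a1=0 a2=bfc357ac a3=9d9c618 items=0 ppid=6315 pid=6316 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1211021959.141:439): avc:  denied  { read } for  pid=7702 comm="tmpwatch" name="virtual-guzu.KqyqGY" dev=sda1 ino=607062 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1211021959.141:439): arch=40000003 syscall=5 success=no exit=-13 a0=804ac62 a1=98800 a2=0 a3=0 items=0 ppid=7700 pid=7702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0 key=(null)
type=AVC msg=audit(1211021960.000:440): avc:  denied  { write } for  pid=7800 comm="httpd" name="index.html" dev=sda1 ino=700001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# msg=audit(SECONDS.MILLIS:SERIAL) is the event id shared by all records of one syscall.
HEADER_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<event>\d+\.\d+:\d+)\):\s*(?P<body>.*)")
# Generic key=value tokens; quoted values (comm=, name=, exe=) may contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_record(line):
    """Parse one audit line into a dict, or None for a non-audit line.
    search() rather than match() so setroubleshoot's leading 'host=...' is tolerated."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    rec = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec["type"], rec["event"] = m.group("type"), m.group("event")
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if a:
            rec["result"] = a.group("result")
            rec["perms"] = a.group("perms").split()
    return rec


def context_type(ctx):
    """Type component of user:role:type[:range], e.g. 'file_t'."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def correlate(log_text):
    """Group records by event id: {event: {'AVC': [...], 'SYSCALL': rec_or_None}}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "AVC":
            events[rec["event"]]["AVC"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["event"]]["SYSCALL"] = rec
    return dict(events)


def unlabeled_denials(log_text):
    """Denied AVCs whose target type is file_t (an object with no label),
    enriched with uid/exe/exit from the SYSCALL record of the same event."""
    found = []
    for event, ev in correlate(log_text).items():
        sc = ev["SYSCALL"] or {}
        for avc in ev["AVC"]:
            if avc.get("result") != "denied" or context_type(avc.get("tcontext", "")) != "file_t":
                continue
            found.append({"event": event, "domain": context_type(avc["scontext"]),
                          "comm": avc.get("comm"), "exe": sc.get("exe"), "uid": sc.get("uid"),
                          "exit": sc.get("exit"), "name": avc.get("name"), "dev": avc.get("dev"),
                          "ino": avc.get("ino"), "tclass": avc.get("tclass"),
                          "perms": avc.get("perms", [])})
    return found


def denial_histogram(log_text):
    """Count denials per (source type, target type, class, permission): the key
    sealert groups on when it reports one alert with an 'Alert Count'."""
    hist = Counter()
    for ev in correlate(log_text).values():
        for avc in ev["AVC"]:
            if avc.get("result") != "denied":
                continue
            for perm in avc.get("perms", []):
                hist[(context_type(avc["scontext"]), context_type(avc["tcontext"]),
                      avc.get("tclass"), perm)] += 1
    return hist


def locate_command(denial, mount_point="/"):
    """Shell command to find the object by inode, since the AVC carries only the
    last path component. Assumption: the dev= filesystem is mounted at mount_point."""
    return f"find {mount_point} -xdev -inum {denial['ino']} -print"


if __name__ == "__main__":
    for d in unlabeled_denials(SAMPLE_AUDIT_LOG):
        print(f"{d['domain']:<12} uid={d['uid']:<4} {d['exe']} {d['perms']} {d['tclass']} "
              f"{d['name']!r} -> {locate_command(d)}")
    for key, n in denial_histogram(SAMPLE_AUDIT_LOG).items():
        print(n, *key)
```

Run against a real log, the input would be the output of `ausearch -m AVC,SYSCALL --raw` or the `host=...` lines sealert prints; either form parses. Once `find -inum` names the directory, `restorecon -Rv` on it (or the full autorelabel the alert recommends) assigns the correct label.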
Comment 4 Daniel Walsh 2008-05-19 14:35:08 EDT
autorelabel does not clean up the /tmp directory. So you would need to remove
any bogus files from here by hand. tmpreaper is supposed to be able to remove
them. So I will fix this.

Fixed in selinux-policy-3.3.1-53.fc9.noarch

Comment 5 cornel panceac 2008-05-19 14:46:08 EDT
Thank you very much! ('cause yesterday I got more than 2000 denials in 14
hours :) )