Bug 473286 - Prevents login
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-11-27 09:21 EST by David Highley
Modified: 2009-08-12 15:51 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-12 15:51:49 EDT

Attachments
Audit log file. (288.22 KB, text/x-log), 2008-11-27 09:21 EST, David Highley
Description David Highley 2008-11-27 09:21:44 EST
Created attachment 324885
Audit log file.

Description of problem:
With selinux in enforce mode login is prevented.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-18.fc10.noarch

How reproducible:
Every time

Additional info:
Attached an audit log file.
Comment 1 Daniel Walsh 2008-12-01 14:46:49 EST
Fixed in selinux-policy-3.5.13-26.fc10
Comment 2 David Highley 2008-12-10 01:44:02 EST
Installed selinux-policy-3.5.26.fc10 and did a setenforce Enforcing. Rebooted the system and have the same issues, with several pop-up dialog failure messages and a spinning busy indicator that never goes away until I do a setenforce Permissive. Checked /var/log/messages and see indications of a labeling issue. Touched /.autorelabel and after another reboot all seems to be working. Do not know how a labeling issue cropped up with a new install already. Thanks for the fix.
Comment 3 Daniel Walsh 2008-12-10 09:14:27 EST
What AVC did you see that caused you to think you needed to relabel?
Comment 4 David Highley 2008-12-10 10:23:14 EST
In /var/log/messages:
Dec  9 22:30:23 redwood setroubleshoot: SELinux is preventing the gconfd-2 from using potentially mislabeled files (./orbit-gdm). For complete SELinux messages. run sealert -l 040d5276-2d1c-4063-bb73-f5de7a83b38d

sealert returned:
[root@redwood ~]# sealert -l 040d5276-2d1c-4063-bb73-f5de7a83b38d

Summary:

SELinux is preventing the gconfd-2 from using potentially mislabeled files
(./orbit-gdm).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied gconfd-2 access to potentially mislabeled file(s)
(./orbit-gdm). This means that SELinux will not allow gconfd-2 to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want gconfd-2 to access this files, you need to relabel them using
restorecon -v './orbit-gdm'. You might want to relabel the entire directory
using restorecon -R -v './orbit-gdm'.

Additional Information:

Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_tmp_t:s0
Target Objects                ./orbit-gdm [ dir ]
Source                        gconfd-2
Source Path                   /usr/libexec/gconfd-2
Port                          <Unknown>
Host                          redwood
Source RPM Packages           GConf2-2.24.0-1.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     redwood
Platform                      Linux redwood 2.6.27.7-134.fc10.x86_64 #1 SMP Mon
                              Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Tue Dec  9 20:22:43 2008
Last Seen                     Tue Dec  9 20:28:58 2008
Local ID                      040d5276-2d1c-4063-bb73-f5de7a83b38d
Line Numbers

Raw Audit Messages

node=redwood type=AVC msg=audit(1228883338.840:151): avc:  denied  { search } for  pid=3717 comm="gconfd-2" name="orbit-gdm" dev=dm-0 ino=1169210 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

node=redwood type=AVC msg=audit(1228883338.840:151): avc:  denied  { write } for  pid=3717 comm="gconfd-2" name="orbit-gdm" dev=dm-0 ino=1169210 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

node=redwood type=AVC msg=audit(1228883338.840:151): avc:  denied  { add_name } for  pid=3717 comm="gconfd-2" name="linc-e85-0-7e11423acd5da" scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

node=redwood type=AVC msg=audit(1228883338.840:151): avc:  denied  { create } for  pid=3717 comm="gconfd-2" name="linc-e85-0-7e11423acd5da" scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=sock_file

node=redwood type=SYSCALL msg=audit(1228883338.840:151): arch=c000003e syscall=49 success=yes exit=0 a0=c a1=d1e460 a2=2a a3=32df455704 items=0 ppid=3716 pid=3717 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gconfd-2" exe="/usr/libexec/gconfd-2" subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Still see the following in the /var/log/messages file at boot, but the relabel may not have been done yet:
Dec  9 22:35:43 redwood kernel: type=1404 audit(1228890693.218:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
Dec  9 22:35:43 redwood kernel: scsi 2:0:0:0: Direct-Access     HP       Officejet 7310xi 1.00 PQ: 0 ANSI: 2
Dec  9 22:35:43 redwood kernel: sd 2:0:0:0: [sdb] Attached SCSI removable disk
Dec  9 22:35:43 redwood kernel: sd 2:0:0:0: Attached scsi generic sg3 type 0
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: SELinux:  Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
Dec  9 22:35:43 redwood kernel: type=1404 audit(1228890940.778:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295

See these denied entries in /var/log/audit/audit:
type=AVC msg=audit(1228890629.562:192): avc:  denied  { execute } for  pid=6336 comm="NetworkManager" name="nscd" dev=dm-0 ino=1063264 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1228890629.562:192): arch=c000003e syscall=59 success=no exit=-13 a0=13910a0 a1=138fd10 a2=7ffff9859550 a3=1999999999999999 items=0 ppid=2090 pid=6336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Wished the audit file had dates so I could know correlation with the messages file.
Comment 5 Daniel Walsh 2008-12-10 10:40:43 EST
Use ausearch -m avc

This will give you the dates.
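The raw records pasted in comment 4 carry their time only as audit(<epoch seconds>.<ms>:<serial>), which is why the audit file shows no calendar dates and why comment 5 points at ausearch. As an added example (not part of the bug report or of any Fedora tool), this Python parses such AVC records, converts the epoch so it can be lined up with /var/log/messages, and flags denials whose target carries no label (unlabeled_t, file_t), the relabel case seen with the nscd denial; the sample records are copied from the page, while the UTC-8 offset used for printing and all function names are assumptions of the example.

```python
# Added example (not from the bug report): give raw AVC records the calendar dates
# the audit log omits (audit(<epoch>.<ms>:<serial>)) and flag unlabeled targets.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two AVC records and one SYSCALL record from comment 4.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1228883338.840:151): avc:  denied  { search } for  pid=3717 comm="gconfd-2" name="orbit-gdm" dev=dm-0 ino=1169210 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1228883338.840:151): arch=c000003e syscall=49 success=yes exit=0
type=AVC msg=audit(1228890629.562:192): avc:  denied  { execute } for  pid=6336 comm="NetworkManager" name="nscd" dev=dm-0 ino=1063264 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

AVC_RE = re.compile(  # search(), so an optional "node=<host> " prefix is tolerated
    r'type=AVC msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Target types meaning "this object has no label": a restorecon candidate, not a policy gap.
UNLABELED_TYPES = {'unlabeled_t', 'file_t'}

def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    when = datetime.fromtimestamp(int(m.group('sec')), tz=timezone.utc)
    ttype = kv['tcontext'].split(':')[2]          # e.g. xdm_tmp_t
    return {
        'when': when + timedelta(milliseconds=int(m.group('ms'))),  # aware UTC
        'serial': int(m.group('serial')),         # same value on the SYSCALL record
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'), 'name': kv.get('name'), 'tclass': kv.get('tclass'),
        'stype': kv['scontext'].split(':')[2],    # e.g. xdm_dbusd_t
        'ttype': ttype,
        'relabel_candidate': ttype in UNLABELED_TYPES,
    }

def parse_audit(text):
    """All AVC records in an audit.log excerpt, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r]

def syslog_stamp(rec, utc_offset_hours):
    """Render the time like /var/log/messages ('Dec  9 20:28:58') for a host at the given UTC offset."""
    local = rec['when'].astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return f"{local:%b} {local.day:2d} {local:%H:%M:%S}"

if __name__ == '__main__':
    for r in parse_audit(SAMPLE_AUDIT):  # -8: the sealert "Last Seen" time on the page matches UTC-8
        print(syslog_stamp(r, -8), r['serial'], r['comm'], r['perms'], r['stype'], '->', r['ttype'],
              r['tclass'], 'relabel' if r['relabel_candidate'] else 'policy')
```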
Comment 6 David Highley 2009-08-12 00:46:25 EDT
Thanks, sorry I did not realize this was in a retest state. Everything has been working. We can close this report.
