Bug 480847 - SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:1-greeter.log (xserver_log_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: gdm
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: SELinux
Duplicates: 484451 484564 485326
Reported: 2009-01-20 16:12 EST by Matěj Cepl
Modified: 2009-08-23 13:07 EDT
CC: 11 users
Doc Type: Bug Fix
Last Closed: 2009-08-23 13:07:16 EDT

Attachments
Here's another selinux_alert fyi (3.11 KB, text/plain), 2009-02-04 04:16 EST, morgan read
selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt (2.17 KB, text/plain), 2009-08-03 04:19 EDT, faith

Description Matěj Cepl 2009-01-20 16:12:14 EST
SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:1-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this
access is required by polkit-read-aut and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/gdm/:1-greeter.log,

restorecon -v '/var/log/gdm/:1-greeter.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:1-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1
                              SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 18:23:41 2009
Last Seen                     Mon Jan 19 18:24:07 2009
Local ID                      b330152c-e02f-40f6-bd55-0fdfd1093d14
Line Numbers                  927, 928, 929, 930, 940, 941, 942, 943, 1040, 1041

Raw Audit Messages            

type=AVC msg=audit(1232385847.306:3365): avc:  denied  { write } for  pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

==========================

Summary:

SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:0-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this
access is required by polkit-read-aut and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/gdm/:0-greeter.log,

restorecon -v '/var/log/gdm/:0-greeter.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:xserver_log_t
Target Objects                /var/log/gdm/:0-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-39.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef.ceplovi.cz
Platform                      Linux viklef.ceplovi.cz 2.6.27.10-168.fc10.i686 #1
                              SMP Wed Jan 7 18:33:32 EST 2009 i686 i686
Alert Count                   5
First Seen                    Mon Jan 19 23:38:33 2009
Last Seen                     Mon Jan 19 23:38:41 2009
Local ID                      893e7a70-3438-4b61-9bb6-c5d533d80619
Line Numbers                  6187, 6188, 6189, 6190, 6191, 6192, 6193, 6194,
                              6195, 6196

Raw Audit Messages            

type=AVC msg=audit(1232404721.753:10): avc:  denied  { write } for  pid=2914 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

type=SYSCALL msg=audit(1232404721.753:10): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bfccc480 a2=bfccce9c a3=bfccc480 items=0 ppid=2863 pid=2914 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)

=========================

From #desktop:

(21:17:59) mcepl: Jan 19 07:56:31 viklef setroubleshoot: SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log (xserver_log_t).
(21:18:27) halfline: ah
(21:18:47) halfline: i wonder why policykit is trying to read :0-greeter.log
(21:18:52) halfline: err write to !
(21:19:16) halfline: oh
(21:19:34) halfline: actually makes sense
(21:19:57) halfline: :0-greeter.log should be xserver_log_t
(21:20:08) mcepl: yes, it is (see the message)
(21:20:30) halfline: *shouldn't
(21:20:34) halfline: it's not an xserver log
(21:20:36) mcepl: oh
(21:20:42) halfline: it's the greeter session stdout
(21:20:44) mcepl: no, /var/log/messages
(21:20:55) mcepl: oh I see
(21:21:53) halfline: should probably be a new xdm_var_log_t or some such
(21:22:04) halfline: worth filing if you haven't already
Comment 1 Daniel Walsh 2009-01-21 09:06:08 EST
Is this a leaked file descriptor or are you setting stdout of polkit-read-auth to /var/log/gdm/:0-greeter.log?
Comment 2 Matěj Cepl 2009-01-21 10:54:52 EST
(In reply to comment #1)
> Is this a leaked file descriptor or are you setting stdout of polkit-read-auth
> to /var/log/gdm/:0-greeter.log?

Halfline thought that it might be just a wrong label for the file (should be xdm_var_log_t instead of xserver_log_t).
Comment 3 Daniel Walsh 2009-01-21 14:39:15 EST
There is no xdm_var_log_t.

This is the correct label.

Or I can add a new one, but the question is whether this is intentional that we want to grab the output from polkit-read-auth, or is it a leak.
Comment 4 Ray Strode [halfline] 2009-01-21 17:01:55 EST
right, I wasn't saying there was a xdm_var_log_t, was saying there should be one:

"(21:21:53) halfline: should probably be a new xdm_var_log_t or some such"

See the irc conversation Matej pasted.

:0-greeter.log is akin to ~/.xsession-errors but for the gdm user.  It's where all programs in the greeter session (including things that use policykit) output their debug spew.
Comment 5 morgan read 2009-02-04 04:16:11 EST
Created attachment 330841 [details]
Here's another selinux_alert fyi
Comment 6 morgan read 2009-02-04 04:17:23 EST
Summary for above attachment:
SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:0-greeter.log (xserver_log_t).
Comment 7 Daniel Walsh 2009-02-04 09:57:07 EST
Ray and I have talked about making this append and relabeling /var/log/gdm to xdm_log_t.

Then we can allow the confined domains to append to the log, rather than write.

write allows you to truncate the log files.

But for F10 this app should be able to write xserver_log_t.

In F11 it will append to xdm_log_t.

Miroslav, can you fix this?
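An added example, not code from this bug report, from setroubleshoot, or from the selinux-policy or gdm projects: it parses raw type=AVC records like the two pasted in the description, collapses the denials to (source type, target type, class), and flags which of them request write, which, as the comment above notes, also permits truncating the file, as opposed to the narrower append. The third AVC record in the sample (an append denial against xdm_log_t) is constructed for contrast and does not appear in the report. The _log_t suffix heuristic in least_privilege_rule and all function names are this example's own assumptions, not behaviour of audit2allow or any other policy tool.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The first two AVC records and the SYSCALL record
# are the ones quoted in this bug report; the last AVC record (an 'append'
# denial against an xdm_log_t label) is constructed here for contrast and
# does not appear in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1232385847.306:3365): avc:  denied  { write } for  pid=5535 comm="polkit-read-aut" path="/var/log/gdm/:1-greeter.log" dev=dm-0 ino=1306922 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=SYSCALL msg=audit(1232385847.306:3365): arch=40000003 syscall=11 success=yes exit=0 a0=5217fb4 a1=bf9160e0 a2=bf916afc a3=bf9160e0 items=0 ppid=5406 pid=5535 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1232404721.753:10): avc:  denied  { write } for  pid=2914 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file
type=AVC msg=audit(1232404800.000:11): avc:  denied  { append } for  pid=3001 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=1306908 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
"""

# Header of a type=AVC record: timestamp:serial, result, the permission set
# in braces, then the key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: frozenset
    fields: dict  # pid, comm, path, scontext, tcontext, tclass, ...

    @staticmethod
    def _type_of(context: str) -> str:
        # A context is user:role:type[:mls-range]; the third element is the type.
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc_records(text: str) -> list:
    """Return an AvcRecord for each type=AVC line; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            result=m.group("result"),
            perms=frozenset(m.group("perms").split()),
            fields=fields,
        ))
    return records


def summarize_denials(records) -> dict:
    """Collapse denials to (source type, target type, class) -> union of permissions."""
    summary = {}
    for r in records:
        if r.result != "denied":
            continue
        key = (r.source_type, r.target_type, r.tclass)
        summary[key] = summary.get(key, frozenset()) | r.perms
    return summary


def can_truncate(perms) -> bool:
    """'write' on a file lets the holder truncate it; 'append' alone does not."""
    return "write" in perms


def least_privilege_rule(key, perms) -> str:
    """Render an allow rule, narrowing 'write' to 'append' for log targets.

    Heuristic (this example's assumption): a target type ending in _log_t is a
    log, so a writer only needs append, which preserves existing content.
    Other targets keep the permissions as requested.
    """
    stype, ttype, tclass = key
    narrowed = set(perms)
    if ttype.endswith("_log_t") and "write" in narrowed:
        narrowed.discard("write")
        narrowed.add("append")
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(narrowed))} }};"


if __name__ == "__main__":
    records = parse_avc_records(SAMPLE_AUDIT)
    for key, perms in summarize_denials(records).items():
        flag = "truncation possible" if can_truncate(perms) else "append-only"
        print(f"{key}: {sorted(perms)} -> {flag}")
        print("   ", least_privilege_rule(key, perms))
```

Run against a real audit.log the same parser works on every type=AVC line; the point of the summary is that two denials from the two greeter logs collapse into one (polkit_auth_t, xserver_log_t, file) entry, and that the rule offered for it grants append rather than the write the raw denial asked for.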
Comment 8 Miroslav Grepl 2009-02-06 11:50:23 EST
Fixed in selinux-policy-3.5.13-44.fc10
Comment 9 John Mellor 2009-02-08 14:35:05 EST
This looks like the same bug as 484564
Comment 10 John Mellor 2009-02-08 14:41:09 EST
Can we get this rolled over into fedora-updates-testing, so that we can actually get this fixed version?
Comment 11 Miroslav Grepl 2009-02-09 04:50:48 EST
*** Bug 484564 has been marked as a duplicate of this bug. ***
Comment 12 Miroslav Grepl 2009-02-09 04:54:02 EST
*** Bug 484451 has been marked as a duplicate of this bug. ***
Comment 13 Miroslav Grepl 2009-02-09 05:03:03 EST
It was pushed on Friday last week. I tested it today and it works fine.

# yum install --enablerepo=updates-testing selinux-policy-targeted
Comment 14 Miroslav Grepl 2009-02-13 05:13:22 EST
*** Bug 485326 has been marked as a duplicate of this bug. ***
Comment 15 faith 2009-08-03 04:19:11 EDT
Created attachment 355968 [details]
selinux_is_preventing_polkit-read-aut (polkit_auth_t) "gettattr" fs_t.txt

mine looks slightly different; should I worry about this?  linux newbie: so far I've only used Firefox & T-bird but will be doing other work incl web dev and adjusting network access, documents.  **Haven't been able to print since upgrade from F10 to F11**
Comment 16 faith 2009-08-03 04:25:57 EDT
add'l notes:  was having all kinds of problems, think before F11 upgrade, like constant dropped connection, couldn't read or save text anywhere but text editor, 30 min boot - now just have to login twice and about 10 min boot but lost printing after F11 upgrade.  newbie not sure if has anything to do w/this. many more SELinux alerts since F11 but will check/file rpts separately. thanks
Comment 17 Daniel Walsh 2009-08-04 06:14:21 EDT
Faith, please send me email, and I will work with you on fixing your problem.

dwalsh@redhat.com
Comment 18 faith 2009-08-23 10:03:00 EDT
I sent the email, but I don't know that anything ever got fixed.  Remember, my error was slightly different (see above comment from me) than the original error filed in this bug report.  Please advise how I can tell if my problem has been fixed.  Last time my SELinux reported this error was on 8/17.  Computer is used daily.  Thanks
Comment 19 Daniel Walsh 2009-08-23 13:07:16 EDT
Sounds good Faith.   You are probably all set.  Reopen bug if you see any more problems.