Bug 500525 - gdm denials on livecd boot
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: LiveCD - Xfce
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assignee: Kevin Fenzi

Reported: 2009-05-13 04:46 UTC by Kevin Fenzi
Modified: 2013-01-10 05:13 UTC
Doc Type: Bug Fix
Last Closed: 2009-06-06 05:50:56 UTC

Description Kevin Fenzi 2009-05-13 04:46:31 UTC
Xfce i686 live media as of today (2009-05-12) has some gdm denials on boot: 

type=AVC msg=audit(1242203547.059:24642): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203551.058:24643): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203555.059:24644): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203559.059:24645): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203563.059:24646): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203567.058:24647): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203571.058:24648): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203575.059:24649): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203579.059:24650): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203583.058:24651): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203587.059:24652): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203591.058:24653): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203595.058:24654): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203599.058:24655): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.060:24656): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24662): avc:  denied  { read write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24663): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.952:24664): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1242203603.953:24665): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir

Comment 1 Daniel Walsh 2009-05-13 14:00:31 UTC
The liveuser directory is mislabeled. It should not be home_root_t; it should be user_home_dir_t?
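
An added triage helper, not code from this bug or from the Fedora live tooling: it parses AVC records like the ones in the description, collapses the repeated denials into counts per (source type, target type, class, permissions), and flags a directory that carries home_root_t under a name other than home as a mislabeled home directory, the condition Comment 1 identifies. The four sample records are taken from the description above; the mislabel rule (home_root_t belongs to /home itself) is this example's own assumption.

```python
import re
from collections import Counter
# Sample input: four of the AVC records quoted in the bug description (a constructed subset).
SAMPLE_AVC = [
    'type=AVC msg=audit(1242203547.059:24642): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1242203551.058:24643): avc:  denied  { read } for  pid=1881 comm="gdm-simple-gree" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1242203603.952:24662): avc:  denied  { read write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1242203603.952:24663): avc:  denied  { write } for  pid=1983 comm="gdm-session-wor" name="liveuser" dev=dm-0 ino=93054 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir',
]
AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": tuple(m["perms"].split())}
    for key, val in KV_RE.findall(m["fields"]):
        rec[key] = val.strip('"')  # drop the quotes around comm= and name=
    return rec

def type_of(ctx):
    """user:role:type[:range] -> type, the field SELinux rules are written against."""
    return ctx.split(":")[2]

def summarize(lines):
    """Collapse repeated denials into (source type, target type, class, perms) -> count."""
    counts = Counter()
    for rec in map(parse_avc, lines):
        if rec and rec["result"] == "denied":
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                    rec["tclass"], rec["perms"])] += 1
    return counts

def find_home_mislabels(lines):
    """Assumed rule: home_root_t is the label of /home itself, so a dir with any other name
    carrying it (here 'liveuser') is a user home dir restorecon would relabel to user_home_dir_t.
    Returns {(dev, ino): {"name": ..., "sources": {(comm, source type), ...}}}."""
    flagged = {}
    for rec in map(parse_avc, lines):
        if not rec or rec["result"] != "denied" or rec.get("tclass") != "dir":
            continue
        if type_of(rec["tcontext"]) == "home_root_t" and rec.get("name") != "home":
            entry = flagged.setdefault((rec["dev"], rec["ino"]),
                                       {"name": rec["name"], "sources": set()})
            entry["sources"].add((rec["comm"], type_of(rec["scontext"])))
    return flagged
```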

Comment 2 Jeremy Katz 2009-05-13 15:45:22 UTC
The x86 desktop image I built yesterday has things labeled fine.  I'll kick off an XFCE one while I'm gone to lunch, but there shouldn't be anything different.

Have a log of the image build?  Any errors during boot (especially during the live initscript)?

Comment 3 Kevin Fenzi 2009-05-13 16:14:59 UTC
Yeah, I do have a log. Nothing leaps out there.

We do a: 

chown -R liveuser:liveuser /home/liveuser

at the end of the livesys, because we add some files (which get owned by root by default). 
Perhaps that's resetting the context?

Comment 4 Jeremy Katz 2009-05-13 17:02:09 UTC
Aha, that's exactly it.  You're adding things in %post and not on boot.  So yes, you'll also need a restorecon in the %post as well if that's how you want to do things in addition to the chown.

That said, you also really probably don't _want_ to be doing that as part of %post and instead want to do it on each boot in the livesys initscript.  Otherwise, the files are on the image that gets dd'd to the user's hard drive after they install rather than just being present in the overlay.

Comment 5 Kevin Fenzi 2009-05-13 17:09:16 UTC
I'm not sure I understand. 

How can we modify the livesys initscript script except in %post?

It's created in the post in fedora-live-base.ks; you want us to add our special cases there?

Comment 6 Jeremy Katz 2009-05-13 17:25:32 UTC
You can append to it with

cat >> /etc/init.d/livesys << EOF
[do stuff here]
EOF

in your %post (much as is already done for screensaver disabling)

Comment 7 Rahul Sundaram 2009-05-13 17:47:52 UTC
Kevin, please ask whoever is responsible for bugzilla administration to reassign yourself instead of me as the owner of fedora xfce live component in bugzilla.  Thanks.

Comment 8 Kevin Fenzi 2009-05-13 20:19:49 UTC
OK. I did the one-liner fix for F11 here, and we will do the more proper fix for F12.

Rahul: will do.

Comment 9 Kevin Fenzi 2009-06-06 05:50:56 UTC
This was fixed for F11.

