Bug 510650 - gdm-session-worker blocked
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2009-07-10 00:04 EDT by David Highley
Modified: 2009-08-21 17:43 EDT (History)
Last Closed: 2009-08-21 17:43:11 EDT
Description David Highley 2009-07-10 00:04:34 EDT
Description of problem:
Looks like gdm-session-worker gets blocked. Could not determine impact of block.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-53.fc11.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Log in
Actual results:


Expected results:


Additional info:
time->Fri Jul  3 12:28:52 2009
type=SYSCALL msg=audit(1246649332.183:26): arch=c000003e syscall=2 success=no exit=-13 a0=11ab330 a1=c2 a2=180 a3=20 items=0 ppid=3399 pid=3450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1246649332.183:26): avc:  denied  { add_name } for  pid=3450 comm="gdm-session-wor" name=".xsession-errors.XXW9QFWU" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Comment 1 Daniel Walsh 2009-07-10 08:20:25 EDT
Are you attempting to log in as root via gdm? This is not allowed via policy and is turned off by default in GDM.
Comment 2 David Highley 2009-07-10 09:28:25 EDT
Yes, we log in as root when setting up systems. It is unrealistic to expect administration people not to. Initially there are no other login accounts available.
Comment 3 Daniel Walsh 2009-07-10 09:51:48 EDT
Well, since GDM denies the ability to log in as root, you must have changed this somehow, and you can set up accounts during the install, either via kickstart or the firstboot.

You can log in via local login or sshd, but not via X, because it is considered very dangerous to run an X Window session as root. (Running Firefox, for example.)

SELinux has to treat the /root directory differently than normal /home since the ability to write to the /root directory would allow an app to write something to /.bashrc and then all admins forever would just execute that code.
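
Added example, not part of the original report: decoding the SYSCALL and AVC records from the description shows which operation was denied and on what. The lookup tables cover only the values seen in this event (Linux x86_64 numbering), and the function names are illustrative.

```python
import re

# Records copied from the bug description, trimmed to the fields decoded below.
SYSCALL = ('type=SYSCALL msg=audit(1246649332.183:26): arch=c000003e syscall=2 '
           'success=no exit=-13 a0=11ab330 a1=c2 a2=180 a3=20 pid=3450 '
           'comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" '
           'subj=system_u:system_r:xdm_t:s0-s0:c0.c1023')
AVC = ('type=AVC msg=audit(1246649332.183:26): avc:  denied  { add_name } for  '
       'pid=3450 comm="gdm-session-wor" name=".xsession-errors.XXW9QFWU" '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir')

# Linux x86_64 values (arch=c000003e); flag bits are octal as in <fcntl.h>.
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
SYSCALLS = {2: "open"}
ERRNO = {13: "EACCES"}

def fields(record):
    """Split a record into key=value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Records belonging to one event share the audit(timestamp:serial) id."""
    return re.search(r'audit\(([\d.]+:\d+)\)', record).group(1)

def decode_syscall(record):
    f = fields(record)
    flags = int(f["a1"], 16)  # audit logs syscall arguments in hex
    names = [ACCMODE[flags & 3]] + [n for bit, n in OPEN_FLAGS.items() if flags & bit]
    return {"syscall": SYSCALLS.get(int(f["syscall"]), f["syscall"]),
            "flags": "|".join(names), "mode": oct(int(f["a2"], 16)),
            "error": ERRNO.get(-int(f["exit"]), f["exit"]), "exe": f["exe"]}

def decode_avc(record):
    f = fields(record)
    perms = re.search(r'\{([^}]*)\}', record).group(1).split()
    # An SELinux context is user:role:type:mls-range; the type is what policy matches on.
    return {"perms": perms, "name": f["name"], "tclass": f["tclass"],
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2]}

def triage(syscall_rec, avc_rec):
    if event_id(syscall_rec) != event_id(avc_rec):
        raise ValueError("records belong to different audit events")
    return {**decode_syscall(syscall_rec), **decode_avc(avc_rec)}

if __name__ == "__main__":
    print(triage(SYSCALL, AVC))
```

The decoded event is an exclusive-create open (mode 0600) of a temporary .xsession-errors file that failed with EACCES because xdm_t may not add a name to an admin_home_t directory, which matches the explanation in comment 3 about /root being treated differently.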
