Created attachment 354051 [details]
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open", "getattr", "read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it

Actual results:
No login manager but a lot of SELinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc: denied { open } for pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc: denied { getattr } for pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc: denied { read } for pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc: denied { unlink } for pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.
Comment on attachment 354051 [details]
sealert error message

This is the alert for getattr; I have similar errors for open, read and unlink.
If you chcon -t xdm_var_run_t /var/run/slim*, does everything work?
semanage fcontext -a -t xdm_var_run_t /var/run/slim.auth did the trick; slim.run already gets created as xdm_var_run_t. Would be nice to have this in the policy, so I don't need a hack on the livecd.
Miroslav, can you add this labeling?

/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
I will push out a new selinux-policy release with this change tomorrow.
Fixed in selinux-policy-3.6.12-70.fc11
Works fine, thanks!
Sorry, I was too fast. It's still not working. The strange thing is: it works fine when installed, but not from the livecd. Try yourself with the latest LXDE livecd from http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/ Let me know if I can help you testing, debugging or whatever.
Then this is a bug in the livecd program.
There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run. Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t). The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and the new files within it will get the right context.
But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0 /usr/bin/slim

And we have this line in policy:

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

which says that if a process running as xdm_t creates a dir, file, fifo_file or sock_file in var_run_t it will label it xdm_var_run_t. So something else is creating this file, or /usr/bin/slim is not labeled correctly.
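An added example for this thread (it is not part of the bug report, nor code from slim or selinux-policy): a POSIX sh/awk filter that reduces raw audit records like the ones quoted in the description to (permission, source type, target type, class, object) tuples, and then compares each object's observed type with the type the files_pid_filetrans rule quoted above should have produced. The sample records are constructed from the report's own AVC and SYSCALL lines; the SYSCALL record is included only to show that non-AVC records are filtered out.

```shell
#!/bin/sh
# Added example (not from this bug report or from selinux-policy): reduce raw
# audit records to "perm source_type target_type class object" tuples and flag
# objects whose type differs from the one the policy's file transition rule
# should have produced.
#
# SAMPLE_RECORDS is constructed from the AVC/SYSCALL lines quoted in the report;
# on a real system the input would come from: ausearch -m avc -c slim
SAMPLE_RECORDS='node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc: denied { open } for pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc: denied { getattr } for pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc: denied { unlink } for pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file'

# summarize_avc: stdin = audit records, stdout = one tuple per AVC denial.
# Non-AVC records (SYSCALL, CWD, PATH ...) are dropped. The permission set
# inside { } is joined with commas so a multi-permission denial stays one field.
summarize_avc() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      perm = ""; stype = ""; ttype = ""; tclass = ""; obj = ""
      if (match($0, /[{] [^}]* [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # the third colon-separated field of a context is its type
        if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "tclass") tclass = kv[2]
        else if (kv[1] == "name" || kv[1] == "path") { obj = kv[2]; gsub(/"/, "", obj) }
      }
      print perm, stype, ttype, tclass, obj
    }'
}

# flag_mislabeled WANT: stdin = summarize_avc output; prints every object whose
# observed target type is not WANT. For the slim case WANT is xdm_var_run_t,
# the type files_pid_filetrans(xdm_t, xdm_var_run_t, ...) would have assigned.
flag_mislabeled() {
  awk -v want="$1" '
    NF && $3 != want {
      printf "MISLABELED %s: is %s, expected %s (%s denied for %s)\n", $5, $3, want, $1, $2
    }'
}

printf '%s\n' "$SAMPLE_RECORDS" | summarize_avc | flag_mislabeled xdm_var_run_t
```

A MISLABELED line whose source type is xdm_t and whose target type is var_run_t is exactly the situation discussed above: a file that ended up in /var/run without the xdm_var_run_t transition, which points at whatever process actually created it rather than at the slim binary's own label.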
/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file. The solution you suggested here: https://bugzilla.redhat.com/show_bug.cgi?id=518068 works.
Using #518068 to track this issue. *** This bug has been marked as a duplicate of bug 518068 ***