This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 512264 - SELinux blocks SLiM
SELinux blocks SLiM
Status: CLOSED DUPLICATE of bug 518068
Product: Fedora
Classification: Fedora
Component: slim (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Lorenzo Villani
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: LXDE
  Show dependency treegraph
 
Reported: 2009-07-16 17:44 EDT by Christoph Wickert
Modified: 2013-01-10 00:17 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-10 08:37:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sealert error message (2.60 KB, text/plain)
2009-07-16 17:44 EDT, Christoph Wickert
no flags Details

  None (edit)
Description Christoph Wickert 2009-07-16 17:44:50 EDT
Created attachment 354051 [details]
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open","getattr","read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it
  
Actual results:
No login manager but a lot of Selinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.
Comment 1 Christoph Wickert 2009-07-16 17:45:48 EDT
Comment on attachment 354051 [details]
sealert error message

This is the alert for getattr, I have similar errors for open, read and unlink.
Comment 2 Daniel Walsh 2009-07-19 12:06:35 EDT
If you 

chcon -t xdm_var_run_t /var/run/slim\*

Does everything work?
Comment 3 Christoph Wickert 2009-07-23 17:04:20 EDT
semanage -a -t xdm_var_run_t /var/run/slim.auth 
did the trick, slim.run already gets created xdm_var_run_t. Would be nice to have this in the policy, so I don't need no hack on the livecd.
Comment 4 Daniel Walsh 2009-07-27 13:51:20 EDT
Miroslav can you add this labeling?

/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
Comment 5 Miroslav Grepl 2009-07-27 14:01:31 EDT
I will push out a new selinux-policy release with this change tomorrow.
Comment 6 Miroslav Grepl 2009-07-28 09:20:54 EDT
Fixed in selinux-policy-3.6.12-70.fc11
Comment 7 Christoph Wickert 2009-08-05 20:28:01 EDT
Works fine, thanks!
Comment 8 Christoph Wickert 2009-08-18 17:33:52 EDT
Sorry, I was too fast. It's still not working. The strange thing is: It works fine when installed, but not from the livecd.

Try yourself with the latest LXDE livecd from 
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

Let me know If I can help you testing, debugging or whatever.
Comment 9 Daniel Walsh 2009-08-18 18:34:43 EDT
Then this is a bug in the livecd program.
Comment 10 Jeremy Katz 2009-08-19 15:12:54 EDT
There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run.  Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t)

The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and then the new files within it will get the right context.
Comment 11 Daniel Walsh 2009-08-20 07:55:59 EDT
But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/slim

And we have this line in policy

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

WHich says if a process running as xdm_t creates a dir,file. fifo_file or sock_file in var_run_t it will label it xdm_var_run_t

So something else is creating this file or the /usr/bin/slim is not labeled correctly.
Comment 12 Huub Schaeks 2009-08-30 07:59:42 EDT
/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file.

The solution you suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=518068

works.
Comment 13 Lorenzo Villani 2009-10-10 08:37:43 EDT
Using #518068 to track this issue.

*** This bug has been marked as a duplicate of bug 518068 ***

Note You need to log in before you can comment on or make changes to this bug.