Bug 512264 - SELinux blocks SLiM
Summary: SELinux blocks SLiM
Keywords:
Status: CLOSED DUPLICATE of bug 518068
Alias: None
Product: Fedora
Classification: Fedora
Component: slim
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Lorenzo Villani
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: LXDE
TreeView+ depends on / blocked
 
Reported: 2009-07-16 21:44 UTC by Christoph Wickert
Modified: 2013-01-10 05:17 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-10 12:37:43 UTC
Type: ---


Attachments (Terms of Use)
sealert error message (2.60 KB, text/plain)
2009-07-16 21:44 UTC, Christoph Wickert
no flags Details

Description Christoph Wickert 2009-07-16 21:44:50 UTC
Created attachment 354051 [details]
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open","getattr","read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it
  
Actual results:
No login manager but a lot of Selinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.

Comment 1 Christoph Wickert 2009-07-16 21:45:48 UTC
Comment on attachment 354051 [details]
sealert error message

This is the alert for getattr, I have similar errors for open, read and unlink.

Comment 2 Daniel Walsh 2009-07-19 16:06:35 UTC
If you 

chcon -t xdm_var_run_t /var/run/slim\*

Does everything work?

Comment 3 Christoph Wickert 2009-07-23 21:04:20 UTC
semanage -a -t xdm_var_run_t /var/run/slim.auth 
did the trick, slim.run already gets created xdm_var_run_t. Would be nice to have this in the policy, so I don't need no hack on the livecd.

Comment 4 Daniel Walsh 2009-07-27 17:51:20 UTC
Miroslav can you add this labeling?

/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)

Comment 5 Miroslav Grepl 2009-07-27 18:01:31 UTC
I will push out a new selinux-policy release with this change tomorrow.

Comment 6 Miroslav Grepl 2009-07-28 13:20:54 UTC
Fixed in selinux-policy-3.6.12-70.fc11

Comment 7 Christoph Wickert 2009-08-06 00:28:01 UTC
Works fine, thanks!

Comment 8 Christoph Wickert 2009-08-18 21:33:52 UTC
Sorry, I was too fast. It's still not working. The strange thing is: It works fine when installed, but not from the livecd.

Try yourself with the latest LXDE livecd from 
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

Let me know If I can help you testing, debugging or whatever.

Comment 9 Daniel Walsh 2009-08-18 22:34:43 UTC
Then this is a bug in the livecd program.

Comment 10 Jeremy Katz 2009-08-19 19:12:54 UTC
There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run.  Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t)

The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and then the new files within it will get the right context.

Comment 11 Daniel Walsh 2009-08-20 11:55:59 UTC
But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/slim

And we have this line in policy

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

WHich says if a process running as xdm_t creates a dir,file. fifo_file or sock_file in var_run_t it will label it xdm_var_run_t

So something else is creating this file or the /usr/bin/slim is not labeled correctly.

Comment 12 Huub Schaeks 2009-08-30 11:59:42 UTC
/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file.

The solution you suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=518068

works.

Comment 13 Lorenzo Villani 2009-10-10 12:37:43 UTC
Using #518068 to track this issue.

*** This bug has been marked as a duplicate of bug 518068 ***


Note You need to log in before you can comment on or make changes to this bug.