Bug 512264 – SELinux blocks SLiM

Bug 512264 - SELinux blocks SLiM

Summary:	SELinux blocks SLiM

Status:	CLOSED DUPLICATE of bug 518068

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	slim (Show other bugs)
Sub Component:
Version:	11
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Lorenzo Villani
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:	Reopened

Depends On:
Blocks:	LXDE
	Show dependency tree / graph

Reported:	2009-07-16 17:44 EDT by Christoph Wickert
Modified:	2013-01-10 00:17 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-10-10 08:37:43 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
sealert error message (2.60 KB, text/plain) 2009-07-16 17:44 EDT, Christoph Wickert	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Christoph Wickert 2009-07-16 17:44:50 EDT

Created attachment 354051 [details]
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open","getattr","read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it
  
Actual results:
No login manager but a lot of Selinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.

Comment 1 Christoph Wickert 2009-07-16 17:45:48 EDT

Comment on attachment 354051 [details]
sealert error message

This is the alert for getattr, I have similar errors for open, read and unlink.

Comment 2 Daniel Walsh 2009-07-19 12:06:35 EDT

If you 

chcon -t xdm_var_run_t /var/run/slim\*

Does everything work?

Comment 3 Christoph Wickert 2009-07-23 17:04:20 EDT

semanage -a -t xdm_var_run_t /var/run/slim.auth 
did the trick, slim.run already gets created xdm_var_run_t. Would be nice to have this in the policy, so I don't need no hack on the livecd.

Comment 4 Daniel Walsh 2009-07-27 13:51:20 EDT

Miroslav can you add this labeling?

/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)

Comment 5 Miroslav Grepl 2009-07-27 14:01:31 EDT

I will push out a new selinux-policy release with this change tomorrow.

Comment 6 Miroslav Grepl 2009-07-28 09:20:54 EDT

Fixed in selinux-policy-3.6.12-70.fc11

Comment 7 Christoph Wickert 2009-08-05 20:28:01 EDT

Works fine, thanks!

Comment 8 Christoph Wickert 2009-08-18 17:33:52 EDT

Sorry, I was too fast. It's still not working. The strange thing is: It works fine when installed, but not from the livecd.

Try yourself with the latest LXDE livecd from 
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

Let me know If I can help you testing, debugging or whatever.

Comment 9 Daniel Walsh 2009-08-18 18:34:43 EDT

Then this is a bug in the livecd program.

Comment 10 Jeremy Katz 2009-08-19 15:12:54 EDT

There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run.  Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t)

The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and then the new files within it will get the right context.

Comment 11 Daniel Walsh 2009-08-20 07:55:59 EDT

But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/slim

And we have this line in policy

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

WHich says if a process running as xdm_t creates a dir,file. fifo_file or sock_file in var_run_t it will label it xdm_var_run_t

So something else is creating this file or the /usr/bin/slim is not labeled correctly.

Comment 12 Huub Schaeks 2009-08-30 07:59:42 EDT

/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file.

The solution you suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=518068

works.

Comment 13 Lorenzo Villani 2009-10-10 08:37:43 EDT

Using #518068 to track this issue.

*** This bug has been marked as a duplicate of bug 518068 ***

Note You need to log in before you can comment on or make changes to this bug.