Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 518068 - selinux prevents slim from starting
Summary: selinux prevents slim from starting
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: slim
Version: rawhide
Hardware: All
OS: Linux
urgent
medium
Target Milestone: ---
Assignee: Lorenzo Villani
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 512264 518771 533631 (view as bug list)
Depends On:
Blocks: LXDE
TreeView+ depends on / blocked
 
Reported: 2009-08-18 17:21 UTC by cornel panceac
Modified: 2009-11-10 16:07 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-21 22:08:14 UTC
Type: ---


Attachments (Terms of Use)

Description cornel panceac 2009-08-18 17:21:00 UTC
Description of problem:
trying to start lxde-i386-20090817.14 livecd, slim does not start. after booting with selinux=0 and installing to hard drive, i've found this message(s) in /var/log/messages, when booting without selinux=0

Aug 18 16:54:32 localhost kernel: type=1400 audit(1250603672.920:18344): avc:  denied  { read } for  pid=1118 comm="slim" name="slim.auth" dev=sda6 ino=79101 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):

# rpm -q selinux-policy
selinux-policy-3.6.26-8.fc12.noarch


How reproducible:

always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

there are also other avc messages in /var/log/messages regarding NetworkManager but, since i was unable to start, ihave no ide about the impatc on the system. the messages are like this:

Aug 18 16:54:41 localhost kernel: type=1400 audit(1250603681.278:18347): avc:  denied  { read } for  pid=1301 comm="NetworkManager" name="null" dev=tmpfs ino=9364 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file

Comment 1 Daniel Walsh 2009-08-18 22:18:20 UTC
Why is there a file labeled device_t?  Seems to be some problem in initrd which is causing this

What does

find /dev -name null -type f -printf "%p %Z\n"

Show?

Where is slim.auth located?

Comment 2 Daniel Walsh 2009-08-18 22:20:58 UTC
/var/run/slim.auth has the wrong context on it.

Something went wrong on the livecd creation as this file should have been labeled correctly.

Comment 3 cornel panceac 2009-08-19 04:16:53 UTC
(In reply to comment #1)
> Why is there a file labeled device_t?  Seems to be some problem in initrd which
> is causing this
> 
> What does
> 
> find /dev -name null -type f -printf "%p %Z\n"
> 
> Show?
> 
> Where is slim.auth located?  

yes, i've found slim.auth on /var/run.

find /dev -name null -type f -printf "%p %Z\n"

returns nothing.

right now i'm searching for the one who generated the iso. thank you.

Comment 4 cornel panceac 2009-08-20 14:42:45 UTC
the issue is still present on alpha rc2 (lxde live "cd" x86)

Comment 5 Daniel Walsh 2009-08-20 16:22:44 UTC
Can you bring this up single user mode and tell me if the file exists?

If yes restorecon it and bring it all the way up and see if you can log in.

Comment 6 cornel panceac 2009-08-20 16:53:14 UTC
hmm. i've just checked the sha1sum and is different from the published one:

e931b0e43ac123d32a60a7b632fb66087cd5dfdf

i've downloaded again and again i got the above sha1sum. so either the computing is different, or the published sha1sum is wrong.

i'll check those things and report back asap.

Comment 7 cornel panceac 2009-08-20 17:06:10 UTC
sorry but comment #4 was wrong: even if selinux still prevents slim for starting, the error is different:

selinux is preventing slim (xdm_t) "read" var_run_t

restorecon /usr/bin/slim

doesn't help.

Comment 8 cornel panceac 2009-08-20 17:17:02 UTC
here's the complete sealert: (after setenforce 0)

# sealert -l bc9bad9e-877f-4d71-afd3-d9242adfe773

Summary:

SELinux is preventing slim (xdm_t) "read" var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by slim. It is not expected that this access is
required by slim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                slim.auth [ file ]
Source                        slim
Source Path                   /usr/bin/slim
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           slim-1.3.1-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug
                              11 21:20:05 EDT 2009 i686 athlon
Alert Count                   349
First Seen                    Thu Aug 20 16:56:56 2009
Last Seen                     Thu Aug 20 17:08:42 2009
Local ID                      bc9bad9e-877f-4d71-afd3-d9242adfe773
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1250802522.810:24558): avc:  denied  { read } for  pid=2289 comm="slim" name="slim.auth" dev=dm-0 ino=67650 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1250802522.810:24558): arch=40000003 syscall=33 success=yes exit=0 a0=99218c3 a1=4 a2=733b18 a3=99218c3 items=0 ppid=1 pid=2289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 9 Daniel Walsh 2009-08-20 17:20:43 UTC
Sorry, I was not specific enough
Bring machine up to single user mode or level 3 and check for the existance of slim.auth?  

ls -lz /var/run/slim.auth

If it is  there, delete it and continue to boot to level 5,  See if you can login.  If you can, then something created the file with the wrong context.  If you can not, check what the context of slim is

ps -eZ | grep slim

Comment 10 cornel panceac 2009-08-20 17:46:29 UTC
in runlevel 1 and 3 there's no /var/run/slim*

once i reached runlevel 5, there's an slim.auth there and ls -lZ returns

... system_u:object_u:object_r:var_run_t:s0 /var/run/slim.auth ...

ps -eZ returns

... system_u:system_r:xdm_t:s0-s0:c0.c1023 ...

ps ax | grep slim shows a process

/usr/bin/X -auth /var/run/slim.auth

wich is probably the process creating the file.

once i kill this process, slim respawns bringing a new X -auth with it..

Comment 11 Daniel Walsh 2009-08-20 19:01:56 UTC
OK, that is a problem.  Can SLIM be changed to use its own directory in /var/run

/var/run/slim/slim.auth

That way we can label /var/run/slim as xdm_var_run_t and this will just work properly.

Comment 12 Huub Schaeks 2009-08-30 11:51:22 UTC
In /etc/slim.conf you can put

authfile     /var/run/slim/slim.auth

to achieve this. Your solution works on my Leonidas install.

Comment 13 Daniel Walsh 2009-08-31 13:49:27 UTC
If slim will make that the default, I will fix the labeling.

Comment 14 Christoph Wickert 2009-10-09 09:49:15 UTC
Dan, can you please make this change ASAP? I need it for my LXDE spin, so please let rel-eng tag the package for F-12 beta. I will take care of the changes in slim.

Comment 15 Daniel Walsh 2009-10-09 12:02:38 UTC
Labeling is already in F-12 beta.

Comment 16 Daniel Walsh 2009-10-09 12:02:59 UTC
selinux-policy-3.6.32-22.fc12.noarch

Comment 17 Lorenzo Villani 2009-10-10 12:36:22 UTC
*** Bug 518771 has been marked as a duplicate of this bug. ***

Comment 18 Lorenzo Villani 2009-10-10 12:37:44 UTC
*** Bug 512264 has been marked as a duplicate of this bug. ***

Comment 19 Lorenzo Villani 2009-10-10 13:16:16 UTC
Please test: http://koji.fedoraproject.org/koji/buildinfo?buildID=136049

Comment 20 Fedora Update System 2009-10-10 13:35:25 UTC
slim-1.3.1-8.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/slim-1.3.1-8.fc12

Comment 21 cornel panceac 2009-10-20 06:04:42 UTC
(In reply to comment #14)
> Dan, can you please make this change ASAP? I need it for my LXDE spin, so
> please let rel-eng tag the package for F-12 beta. I will take care of the
> changes in slim.  

f12 beta rc2 x86 lxde live cd still has the selinux+slim issue.

Comment 22 Daniel Walsh 2009-10-20 12:39:25 UTC
What version of selinux-policy is in there?

Comment 23 Christoph Wickert 2009-10-20 12:49:38 UTC
Dan, the policy is fixed, but the liveimage still contains the old slim package.

(In reply to comment #19)
> Please test: http://koji.fedoraproject.org/koji/buildinfo?buildID=136049  

Looks good, so I can remove my workaround from the ks. Tagging slim-1.3.1-8.fc12 requested at https://fedorahosted.org/rel-eng/ticket/2585

Comment 24 Christoph Wickert 2009-10-20 15:32:06 UTC
slim-1.3.1-8.fc12 was tagged for F12. Lorenzo, please withdraw/delete the pending update from bodhi before you close this bug.

Thanks everybody, well done!

Comment 25 Lorenzo Villani 2009-10-21 22:08:14 UTC
All pending update requests were tagged for f12-final. Closing.

Comment 26 Lorenzo Villani 2009-11-10 16:07:13 UTC
*** Bug 533631 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.