Bug 528790 - SELinux is preventing /usr/libexec/gdm-session-worker "getattr" access on /tmp/.X11-unix/X0.
Summary: SELinux is preventing /usr/libexec/gdm-session-worker "getattr" access on /tm...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:201f873b5eb...
Depends On:
Blocks:
 
Reported: 2009-10-13 18:13 UTC by Christian Kujau
Modified: 2009-10-18 17:08 UTC (History)
3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-15 19:36:40 UTC
Type: ---
Embargoed:



Description Christian Kujau 2009-10-13 18:13:08 UTC
Summary:

SELinux is preventing /usr/libexec/gdm-session-worker "getattr" access on
/tmp/.X11-unix/X0.

Detailed Description:

[gdm-session-wor has a permissive type (xdm_t). This access was not denied.]

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                /tmp/.X11-unix/X0 [ sock_file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-2.28.0-9.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-24.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.x86_64
                              #1 SMP Tue Sep 29 16:16:22 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 13 Oct 2009 10:46:35 AM PDT
Last Seen                     Tue 13 Oct 2009 10:51:47 AM PDT
Local ID                      81e55d18-7674-43da-9fac-40c4a97279c1
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1255456307.387:2358): avc:  denied  { getattr } for  pid=9518 comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=tmpfs ino=43023 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=sock_file

node=(removed) type=SYSCALL msg=audit(1255456307.387:2358): arch=c000003e syscall=6 success=yes exit=0 a0=7fff3d45ca80 a1=7fff3d45c9b0 a2=7fff3d45c9b0 a3=3fb items=0 ppid=8248 pid=9518 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  selinux-policy-3.6.32-24.fc12,catchall,gdm-session-wor,xdm_t,root_t,sock_file,getattr
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t root_t:sock_file getattr;

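As an added example, not part of this bug report and not code from setroubleshoot or audit2allow: a small Python triage script that parses the two raw audit records quoted above, pairs the AVC record with its SYSCALL record by audit serial number, derives the rule audit2allow prints, and reports whether the access was actually blocked (here the SYSCALL record shows success=yes, consistent with the note that xdm_t was a permissive type). It also encodes the diagnosis Daniel Walsh gives in Comment 4 as a heuristic: a target type of root_t (or unlabeled_t) on an object under a mount point such as /tmp points to a mislabeled filesystem, where restorecon is the fix rather than a local policy module. The MISLABEL_TYPES set and the "first path component is the mount point" guess are assumptions of this example, not policy facts.

```python
"""Triage an SELinux AVC denial from raw audit records.

Added example for this bug page; not setroubleshoot or audit2allow code.
"""
import re
from dataclasses import dataclass
from typing import Dict

# Constructed input: the two raw audit records quoted in the report above.
SAMPLE_LOG = """\
node=(removed) type=AVC msg=audit(1255456307.387:2358): avc:  denied  { getattr } for  pid=9518 comm="gdm-session-wor" path="/tmp/.X11-unix/X0" dev=tmpfs ino=43023 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=sock_file
node=(removed) type=SYSCALL msg=audit(1255456307.387:2358): arch=c000003e syscall=6 success=yes exit=0 a0=7fff3d45ca80 a1=7fff3d45c9b0 a2=7fff3d45c9b0 a3=3fb items=0 ppid=8248 pid=9518 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=5 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

# Assumption for this example: these types on an object below a mount point mean the
# filesystem was never labeled (the object inherited / or has no label), not a policy gap.
MISLABEL_TYPES = {'root_t', 'unlabeled_t'}


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type.  The MLS range may itself contain ':'."""
    return ctx.split(':', 3)[2]


def parse_kv(text: str) -> Dict[str, str]:
    return {k: (q if q else u) for k, q, u in KV_RE.findall(text)}


def parse_records(log: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group records by audit serial: {serial: {'AVC': {...}, 'SYSCALL': {...}}}."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in log.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        if m.group('type') == 'AVC':
            a = AVC_RE.search(m.group('body'))
            if not a:
                continue
            fields = parse_kv(a.group('rest'))
            fields['decision'] = a.group('decision')
            fields['perms'] = a.group('perms')
        else:
            fields = parse_kv(m.group('body'))
        events.setdefault(m.group('serial'), {})[m.group('type')] = fields
    return events


def audit2allow_rule(avc: Dict[str, str]) -> str:
    """The allow rule audit2allow would emit for one AVC record."""
    perms = avc['perms'].split()
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (context_type(avc['scontext']),
                                   context_type(avc['tcontext']),
                                   avc['tclass'], perm_str)


@dataclass
class Triage:
    rule: str        # what audit2allow would suggest
    enforced: bool   # False when the paired SYSCALL shows success=yes (permissive domain)
    verdict: str     # 'mislabel' or 'policy-gap'
    fix: str         # the command a practitioner should reach for


def triage(events: Dict[str, Dict[str, Dict[str, str]]], serial: str) -> Triage:
    ev = events[serial]
    avc = ev['AVC']
    syscall = ev.get('SYSCALL', {})
    # An AVC is logged as "denied" even for a permissive domain; only the SYSCALL
    # record tells you whether the operation actually went through.
    enforced = syscall.get('success') != 'yes'
    ttype = context_type(avc['tcontext'])
    path = avc.get('path', '')
    if ttype in MISLABEL_TYPES and path not in ('', '/'):
        # Assumption: the first path component is the mount point to relabel.
        mount = '/' + path.lstrip('/').split('/', 1)[0]
        verdict = 'mislabel'
        fix = 'restorecon -R -v %s   # or: touch /.autorelabel; reboot' % mount
    else:
        verdict = 'policy-gap'
        fix = 'audit2allow -M local < /var/log/audit/audit.log && semodule -i local.pp'
    return Triage(audit2allow_rule(avc), enforced, verdict, fix)


if __name__ == '__main__':
    evs = parse_records(SAMPLE_LOG)
    for serial in evs:
        print(serial, triage(evs, serial))
```

For the records above the script classifies the event as a mislabel and points at `restorecon -R -v /tmp`, the same advice given later in the thread, instead of the `allow xdm_t root_t:sock_file getattr;` rule that audit2allow prints; loading that rule would paper over a root_t label that should not exist under /tmp at all.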
Comment 1 Christian Kujau 2009-10-13 18:18:10 UTC
I'm using tmpfs for /tmp (I don't have a spare partition I could encrypt, but I don't want tmp files on my disk either) and I think this is causing this "error".

* /etc/fstab
tmpfs                   /tmp                tmpfs   nosuid              0 0

* /proc/mounts

tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0

Comment 2 Daniel Walsh 2009-10-15 19:36:40 UTC
You seem to have a badly mislabeled system

touch /.autorelabel; reboot

Should clean it up.

Reopen if this bug persists.

Comment 3 Christian Kujau 2009-10-15 21:10:10 UTC
Hi Daniel,

care to elaborate a bit on the "mislabeling process"? This is a freshly installed system, not much has been configured yet (apart from /tmp being mounted as tmpfs), I wonder what caused the system to be "mislabeled".

I'll try your workaround as soon as I get access to the system again.

Thanks!

Comment 4 Daniel Walsh 2009-10-15 21:20:35 UTC
Actually what is the label on /tmp?

ls -LZ /tmp

It should be tmp_t and not root_t

restorecon -R -v /tmp

Should fix.

Comment 5 Christian Kujau 2009-10-18 01:49:27 UTC
Hm, the error message does not occur any more (it did occur as a notification window for the first few logins to Gnome), but from the /proc/mounts entry above I see:

tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0

Now I see:

----------------------------------------------------------
# ls -LZ /tmp
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 keyring-6XBMYu
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 orbit-christian
drwx------. gdm       gdm       system_u:object_r:xdm_tmp_t:s0   orbit-gdm
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 pulse-8h57TbygR0Pe
drwx------. gdm       gdm       system_u:object_r:xdm_tmp_t:s0   pulse-PKdhtXMmr18n
drwx------. christian christian unconfined_u:object_r:user_tmp_t:s0 virtual-christian.Zo5wWn

# ls -LZd /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp

# grep /tmp /proc/mounts 
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
----------------------------------------------------------

Since the error is gone, I do not feel the need to relabel anything. I was just reporting this thingy, because SELinux told me to. Maybe this can be documented as a "known issue when /tmp is a tmpfs". Or maybe not, because it's a far too exotic configuration (is it?).

Thanks,
Christian.

Comment 6 Daniel Walsh 2009-10-18 17:08:45 UTC
I have no idea why it happened at all.  I always use /tmp as a tmpfs and have not seen the problem.