Bug 552885 - SELinux blocks LXDM
SELinux blocks LXDM
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
12
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:101a235a762...
:
Depends On:
Blocks: LXDE
  Show dependency treegraph
 
Reported: 2010-01-06 08:10 EST by Christoph Wickert
Modified: 2010-03-05 10:11 EST (History)
4 users (show)

See Also:
Fixed In Version: 3.6.32-84.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-02-11 09:40:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christoph Wickert 2010-01-06 08:10:22 EST
Zusammenfassung:

SELinux is preventing /usr/libexec/rtkit-daemon "setsched" access.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by rtkit-daemon. It is not expected that this
access is required by rtkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023
Zielkontext                   system_u:system_r:initrc_t:s0
Zielobjekte                   None [ process ]
Quelle                        rtkit-daemon
Quellen-Pfad                  /usr/libexec/rtkit-daemon
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            rtkit-0.4-1.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-59.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux (removed) 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Mi 06 Jan 2010 13:58:38 CET
Zuletzt gesehen               Mi 06 Jan 2010 14:04:21 CET
Lokale ID                     c386a492-7a11-4e9d-b592-c625bee66881
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1262783061.90:76): avc:  denied  { setsched } for  pid=2004 comm="rtkit-daemon" scontext=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process

node=(removed) type=SYSCALL msg=audit(1262783061.90:76): arch=c000003e syscall=144 success=yes exit=0 a0=22df a1=40000002 a2=7fff21071130 a3=3e items=0 ppid=1 pid=2004 auid=4294967295 uid=490 gid=479 euid=490 suid=490 fsuid=490 egid=479 sgid=479 fsgid=479 tty=(none) ses=4294967295 comm="rtkit-daemon" exe="/usr/libexec/rtkit-daemon" subj=system_u:system_r:rtkit_daemon_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-59.fc12,catchall,rtkit-daemon,rtkit_daemon_t,initrc_t,process,setsched
audit2allow suggests:
audit2allow is not installed.
Comment 1 Christoph Wickert 2010-01-06 08:17:02 EST
This happens whenever I log in with lxdm.

How reproducible:
always

Steps to Reproduce:
1. yum install lxdm
2. echo "DISPLAYMANAGER=/usr/bin/lxdm" >> /etc/sysconfig/desktop
3. init 3 && init 5
4. log in

Actual results:
2 SELinux denials (attaching the other one)
Comment 2 Christoph Wickert 2010-01-06 08:18:06 EST
SELinux denied access requested by restorecond. It is not expected that this
access is required by restorecond and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:restorecond_t:s0
Zielkontext                   system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Zielobjekte                    [ unix_stream_socket ]
Quelle                        restorecond
Quellen-Pfad                  /usr/sbin/restorecond
Port                          <Unbekannt>
Host                          wicktop.localdomain
Quellen-RPM-Pakete            policycoreutils-2.0.78-3.fc12
Ziel-RPM-Pakete               filesystem-2.4.30-2.fc12
RPM-Richtlinie                selinux-policy-3.6.32-59.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.31.9-174.fc12.x86_64
                              #1 SMP Mon Dec 21 05:33:33 UTC 2009 x86_64 x86_64
Anzahl der Alarme             1
Zuerst gesehen                Mi 06 Jan 2010 13:58:39 CET
Zuletzt gesehen               Mi 06 Jan 2010 13:58:39 CET
Lokale ID                     814d793d-5e37-45ed-b553-5f5617bb6f2b
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1262782719.998:55): avc:  denied  { connectto } for  pid=8358 comm="restorecond" path=002F746D702F646275732D6E356B5167436B453150 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=wicktop.localdomain type=SYSCALL msg=audit(1262782719.998:55): arch=c000003e syscall=42 success=yes exit=4294967424 a0=4 a1=7fff919d9d10 a2=17 a3=7fff919d9a90 items=0 ppid=1 pid=8358 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
Comment 3 Daniel Walsh 2010-01-06 08:35:48 EST
This looks like you are logging in with a context of initrc_t, which is causing all of your problems.

Are you using gdm or kdm to login?  If so you must have a badly labeled system, since the login programs should be running under a different context.

ps -eZ | grep gdm
Comment 4 Christoph Wickert 2010-01-06 09:42:21 EST
(In reply to comment #3)
> Are you using gdm or kdm to login?  

As I wrote in my report I'm using lxdm, the login manager of LXDE. ;)

> If so you must have a badly labeled system,
> since the login programs should be running under a different context.

Oops, after the slim bug I filed I should have been smart enough to find this out myself. I was able to get rid of the messages by applying the following changes:

1. Changed /usr/bin/lxdm and /usr/bin/lxdm-binary from bin_t to xdm_exec_t. (lxdm is just a wrapper that calls lxdm-binary with the proper options, similar to gdm and gdm-binary)
2. Changed /var/run/lxdm.pid from var_run_t to xdm_var_run_t
3. Changed /var/log/lxdm.log from var_log_t to xdm_log_t

After that I got *lots* of errors regarding my homedir, but these disappeared after adding pam_selinux.so to /etc/pam.d/lxdm. I will push these changes in a lxdm update later today.

Now I still get three denials from lxdm:      

SELinux is preventing /usr/bin/lxdm-greeter-gtk "read" access on
/root/.config/ibus/bus/0eb097b761e479c84c90dae54a345666-unix-0.

[...]

node=wicktop.localdomain type=AVC msg=audit(1262786988.461:29160): avc:  denied  { read } for  pid=2770 comm="lxdm-greeter-gt" name="0eb097b761e479c84c90dae54a345666-unix-0" dev=dm-0 ino=667899 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1262786988.461:29160): avc:  denied  { open } for  pid=2770 comm="lxdm-greeter-gt" name="0eb097b761e479c84c90dae54a345666-unix-0" dev=dm-0 ino=667899 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1262786988.461:29160): arch=c000003e syscall=2 success=yes exit=4294967424 a0=1cce510 a1=0 a2=1b6 a3=0 items=0 ppid=1934 pid=2770 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-greeter-gt" exe="/usr/bin/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


SELinux is preventing /usr/bin/lxdm-greeter-gtk "getattr" access on
/root/.config/ibus/bus/0eb097b761e479c84c90dae54a345666-unix-0.

[similar to "read" above]

I guess for these two I will need to set up a lxdm user with a home of his own, so that lxdm doesn't run as root, right?


SELinux is preventing /usr/bin/lxdm-binary "relabelfrom" access on tty1.

[...]

node=wicktop.localdomain type=AVC msg=audit(1262787012.120:29165): avc:  denied  { relabelfrom } for  pid=1934 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2245 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=AVC msg=audit(1262787012.120:29165): avc:  denied  { relabelto } for  pid=1934 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2245 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1262787012.120:29165): arch=c000003e syscall=188 success=yes exit=0 a0=7fff1bcc1d10 a1=3c85e15649 a2=1829030 a3=2b items=0 ppid=1 pid=1934 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=500 fsgid=0 tty=(none) ses=2 comm="lxdm-binary" exe="/usr/bin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


I don't know what to do with this one. And is there anything else that needed to make lxdm work properly? I guess we have covered the important bits.

# rpm -ql lxdm
/etc/lxdm
/etc/lxdm/Xsession
/etc/lxdm/lxdm.conf
/etc/lxdm/xinitrc
/etc/pam.d/lxdm
/usr/bin/lxdm
/usr/bin/lxdm-binary
/usr/bin/lxdm-greeter-gtk
/usr/share/doc/lxdm-0.0.3
[...]
/usr/share/locale/de/LC_MESSAGES/lxdm.mo
[...]
/usr/share/lxdm
/usr/share/lxdm/lxdm.glade
/var/log/lxdm.log
/var/run/lxdm.pid
Comment 5 Daniel Walsh 2010-01-06 10:55:20 EST
rm -rf /root/.config

Will eliminate the AVC about using .config, I believe.  This was caused by a previous login to root via X.  (I think)

Not sure what is causing the relable of the tty_device_t avc.
How are you handling the xauth files?

Miroslav add to xserver.fc

/usr/bin/lxdm				gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/lxdm-binary			gen_context(system_u:object_r:xdm_exec_t,s0)

/var/log/lxdm\.log.*	--	gen_context(system_u:object_r:xdm_log_t,s0)

/var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
Comment 6 Miroslav Grepl 2010-01-08 08:50:27 EST
Added to selinux-policy-3.6.32-68.fc12.noarch
Comment 7 Karel Volný 2010-01-26 11:03:14 EST
I'm afraid the latest changes related to this bug introduced a regression ... I can't login via lxdm with selinux enforcing now (after update to selinux-policy-3.6.32-69.fc12.noarch from selinux-policy-3.6.32-66.fc12.noarch)

there are messages like those below (oh, and btw, how does it come that it is in dmesg and not audit.log? - I have to investigate further)

type=1401 audit(1264520328.747:5): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
eth0: no IPv6 routers present
type=1400 audit(1264520499.986:6): avc:  denied  { signull } for  pid=1200 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process
type=1401 audit(1264520500.026:7): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
type=1400 audit(1264520510.109:8): avc:  denied  { signull } for  pid=1200 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process
type=1401 audit(1264520510.130:9): security_compute_sid:  invalid context system_u:system_r:xauth_t:s0-s0:c0.c1023 for scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=process
Comment 8 Daniel Walsh 2010-01-27 10:12:08 EST
What process is running as system_u:system_r:unconfined_t?

Is lxdm running as xdm_t?  Is lxdm using pam_selinux in its pam stack?
Comment 9 Christoph Wickert 2010-01-27 10:26:07 EST
Yes, at least in 0.1.0-0.1. Karel, please try the version from 
https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381
Comment 10 Karel Volný 2010-01-28 06:07:45 EST
(In reply to comment #9)
> Yes, at least in 0.1.0-0.1. Karel, please try the version from 
> https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381    

I've got lxdm-0.1.0-0.1.fc12.i686 already installed, and it worked for me before the last upgrade ... I see there are some selinux updates today, going to reboot to try again
Comment 11 Christoph Wickert 2010-01-29 09:07:36 EST
@Miroslav and Daniel:
The latest version of LXDM also has an auth file. I guess /var/run/lxdm.auth needs to be labeled xauth_t because now I get:

SELinux is preventing /usr/bin/xauth "write" access on /var/run.
SELinux is preventing /usr/bin/xauth "link" access on lxdm.auth-c.
SELinux is preventing /usr/bin/xauth "getattr" access on /var/run/lxdm.auth-n.
SELinux is preventing /usr/bin/xauth "remove_name" access on lxdm.auth-n.
Comment 12 Daniel Walsh 2010-01-29 09:37:41 EST
It probably would be better to move these /var/run files into their own director owned by lxdm package.

/var/run/lxdm/

Miroslav can you add 

var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/*.)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
Comment 13 Christoph Wickert 2010-01-29 09:40:50 EST
(In reply to comment #12)
> It probably would be better to move these /var/run files into their own
> director owned by lxdm package.
> 
> /var/run/lxdm/

Yeah, guessed that since we already had the same with SLIM. I will talk to upstream about that.
Comment 14 Miroslav Grepl 2010-02-01 08:58:24 EST
> 
> Miroslav can you add 
> 
> var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
> /var/run/lxdm(/*.)?  gen_context(system_u:object_r:xdm_var_run_t,s0)    

Added to selinux-policy-3.6.32-80.fc12.
Comment 15 Fedora Update System 2010-02-03 18:18:21 EST
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
Comment 16 Fedora Update System 2010-02-04 20:42:46 EST
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
Comment 17 Fedora Update System 2010-02-11 09:35:27 EST
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Karel Volný 2010-03-05 10:11:21 EST
verified, it works now with selinux-policy-3.6.32-92.fc12 and lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 - thanks!

(and sorry for not responding on this bug earlier)

Note You need to log in before you can comment on or make changes to this bug.