Bug 564320 - can't login via lxdm with selinux enforcing
can't login via lxdm with selinux enforcing
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-02-12 07:34 EST by Karel Volný
Modified: 2013-01-10 00:42 EST (History)
8 users (show)

See Also:
Fixed In Version: lxdm-0.2.0-4.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-18 19:35:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Karel Volný 2010-02-12 07:34:07 EST
Description of problem:
If I try to login via lxdm, it does not work and after entering the password I get back to enter the username.
Turning off selinux via setenforce 0 and restarting lxdm (e.g. via init 3, init 5) helps the problem, I can login without any problem then.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.32-84.fc12.noarch

How reproducible:
always

Steps to Reproduce:
1. install "minimal" system with LXDE
2. try to login
  
Actual results:
type=1400 audit(1265975890.633:13538): avc:  denied  { signull } for  pid=1347 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=process

Expected results:
no errors, user can login

Additional info:
I thought this is a consequence of bug #552885. But the latest selinux-policy did not fix the issue.
Comment 1 Daniel Walsh 2010-02-12 10:08:04 EST
Do you have pam_selinux in the lxdm pam stack?
Comment 2 Daniel Walsh 2010-02-12 10:09:35 EST
Miroslav add

allow xdm_t xserver_t:process { signal signull };

to F12 policy.
Comment 3 Miroslav Grepl 2010-02-12 10:54:21 EST
Fixed in selinux-policy-3.6.32-90.fc12
Comment 4 Christoph Wickert 2010-02-12 13:25:27 EST
Karel, are you using the lxdm version from updates-testing as mentioned in bug 552885? Somehow it's stuck in the updates system, status is "pending" for two weeks now.
Please try https://admin.fedoraproject.org/updates/F12/FEDORA-2010-0381

(In reply to comment #1)
> Do you have pam_selinux in the lxdm pam stack?    

Yes, we already had this in bug 552885.
Comment 5 Anonymous account 2010-02-15 22:57:37 EST
(In reply to comment #4)
> Karel, are you using the lxdm version from updates-testing as mentioned in bug
> 552885? Somehow it's stuck in the updates system, status is "pending" for two
> weeks now.   

This bug has been driving me crazy for awhile now but I haven't had time (or courage, maybe!) to test out the above fix.  I'm curious, why is it "stuck" and how do you "unstick" it?
Comment 6 Christoph Wickert 2010-02-16 03:13:24 EST
Please don't ask me, I don't know because I didn't write bodhi. The update is literally stuck between updates-testing and stable, this means it doesn't get pushed on the regular pushes although it should. I have no idea if there is a way to manually push the updates and I will ask rel-eng to do this.

Until then, please download the package manually and install it. It's just a few clicks, nothing will break.
Comment 7 Christoph Wickert 2010-02-19 06:56:43 EST
Dan, Miroslav, things have changed in lxdm 0.2.0 (not yet built):
lxdm and lxdm-binary were moved to sbindir. Please adjust the policy as follows:

$ ls -Z /usr/sbin/lxdm*
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/sbin/lxdm
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/sbin/lxdm-binary

With these changes one alert remains:

SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1.

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:tty_device_t:s0
Zielobjekte                   tty1 [ chr_file ]
Quelle                        lxdm-binary
Quellen-Pfad                  /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Quellen-RPM-Pakete            lxdm-0.2.0-0.1.gite3afbb576.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-84.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      wicktop.localdomain
Anzahl der Alarme             2
Zuerst gesehen                Fr 19 Feb 2010 12:46:36 CET
Zuletzt gesehen               Fr 19 Feb 2010 12:46:36 CET
Lokale ID                     70aa338a-5c32-462d-b3d6-c127fdc6d4c4
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1266579996.892:13): avc:  denied  { relabelfrom } for  pid=1998 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2301 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=AVC msg=audit(1266579996.892:13): avc:  denied  { relabelto } for  pid=1998 comm="lxdm-binary" name="tty1" dev=tmpfs ino=2301 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1266579996.892:13): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe2afe560 a1=3d22815689 a2=13fc8c0 a3=2b items=0 ppid=1 pid=1998 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 8 Daniel Walsh 2010-02-19 07:24:07 EST
Why is lxdm not using pseudo devices?  It seems to be taking the "physical" device tty1 and relabeling it to a user_tty_device_t.  local login does this but I have never seen gdm or kdm do this?

Miroslav, make the /usr/bin->/usr/sbin changes

usr/(s)?bin/lxdm				gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm-binary			gen_context(system_u:object_r:xdm_exec_t,s0)
Comment 9 Christoph Wickert 2010-02-19 08:19:41 EST
What are "pseudo" devices in this case?
Comment 10 Daniel Walsh 2010-02-19 08:31:45 EST
/dev/pts/0
Comment 11 dgod.osa 2010-02-23 07:52:04 EST
hi, I don't know selinux well, but to this bug, what operation will cause relable, as my lxdm code really don't do any thing about selinux, it's a little strage to me.
Comment 12 dgod.osa 2010-02-23 07:55:26 EST
as lxdm it self not do the relabel, is it possible that, pam or consolekit do it?
Comment 13 Daniel Walsh 2010-02-23 09:09:24 EST
Yes lxdm does the relabel.
Comment 14 dgod.osa 2010-02-23 10:07:41 EST
what system call or operation will relabel tty?
Comment 15 Daniel Walsh 2010-02-23 11:24:38 EST
pam_selinux is handed a tty and it attempts to relabel it.  In this case it is being handed the physical console rather then a pseudo terminal.  Which I think is wrong.  But I can make the change if this is the correct behaviour.
Comment 16 dgod.osa 2010-02-23 11:32:46 EST
I think use tty is correct, lxdm use it for vt switch.
Can just remove pam_selinux.so from pam config a solution?
Comment 17 Daniel Walsh 2010-02-23 12:04:05 EST
No because this is needed for SELinux.
Comment 18 Daniel Walsh 2010-02-23 12:06:55 EST
Miroslav add

term_relabel_all_ttys(xdm_t)
Comment 19 Miroslav Grepl 2010-02-23 12:32:22 EST
Fixed in selinux-policy-3.6.32-92.fc12
Comment 20 Fedora Update System 2010-02-23 15:55:38 EST
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
Comment 21 Fedora Update System 2010-02-25 22:42:15 EST
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
Comment 22 Fedora Update System 2010-03-02 21:31:42 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc13
Comment 23 Fedora Update System 2010-03-02 21:32:15 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc12
Comment 24 Fedora Update System 2010-03-02 21:33:15 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/lxdm-0.1.1-0.1.20100303gite4f7b39.fc11
Comment 25 Fedora Update System 2010-03-03 03:16:59 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F13/FEDORA-2010-3515
Comment 26 Fedora Update System 2010-03-03 19:05:39 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-3534
Comment 27 Fedora Update System 2010-03-03 19:05:56 EST
lxdm-0.1.1-0.1.20100303gite4f7b39.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-3535
Comment 28 Fedora Update System 2010-03-03 19:11:01 EST
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Frank Murphy 2010-03-14 09:42:42 EDT
I cannot login using lxdm live-boot on F13 nightly build:
lxde-x86_64-20100312.22.iso

keeps looping user<>password
 this is with setenforce=0 as kernel argument.

only "telinit 3" allows login as root or liveuser,
then type startx.
Comment 30 Daniel Walsh 2010-03-14 22:50:44 EDT
Report this as a lxdm bug not an SELinux problem.
Comment 31 Christoph Wickert 2010-03-15 04:59:42 EDT
Frank, if it happens with setenforce=0, it cannot be a SELinux problem. Please file a new bug against LXDM. if you see any SELinux alerts, please reopen this bug and attach them here. And please don't forget to mention what version of the components you are using.
Comment 32 Fedora Update System 2010-03-23 19:23:51 EDT
lxdm-0.1.1-0.2.20100303gite4f7b39.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Christoph Wickert 2010-04-05 16:32:25 EDT
(In reply to comment #18)
> Miroslav add
> 
> term_relabel_all_ttys(xdm_t)    

Was this really added? I still see the "relabelfrom" error on login and the "relabelto" one after logout.

$ rpm -q selinux-policy lxdm
selinux-policy-3.6.32-106.fc12.noarch
lxdm-0.2.0-0.2.20100405gitd65ce94.fc12.x86_64
Comment 34 Daniel Walsh 2010-04-06 08:54:04 EDT
Chris please show the latest avc messages.
Comment 35 Christoph Wickert 2010-04-06 09:31:23 EDT
Zusammenfassung:

SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-binary. It is not expected that this
access is required by lxdm-binary and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:tty_device_t:s0
Zielobjekte                   tty1 [ chr_file ]
Quelle                        lxdm-binary
Quellpfad                     /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-0.2.20100405gitd65ce94.fc12
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.6.32-106.fc12
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.32.10-90.fc12.x86_64
                              #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Anzahl der Alarme             6
Zuerst gesehen                Mo 05 Apr 2010 22:26:45 CEST
Zuletzt gesehen               Di 06 Apr 2010 10:44:02 CEST
Lokale ID                     b194f7a6-31e9-46d8-9b7c-e71defb8727f
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1270543442.589:25): avc:  denied  { relabelfrom } for  pid=4071 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1270543442.589:25): arch=c000003e syscall=188 success=yes exit=0 a0=7fff6c09fa20 a1=3e6a615669 a2=1aecf50 a3=2b items=0 ppid=1 pid=4071 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux is preventing /usr/sbin/lxdm-binary "relabelto" access on tty1.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-binary. It is not expected that this
access is required by lxdm-binary and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:tty_device_t:s0
Zielobjekte                   tty1 [ chr_file ]
Quelle                        lxdm-binary
Quellpfad                     /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-0.2.20100405gitd65ce94.fc12
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.6.32-106.fc12
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.32.10-90.fc12.x86_64
                              #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                Di 06 Apr 2010 01:31:02 CEST
Zuletzt gesehen               Di 06 Apr 2010 01:32:12 CEST
Lokale ID                     d4eac8d3-a7d4-4795-9142-0ce614a2bd3b
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1270510332.22:756): avc:  denied  { relabelto } for  pid=22400 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1270510332.22:756): arch=c000003e syscall=188 success=yes exit=0 a0=7fff0d0a71b0 a1=3e6a615669 a2=11dd780 a3=22 items=0 ppid=1 pid=22400 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=23 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 36 Miroslav Grepl 2010-04-08 06:46:15 EDT
Dan,

term_relabel_unallocated_ttys(xdm_t)

is needed.
Comment 37 Daniel Walsh 2010-04-08 08:55:24 EDT
Yes I have this in F13.
Comment 38 Miroslav Grepl 2010-04-08 09:07:19 EDT
Fixed in selinux-policy-3.6.32-110.fc12
Comment 39 Fedora Update System 2010-04-08 21:39:48 EDT
lxdm-0.2.0-0.2.20100405gitd65ce94.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-0.2.20100405gitd65ce94.fc12
Comment 40 Fedora Update System 2010-04-09 09:26:16 EDT
selinux-policy-3.6.32-110.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
Comment 41 Fedora Update System 2010-04-10 06:31:10 EDT
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-110.fc12
Comment 42 Fedora Update System 2010-04-20 09:19:41 EDT
selinux-policy-3.6.32-110.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 43 Michael Monreal 2010-05-02 06:16:28 EDT
What about F13? I installed a F13 system yesterday and yum update'd it, still I was not able to use lxdm until selinux was disabled.
Comment 44 Christoph Wickert 2010-05-02 06:51:24 EDT
This should be fixed long ago, at least I was told so three times now. Let me test...
Comment 45 Christoph Wickert 2010-05-02 09:58:55 EDT
Confirmed, it's still not working in enforcing more, on the other hand I get no alerts if I try in permissive mode. Dan, Miroslav, any ideas how to further debug this?

After trying in enforcing mode, I see the flowing 2 alerts:

Zusammenfassung:

SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf
/root/.config/ibus/bus.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.

Zugriff erlauben:

Beschränkte Prozesse können so konfiguriert werden, dass sie mit
unterschiedlichen Zugriffen laufen, SELinux stellt Booleans zur Verfügung, mit
deren Hilfe Sie den Zugriff bei Bedarf ein- und ausschalten können. Der
boolesche Wert allow_polyinstantiation ist ungültig gesetzt.
Boolesche Beschreibung:
Enable polyinstantiated directory support.<br

Befehl berichtigen:

# setsebool -P allow_polyinstantiation 1

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:config_home_t:s0
Zielobjekte                   /root/.config/ibus/bus [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-6.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall_boolean
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                So 02 Mai 2010 15:36:13 CEST
Zuletzt gesehen               So 02 Mai 2010 15:39:38 CEST
Lokale ID                     20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1272807578.109:23): avc:  denied  { setattr } for  pid=3610 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir

node=wicktop.localdomain type=SYSCALL msg=audit(1272807578.109:23): arch=c000003e syscall=90 success=yes exit=0 a0=22b5e50 a1=1c0 a2=22b5fd0 a3=7fffa7fc2d60 items=0 ppid=3591 pid=3610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf
/root/.config/ibus/bus.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.

Zugriff erlauben:

Beschränkte Prozesse können so konfiguriert werden, dass sie mit
unterschiedlichen Zugriffen laufen, SELinux stellt Booleans zur Verfügung, mit
deren Hilfe Sie den Zugriff bei Bedarf ein- und ausschalten können. Der
boolesche Wert allow_polyinstantiation ist ungültig gesetzt.
Boolesche Beschreibung:
Enable polyinstantiated directory support.<br

Befehl berichtigen:

# setsebool -P allow_polyinstantiation 1

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:config_home_t:s0
Zielobjekte                   /root/.config/ibus/bus [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-6.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall_boolean
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                So 02 Mai 2010 15:36:13 CEST
Zuletzt gesehen               So 02 Mai 2010 15:39:38 CEST
Lokale ID                     20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1272807578.109:23): avc:  denied  { setattr } for  pid=3610 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir

node=wicktop.localdomain type=SYSCALL msg=audit(1272807578.109:23): arch=c000003e syscall=90 success=yes exit=0 a0=22b5e50 a1=1c0 a2=22b5fd0 a3=7fffa7fc2d60 items=0 ppid=3591 pid=3610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 46 Daniel Walsh 2010-05-03 14:27:20 EDT
Are you logging in as root?
Comment 47 Christoph Wickert 2010-05-03 15:32:21 EDT
No, root login is disabled as in GDM. I guess this is from LXDM itself.

I found something interesting in /var/log/messages:

May  2 15:36:18 wicktop setroubleshoot: SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf /root/.config/ibus/bus. For complete SELinux messages. run sealert -l 20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
May  2 15:36:58 wicktop dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?

This might explain why we are not seeing another denial in sealert.

And two more denials:


Zusammenfassung:

SELinux verhindert /usr/sbin/lxdm-binary "signull" Zugriff .

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Zielobjekte                   None [ process ]
Quelle                        lxdm-binary
Quellpfad                     /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Host                          (entfernt)
RPM-Pakete der Quelle         lxdm-0.2.0-0.3.20100405gitd65ce94.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-6.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   (entfernt)
Plattform                     Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme             1
Zuerst gesehen                Mo 03 Mai 2010 01:31:01 CEST
Zuletzt gesehen               Mo 03 Mai 2010 01:31:01 CEST
Lokale ID                     5fb018a6-2ca4-47d1-baa4-7bb74c3cedec
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1272843061.67:168): avc:  denied  { signull } for  pid=3584 comm="lxdm-binary" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=wicktop.localdomain type=SYSCALL msg=audit(1272843061.67:168): arch=c000003e syscall=62 success=yes exit=0 a0=e6b a1=0 a2=360ad82330 a3=1 items=0 ppid=1 pid=3584 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /bin/bash "open" Zugriff on console.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:ksmtuned_t:s0
Zielkontext                   system_u:object_r:console_device_t:s0
Zielobjekte                   console [ chr_file ]
Quelle                        ksmtuned
Quellpfad                     /bin/bash
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         bash-4.1.2-4.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-6.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.2-57.fc13.x86_64
                              #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Anzahl der Alarme             11
Zuerst gesehen                So 02 Mai 2010 15:39:33 CEST
Zuletzt gesehen               Mo 03 Mai 2010 19:34:55 CEST
Lokale ID                     a59d8195-6820-472c-b54f-e68919a463f9
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1272908095.277:22): avc:  denied  { open } for  pid=3541 comm="ksmtuned" name="console" dev=devtmpfs ino=5511 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1272908095.277:22): arch=c000003e syscall=2 success=yes exit=3 a0=cea010 a1=802 a2=c a3=1000 items=0 ppid=3540 pid=3541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null)
Comment 48 Daniel Walsh 2010-05-04 10:24:39 EDT
the ksmtuned and dbus messages are unrelated.

ksmtuned is fixed in the latest policy.

I will add the signull rule.

If you add that rule does login work in enforcing mode?

# grep signull /var/log/audit/audit.log | audit2allow -M myxdm
# semodule -i myxdm.pp
Comment 49 Daniel Walsh 2010-05-04 10:54:35 EDT
On my machine it is trying to read /etc/shadow directly and failing.  How does one setup lxdm to use pam?
Comment 50 Christoph Wickert 2010-05-05 19:02:57 EDT
(In reply to comment #48)
> I will add the signull rule.
> 
> If you add that rule does login work in enforcing mode?

Doesn't work. I have built 0.2.0 final with a patch from upstream that makes lxdm use pam instead of reading /etc/shadow. Still no luck.

These are the denials I get:


Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.

Zugriff erlauben:

Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu
erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Bitte reichen Sie einen Fehlerbericht ein.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   /etc/lxdm [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          (entfernt)
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          lxdm-0.2.0-1.fc13
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   (entfernt)
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             8
Zuerst gesehen                Do 06 Mai 2010 00:18:57 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     a6a15dd5-f554-4a09-806b-a8bff4c16f5f
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { add_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { create } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on
lxdm.conf.PEGHCV.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux verweigerte den von lxdm-greeter-gt angeforderten Zugriff. Da nicht
davon ausgegangen wird, dass dieser Zugriff von lxdm-greeter-gt benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.

Zugriff erlauben:

Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu
erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Bitte reichen Sie einen Fehlerbericht ein.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   lxdm.conf.PEGHCV [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             6
Zuerst gesehen                Do 06 Mai 2010 00:18:58 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { remove_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { rename } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { unlink } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /bin/bash "open" Zugriff on console.

Detaillierte Beschreibung:

[SELinux ist in freizügigem Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux verweigerte den von ksmtuned angeforderten Zugriff. Da nicht davon
ausgegangen wird, dass dieser Zugriff von ksmtuned benötigt wird, signalisiert
dies möglicherweise einen Einbruchsversuch. Es ist ausserdem möglich, dass
diese spezielle Version oder Konfiguration der Anwendung den zusätzlichen
Zugriff verursacht.

Zugriff erlauben:

Sie können ein lokales Richtlininenmodul generieren, um diesen Zugriff zu
erlauben siehe FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Bitte reichen Sie einen Fehlerbericht ein.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:ksmtuned_t:s0
Zielkontext                   system_u:object_r:console_device_t:s0
Zielobjekte                   console [ chr_file ]
Quelle                        ksmtuned
Quellpfad                     /bin/bash
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         bash-4.1.2-4.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             19
Zuerst gesehen                So 02 Mai 2010 15:39:33 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:40:55 CEST
Lokale ID                     a59d8195-6820-472c-b54f-e68919a463f9
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273099255.979:22): avc:  denied  { open } for  pid=3599 comm="ksmtuned" name="console" dev=devtmpfs ino=5459 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1273099255.979:22): arch=c000003e syscall=2 success=yes exit=3 a0=bbd010 a1=802 a2=c a3=1000 items=0 ppid=3598 pid=3599 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null)


Dgod, why is lxdm trying to *write* files in /etc/lxdm? Shouldn't his take place in /var/ somewhere?
Comment 51 dgod.osa 2010-05-05 21:26:32 EDT
the write to /etc fail should not affect the login. I found file at /var/run will cleaned after reboot. maybe /var/lib is a good position, change the greetr.c to what it should be.
#ifndef VCONFIG_FILE
#define VCONFIG_FILE "/etc/lxdm/lxdm.conf"
#endif

to make less log, you can test lxdm without greeter, comment the greeter line at config file, there's a very simple ui.
Comment 52 Daniel Walsh 2010-05-06 08:39:02 EDT
Ok when you have an updated lxdm with this fixed,  I will try again.
Comment 53 Christoph Wickert 2010-05-07 07:18:36 EDT
(In reply to comment #51)
> maybe /var/lib is a good position, change the greetr.c to what it should be.
> #ifndef VCONFIG_FILE
> #define VCONFIG_FILE "/etc/lxdm/lxdm.conf"
> #endif

Even with that change I still get a SELinux denial about lxdm-greeter-gtk trying to write to /etc/lxdm/.

I think /var/run/lxdm/ should only be used for changes made through lxdm, e.g. language or session. Or are they stored by user now?

> to make less log, you can test lxdm without greeter, comment the greeter line
> at config file, there's a very simple ui.    

I don't want less log but *more* details. /var/log/lxdm.log doesn't contain much useful info.
Comment 54 Christoph Wickert 2010-05-07 07:26:48 EDT
(In reply to comment #52)
> Ok when you have an updated lxdm with this fixed,  I will try again.    

Here is a scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=2171670

The remaining denials I see with this one are:


Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   /etc/lxdm [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          lxdm-0.2.0-1.fc13
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             8
Zuerst gesehen                Do 06 Mai 2010 00:18:57 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     a6a15dd5-f554-4a09-806b-a8bff4c16f5f
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { add_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { create } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on
lxdm.conf.PEGHCV.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   lxdm.conf.PEGHCV [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             6
Zuerst gesehen                Do 06 Mai 2010 00:18:58 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { remove_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { rename } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { unlink } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux hindert /usr/libexec/lxdm-greeter-gtk "setattr" am Zugriff auf
/root/.config/ibus/bus.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:config_home_t:s0
Zielobjekte                   /root/.config/ibus/bus [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-2.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall_boolean
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-79.fc13.x86_64
                              #1 SMP Mon May 3 22:37:18 UTC 2010 x86_64 x86_64
Anzahl der Alarme             32
Zuerst gesehen                So 02 Mai 2010 15:36:13 CEST
Zuletzt gesehen               Fr 07 Mai 2010 12:47:54 CEST
Lokale ID                     20c6515a-7e9d-47a0-bf1f-2c3717d55b6c
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273229274.229:27968): avc:  denied  { setattr } for  pid=4501 comm="lxdm-greeter-gt" name="bus" dev=dm-0 ino=679407 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=dir

node=wicktop.localdomain type=SYSCALL msg=audit(1273229274.229:27968): arch=c000003e syscall=90 success=yes exit=0 a0=14bbba0 a1=1c0 a2=145cd90 a3=7fff8bef4c70 items=0 ppid=3651 pid=4501 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /bin/bash "open" Zugriff on console.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:ksmtuned_t:s0
Zielkontext                   system_u:object_r:console_device_t:s0
Zielobjekte                   console [ chr_file ]
Quelle                        ksmtuned
Quellpfad                     /bin/bash
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         bash-4.1.2-4.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-79.fc13.x86_64
                              #1 SMP Mon May 3 22:37:18 UTC 2010 x86_64 x86_64
Anzahl der Alarme             24
Zuerst gesehen                So 02 Mai 2010 15:39:33 CEST
Zuletzt gesehen               Fr 07 Mai 2010 12:49:59 CEST
Lokale ID                     a59d8195-6820-472c-b54f-e68919a463f9
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273229399.488:22): avc:  denied  { open } for  pid=3607 comm="ksmtuned" name="console" dev=devtmpfs ino=5460 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1273229399.488:22): arch=c000003e syscall=2 success=yes exit=3 a0=1124010 a1=802 a2=c a3=1000 items=0 ppid=3606 pid=3607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ksmtuned" exe="/bin/bash" subj=system_u:system_r:ksmtuned_t:s0 key=(null)


In addition I still see the 'Can't send to audit system' message:
May  7 12:58:59 wicktop dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Comment 55 dgod.osa 2010-05-07 10:39:50 EDT
when I debug into pam-selinux, I have an log

May  8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Open Session
May  8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Username= dgod SELinux User = unconfined_u Level= s0-s0:c0.c1023
May  8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Would you like to enter a security context? [N]  dgod
May  8 05:57:40 dgod lxdm-binary: pam_selinux(lxdm:session): Unable to get valid context for dgod

look into the pam_selinux code, it should be get_ordered_context_list_with_level return something wrong, I don't know how can work around it.
Comment 56 Daniel Walsh 2010-05-07 16:39:41 EDT
Make sure lxdm is running as xdm_t.  If you modify the code make sure you run restorecon on the executable.

The SELinux code is asking the system what the context to execute the user who is logging in.

It does this by looking at its context.

If I am xdm_t and dwalsh is logging in then I will run him in as staff_t.

If I am unconfined_t and dwalsh is logging in, I have no idea what to log him in as, so I will ask the user.
Comment 57 Fedora Update System 2010-05-09 17:31:37 EDT
lxdm-0.2.0-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13
Comment 58 Christoph Wickert 2010-05-09 17:35:01 EDT
The SELinux problems should be fixed now from the LXDM side. Is there a way to get rid of my custom policy again for testing? And has the signull rule been added to the policy we currently have in F13?
Comment 59 Daniel Walsh 2010-05-10 09:26:52 EDT
semodule -r MYPOL

Should remove your custom policy.  Do not include the pp.
Comment 60 Christoph Wickert 2010-05-10 16:54:14 EDT
Even with custom policy,  selinux-policy-3.7.19-13.fc13 and lxdm-0.2.0-2.fc13 it doesn't work for me. I cannot log in, although Dgod says everythign should be fixed and he can login. On the other hand I don't see any more denials from sealert. I am clueless.
Comment 61 Fedora Update System 2010-05-10 17:51:00 EDT
lxdm-0.2.0-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update lxdm'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13
Comment 62 Christoph Wickert 2010-05-11 05:01:30 EDT
Dan, can you look at the remaining alarms? This is crucial for the LXDE spin, otherwise we would have to switch back to SLIM as login manager.

Dgod, why is LXDM still trying to write to /etc/lxdm?

Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "write" Zugriff on /etc/lxdm.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   /etc/lxdm [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          lxdm-0.2.0-1.fc13
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             8
Zuerst gesehen                Do 06 Mai 2010 00:18:57 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     a6a15dd5-f554-4a09-806b-a8bff4c16f5f
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=524918 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { add_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { create } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.408:25854): avc:  denied  { write } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.408:25854): arch=c000003e syscall=2 success=yes exit=7 a0=19e65a0 a1=c2 a2=1b6 a3=0 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "remove_name" Zugriff on
lxdm.conf.PEGHCV.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   lxdm.conf.PEGHCV [ dir ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-1.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-10.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-72.fc13.x86_64
                              #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Anzahl der Alarme             6
Zuerst gesehen                Do 06 Mai 2010 00:18:58 CEST
Zuletzt gesehen               Do 06 Mai 2010 00:22:18 CEST
Lokale ID                     60c06c0d-87c3-4d8d-92f2-46ee4c9f3e3a
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { remove_name } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { rename } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf.PEGHCV" dev=dm-0 ino=524486 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1273098138.451:25855): avc:  denied  { unlink } for  pid=3653 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=524482 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273098138.451:25855): arch=c000003e syscall=82 success=yes exit=0 a0=1899fa0 a1=407c10 a2=19e6590 a3=7fff67087b40 items=0 ppid=3625 pid=3653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Zusammenfassung:

SELinux verhindert /usr/libexec/lxdm-greeter-gtk "unlink" Zugriff on lxdm.conf.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:var_lib_t:s0
Zielobjekte                   lxdm.conf [ file ]
Quelle                        lxdm-greeter-gt
Quellpfad                     /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
RPM-Pakete der Quelle         lxdm-0.2.0-2.fc13
RPM-Pakete des Ziels          
Richtlinien-RPM               selinux-policy-3.7.19-13.fc13
SELinux aktiviert             True
Richtlinientyp                targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Rechnername                   wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.33.3-85.fc13.x86_64
                              #1 SMP Thu May 6 18:09:49 UTC 2010 x86_64 x86_64
Anzahl der Alarme             1
Zuerst gesehen                Di 11 Mai 2010 09:41:20 CEST
Zuletzt gesehen               Di 11 Mai 2010 09:41:20 CEST
Lokale ID                     52f6a72e-cd26-4a79-afa8-37f8235d203f
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1273563680.90:24): avc:  denied  { unlink } for  pid=3697 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=924759 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1273563680.90:24): arch=c000003e syscall=82 success=yes exit=0 a0=22e3e20 a1=407c24 a2=22e3e80 a3=1 items=0 ppid=3653 pid=3697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 63 dgod.osa 2010-05-11 05:54:35 EDT
node=wicktop.localdomain type=AVC msg=audit(1273563680.90:24): avc:  denied  {
unlink } for  pid=3697 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0
ino=924759 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_lib_t:s0 tclass=file

looks like the patch is right, I write things to /var/lib now, but selinux refuse it. the question is, ' where should I to save some runtime config?  '

if you don't select the language or session, you will not have this selinux problem, can it work?

I'll debug the 0.2.0-2 package on my system, but that will wait several hours.
Comment 64 dgod.osa 2010-05-11 09:07:15 EDT
with the lxdm-0.2.0-2, I can login to the desktop, write to /var/lib/lxdm is refuse, and sealert report 

Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 978, in <module>
    run_as_dbus_service(username)
  File "/usr/bin/sealert", line 99, in run_as_dbus_service
    app = SEAlert(user, dbus_service.presentation_manager, watch_setroubleshootd=True)
  File "/usr/bin/sealert", line 620, in __init__
    self.browser = BrowserApplet(self.username, self.alert_client, domain=domain)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 249, in __init__
    self.check_policy()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/browser.py", line 314, in check_policy
    self.report_button.get_label(_("Update Policy"))
TypeError: get_label() takes no arguments (1 given)

selinux config is 
[dgod@dgod ~]$ cat /etc/sysconfig/selinux 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted
Comment 65 dgod.osa 2010-05-11 09:15:22 EDT
wickert, the write to /etc/lxdm shown is under the lxdm-0.2.0-1, you take an old log.
Comment 66 Daniel Walsh 2010-05-11 10:21:10 EDT
Chris where can I download the latest lxdm spin?

chcon -t xdm_var_lib_t -R /var/lib/lxdm

Should fix.

Fixed in selinux-policy-3.7.19-15.fc13.noarch
Comment 67 dgod.osa 2010-05-11 10:43:10 EDT
here is the latest lxde spin
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

latest lxdm is at updates-testing repo
Comment 68 Daniel Walsh 2010-05-13 09:32:55 EDT
dgod, does selinux-policy-3.7.19-15.fc13.noarch     work?  Should this be a blocker?
Comment 69 dgod.osa 2010-05-13 11:09:45 EDT
On my machine, it can work correctly.
Even if lxdm can't work on other machine, this bug should not be a blocker, the bug should be in lxdm with the pam stack.
Comment 70 Christoph Wickert 2010-05-14 09:30:07 EDT
I guess there is a misunderstanding about the word 'blocker' here. A blocker is something that delays a release. By Fedora's release criteria [1] this cannot be a blocker as it is not in the default install (basically only the desktop spin can have blockers), but i consider this severe enough for the LXDE spin. Using SLIM there is only the last resort, because LXDM is one of the main improvements from the F12 LXDE spin. So I really like to get this fixed for F13 and I offer any help I can give.

[1] https://fedoraproject.org/wiki/Fedora_13_Final_Release_Criteria
Comment 71 Daniel Walsh 2010-05-14 10:17:48 EDT
Jesse and Bill 

What is the chance of getting this policy into final release?
Comment 72 Christoph Wickert 2010-05-14 10:24:43 EDT
Not only the policy bug also 
http://admin.fedoraproject.org/updates/lxdm-0.2.0-2.fc13  

lxdm should be easier as it is not part of the "Fedora" repo but in "Everything".
Comment 73 Bill Nottingham 2010-05-17 11:04:38 EDT
My understanding is that it's too late to take more changes in without forcing another slip. Jesse can confirm or deny this.
Comment 74 Jesse Keating 2010-05-17 14:02:30 EDT
If you can manage to change only the lxdm package, perhaps by adding the necessary policy bits to it, then we could get it in without slipping.  However if we have to change selinux-policy, that package is on every other produced image, including the DVD set, which would mean a full respin, and a slip of the release.  Again.
Comment 75 Daniel Walsh 2010-05-17 16:40:50 EDT
Not worth it.
Comment 76 Christoph Wickert 2010-05-18 16:01:39 EDT
OK, the selinux-policy update is not necessary. I have verified that it works with the current selinux-policy-3.7.19-10.fc13.noarch in F13 final.

All we need is http://koji.fedoraproject.org/koji/taskinfo?taskID=2194485

Please give feedback at
https://admin.fedoraproject.org/updates/lxdm-0.2.0-4.fc13

I have tested both live and installed versions of the spin, both automatic and normal logins. No denials.
Comment 77 Jesse Keating 2010-05-18 19:35:26 EDT
To get it into the spins, i've removed the bodhi update and tagged it directly for F13.
Comment 78 Fedora Update System 2010-06-01 14:10:54 EDT
lxdm-0.2.0-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 79 Fedora Update System 2010-06-01 14:21:45 EDT
lxdm-0.2.0-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.