573828 – SELinux is preventing /usr/libexec/lxdm-greeter-gtk "remove_name" access on lxdm.conf.8AEG9U.

Bug 573828 - SELinux is preventing /usr/libexec/lxdm-greeter-gtk "remove_name" access on lxdm.conf.8AEG9U.

Summary: SELinux is preventing /usr/libexec/lxdm-greeter-gtk "remove_name" access ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	12
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:744a7b8f037...
Duplicates (1):	573761 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-03-15 20:55 UTC by Christoph Wickert
Modified:	2010-04-06 18:15 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.6.32-106.fc12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-30 02:11:03 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Christoph Wickert 2010-03-15 20:55:11 UTC

Zusammenfassung:

SELinux is preventing /usr/libexec/lxdm-greeter-gtk "remove_name" access on
lxdm.conf.8AEG9U.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-greeter-gt. It is not expected that this
access is required by lxdm-greeter-gt and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   lxdm.conf.8AEG9U [ dir ]
Quelle                        lxdm-greeter-gt
Quellen-Pfad                  /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          (removed)
Quellen-RPM-Pakete            lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-92.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      (removed)
Plattform                     Linux (removed) 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Anzahl der Alarme             3
Zuerst gesehen                Sa 13 Mär 2010 10:52:12 CET
Zuletzt gesehen               Sa 13 Mär 2010 10:52:12 CET
Lokale ID                     2c142863-db31-48dd-bfc8-55719177201a
Zeilennummern                 

Raw-Audit-Meldungen           

node=(removed) type=AVC msg=audit(1268473932.147:33): avc:  denied  { remove_name } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1268473932.147:33): avc:  denied  { rename } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1268473932.147:33): avc:  denied  { unlink } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf" dev=dm-0 ino=1049348 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1268473932.147:33): arch=c000003e syscall=82 success=yes exit=0 a0=fa7e00 a1=4072e1 a2=0 a3=7fff9f311930 items=0 ppid=2078 pid=3910 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,lxdm-greeter-gt,xdm_t,etc_t,dir,remove_name
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t etc_t:dir remove_name;
allow xdm_t etc_t:file { rename unlink };

Comment 1 Christoph Wickert 2010-03-15 20:55:47 UTC

Zusammenfassung:

SELinux is preventing /usr/libexec/lxdm-greeter-gtk "write" access on /etc/lxdm.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-greeter-gt. It is not expected that this
access is required by lxdm-greeter-gt and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:etc_t:s0
Zielobjekte                   /etc/lxdm [ dir ]
Quelle                        lxdm-greeter-gt
Quellen-Pfad                  /usr/libexec/lxdm-greeter-gtk
Port                          <Unbekannt>
Host                          wicktop.localdomain
Quellen-RPM-Pakete            lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Ziel-RPM-Pakete               lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
RPM-Richtlinie                selinux-policy-3.6.32-92.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Anzahl der Alarme             23
Zuerst gesehen                Mi 24 Feb 2010 01:14:00 CET
Zuletzt gesehen               Sa 13 Mär 2010 10:52:12 CET
Lokale ID                     a2c7f8e8-2ad6-4b2f-864d-85813088e07a
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc:  denied  { write } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm" dev=dm-0 ino=1049362 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc:  denied  { add_name } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc:  denied  { create } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=AVC msg=audit(1268473932.84:32): avc:  denied  { write } for  pid=3910 comm="lxdm-greeter-gt" name="lxdm.conf.8AEG9U" dev=dm-0 ino=1048599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=wicktop.localdomain type=SYSCALL msg=audit(1268473932.84:32): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7876a0 a1=c2 a2=1b6 a3=1b items=0 ppid=2078 pid=3910 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="lxdm-greeter-gt" exe="/usr/libexec/lxdm-greeter-gtk" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 2 Christoph Wickert 2010-03-15 20:57:48 UTC

Zusammenfassung:

SELinux is preventing /usr/sbin/lxdm-binary "relabelfrom" access on tty1.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-binary. It is not expected that this
access is required by lxdm-binary and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:tty_device_t:s0
Zielobjekte                   tty1 [ chr_file ]
Quelle                        lxdm-binary
Quellen-Pfad                  /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Host                          wicktop.localdomain
Quellen-RPM-Pakete            lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-92.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Anzahl der Alarme             30
Zuerst gesehen                Di 09 Mär 2010 09:46:56 CET
Zuletzt gesehen               So 14 Mär 2010 13:35:02 CET
Lokale ID                     f8b336b4-3260-4aff-89d7-ad2220395c15
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1268570102.10:10): avc:  denied  { relabelfrom } for  pid=2095 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1268570102.10:10): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe4d0de30 a1=3e6a615669 a2=6cf420 a3=2b items=0 ppid=1 pid=2095 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 3 Christoph Wickert 2010-03-15 20:58:02 UTC

Zusammenfassung:

SELinux is preventing /usr/sbin/lxdm-binary "relabelto" access on tty1.

Detaillierte Beschreibung:

[SELinux ist im Permissive-Modus. Dieser Zugriff wurde nicht verweigert.]

SELinux denied access requested by lxdm-binary. It is not expected that this
access is required by lxdm-binary and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zugriff erlauben:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:tty_device_t:s0
Zielobjekte                   tty1 [ chr_file ]
Quelle                        lxdm-binary
Quellen-Pfad                  /usr/sbin/lxdm-binary
Port                          <Unbekannt>
Host                          wicktop.localdomain
Quellen-RPM-Pakete            lxdm-0.2.0-0.1.20100223gitdf819fd.fc12
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.6.32-92.fc12
SELinux aktiviert             True
Richtlinienversion            targeted
Enforcing-Modus               Permissive
Plugin-Name                   catchall
Hostname                      wicktop.localdomain
Plattform                     Linux wicktop.localdomain 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Anzahl der Alarme             23
Zuerst gesehen                Di 09 Mär 2010 03:09:11 CET
Zuletzt gesehen               So 14 Mär 2010 15:04:04 CET
Lokale ID                     9c415fd8-0130-4092-9d48-ecb8d77e0538
Zeilennummern                 

Raw-Audit-Meldungen           

node=wicktop.localdomain type=AVC msg=audit(1268575444.87:65): avc:  denied  { relabelto } for  pid=2095 comm="lxdm-binary" name="tty1" dev=devtmpfs ino=4994 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

node=wicktop.localdomain type=SYSCALL msg=audit(1268575444.87:65): arch=c000003e syscall=188 success=yes exit=0 a0=7fffe4d0e0d0 a1=3e6a615669 a2=6bf180 a3=22 items=0 ppid=1 pid=2095 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Comment 4 Daniel Walsh 2010-03-15 21:16:36 UTC

lxdm should definitely not be writing to its config files under /etc/lxdm
If lxdm has files that need to be modified they should be under /var/run or /var/lib 

I can add term_relabel_unallocated_ttys(xdm_t)
But isn't lxdm using pseudo terms?

Comment 5 Christoph Wickert 2010-03-15 22:01:02 UTC

(In reply to comment #4)

> lxdm should definitely not be writing to its config files under /etc/lxdm

agreed.

> I can add term_relabel_unallocated_ttys(xdm_t)
> But isn't lxdm using pseudo terms?    

No it's not, we already discussed this in bug 564320 and after your comment 18 I thought this was supposed to be fixed with term_relabel_all_ttys(xdm_t).

Comment 6 Daniel Walsh 2010-03-16 14:15:38 UTC

Yes I remember.

term_relabel_all_ttys does not include unallocated ones.

Miroslav,

Add
term_relabel_unallocated_ttys(xdm_t)

Comment 7 Daniel Walsh 2010-03-16 14:17:47 UTC

*** Bug 573761 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2010-03-16 14:21:18 UTC

Christoph, if you change lxdm to not write to /etc/lxdm

add a custom policy module

# echo > myxdm.te << _EOF
policy_module(myxdm, 1.0)
gen_require(`
    type xdm_t;
')
term_relabel_unallocated_ttys(xdm_t)    
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myxdm.pp

Can you login and run 

id -Z 

To make sure you have the right context unconfined_t.

ls -lZ `tty`  

Should have a context with something like user_tty_device_t or user_devpts_t

Comment 9 d. johnson 2010-03-16 19:13:33 UTC

After adding myxml.pp, and logging in:

$ id -Z
system_u:system_r:initrc_t:s0

$ ls -lZ `tty`
crw--w----. dj tty system_u:object_r:initrc_devpts_t:s0 /dev/pts/4

$ rpm -q lxdm
lxdm-0.1.1-0.2.20100303gite4f7b39.fc12.i686

$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.6.32-99.fc12.noarch

# ausearch -m avc -ts 14:04
----
time->Tue Mar 16 14:04:15 2010
type=SYSCALL msg=audit(1268766255.278:57529): arch=40000003 syscall=11 success=yes exit=0 a0=936a460 a1=bfccb670 a2=9370600 a3=bfccb670 items=0 ppid=2079 pid=2233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl.ck" exe="/lib/udev/udev-acl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766255.278:57529): avc:  denied  { noatsecure } for  pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766255.278:57529): avc:  denied  { siginh } for  pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766255.278:57529): avc:  denied  { rlimitinh } for  pid=2233 comm="udev-acl.ck" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Mar 16 14:04:26 2010
type=SYSCALL msg=audit(1268766266.987:57531): arch=40000003 syscall=11 success=yes exit=0 a0=bf878b7c a1=b75a6388 a2=8c137e0 a3=b75a6388 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766266.987:57531): avc:  denied  { write } for  pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:26 2010
type=SYSCALL msg=audit(1268766266.685:57530): arch=40000003 syscall=11 success=yes exit=0 a0=804c710 a1=bff9f34c a2=bffa0714 a3=7 items=0 ppid=2253 pid=2254 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766266.685:57530): avc:  denied  { write } for  pid=2254 comm="dbus-daemon" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.004:57532): arch=40000003 syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bfa09458 a3=bfa09498 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.004:57532): avc:  denied  { ioctl } for  pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.005:57533): arch=40000003 syscall=5 success=yes exit=4 a0=8b6ac20 a1=c2 a2=180 a3=14345d9e items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.005:57533): avc:  denied  { write } for  pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.005:57533): avc:  denied  { create } for  pid=2292 comm="mailx" name="RxRt9Tyl" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.005:57533): avc:  denied  { add_name } for  pid=2292 comm="mailx" name="RxRt9Tyl" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1268766267.005:57533): avc:  denied  { write } for  pid=2292 comm="mailx" name="dj" dev=tmpfs ino=15048453 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57534): arch=40000003 syscall=94 success=yes exit=0 a0=4 a1=180 a2=bfa0941c a3=4 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57534): avc:  denied  { setattr } for  pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57535): arch=40000003 syscall=10 success=yes exit=0 a0=8b6ac20 a1=4b9fd63b a2=8b6ac20 a3=8b6a940 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57535): avc:  denied  { unlink } for  pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1268766267.006:57535): avc:  denied  { remove_name } for  pid=2292 comm="mailx" name="RxRt9Tyl" dev=tmpfs ino=15689053 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.006:57536): arch=40000003 syscall=197 success=yes exit=0 a0=1 a1=bfa092c0 a2=9e6ff4 a3=9e74c0 items=0 ppid=2241 pid=2292 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="mailx" exe="/bin/mailx" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1268766267.006:57536): avc:  denied  { getattr } for  pid=2292 comm="mailx" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.071:57537): arch=40000003 syscall=11 success=yes exit=0 a0=82bf770 a1=82bf560 a2=82bb008 a3=82bf560 items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766267.071:57537): avc:  denied  { write } for  pid=2314 comm="restorecond" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.093:57538): arch=40000003 syscall=11 success=yes exit=0 a0=1133388 a1=1130cc8 a2=11334b0 a3=1133858 items=0 ppid=2325 pid=2326 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="im-settings-dae" exe="/usr/libexec/im-settings-daemon" subj=system_u:system_r:initrc_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1268766267.093:57538): avc:  denied  { noatsecure } for  pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766267.093:57538): avc:  denied  { siginh } for  pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1268766267.093:57538): avc:  denied  { rlimitinh } for  pid=2326 comm="im-settings-dae" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=process
----
time->Tue Mar 16 14:04:27 2010
type=SYSCALL msg=audit(1268766267.303:57539): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf87de20 a2=4acff4 a3=bf87dfcc items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766267.303:57539): avc:  denied  { connectto } for  pid=2314 comm="restorecond" path=002F746D702F646275732D5A735142534744325A4D scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Tue Mar 16 14:04:33 2010
type=SYSCALL msg=audit(1268766273.217:57540): arch=40000003 syscall=4 success=yes exit=103 a0=2 a1=bf872620 a2=67 a3=67 items=0 ppid=1 pid=2314 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
type=AVC msg=audit(1268766273.217:57540): avc:  denied  { write } for  pid=2314 comm="restorecond" path="/home/dj/.xsession-errors" dev=sdb3 ino=75 scontext=system_u:system_r:restorecond_t:s0 tcontext=system_u:object_r:xdm_home_t:s0 tclass=file
----
time->Tue Mar 16 14:05:02 2010
type=SYSCALL msg=audit(1268766302.861:57545): arch=40000003 syscall=268 success=yes exit=0 a0=80c17f0 a1=54 a2=bfeeab3c a3=bfeeb3fc items=0 ppid=2776 pid=2777 auid=4294967295 uid=466 gid=463 euid=466 suid=466 fsuid=466 egid=463 sgid=463 fsgid=463 tty=(none) ses=4294967295 comm="df" exe="/bin/df" subj=system_u:system_r:munin_t:s0 key=(null)
type=AVC msg=audit(1268766302.861:57545): avc:  denied  { search } for  pid=2777 comm="df" name="dj" dev=sdb3 ino=8193 scontext=system_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1268766302.861:57545): avc:  denied  { search } for  pid=2777 comm="df" name="/" dev=sdb3 ino=2 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

Comment 10 Daniel Walsh 2010-03-16 19:52:43 UTC

That means lxdm is not labeled correctly you are running with the context of an init process.  lxdm needs to be labeled xdm_exec_t.  Run restorecon on the lxdm executable and see what its context is?  If it is not xdm_exec_t, then what is its path?

Comment 11 d. johnson 2010-03-16 19:55:32 UTC

Restorecon is happy with it:

-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/lxdm

Comment 12 Daniel Walsh 2010-03-16 20:04:52 UTC

That is because it expects it to bin in /usr/bin/lxdm

 rpm -ql lxdm  | grep bin
/usr/bin/lxdm
/usr/bin/lxdm-binary
/usr/bin/lxdm-greeter-gtk

rpm -q lxdm
lxdm-0.1.0-0.1.fc13.x86_64

Comment 13 Daniel Walsh 2010-03-16 20:07:19 UTC

Miroslav can you change the label to

/usr/(s)?bin/lxdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm-binary --	gen_context(system_u:object_r:xdm_exec_t,s0)

d.johnson

chcon -t xdm_exec_t /usr/sbin/lxdm

Will fix the label.  Until an update gets pushed.

Christoph, I take it lxdm is moving?

Comment 14 Christoph Wickert 2010-03-17 01:53:21 UTC

Yes, it's moving, as announced in bug 564320 comment 7. In the next comment you told Miroslav to "make the /usr/bin->/usr/sbin changes". Seems like some things from the previous bugs got lost somehow.

Comment 15 Miroslav Grepl 2010-03-18 12:47:49 UTC

(In reply to comment #14)
> Yes, it's moving, as announced in bug 564320 comment 7. In the next comment you
> told Miroslav to "make the /usr/bin->/usr/sbin changes". Seems like some things
> from the previous bugs got lost somehow.    

Yes, my fault I missed it.

Fixed in selinux-policy-3.6.32-104.fc12

Comment 16 Fedora Update System 2010-03-23 18:02:41 UTC

selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 17 Fedora Update System 2010-03-24 23:29:52 UTC

selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 18 Fedora Update System 2010-03-30 02:09:25 UTC

selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.