Bug 596360 - SELinux is preventing /sbin/setfiles access to a leaked /var/log/xdm.log file descriptor.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lxdm
Version: 15
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Christoph Wickert
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:bff6e2c4d9a...
Keywords: Reopened
Duplicates: 710776
Reported: 2010-05-26 12:23 EDT by scumbag
Modified: 2012-04-03 15:55 EDT
Fixed In Version: lxdm-0.4.1-1.fc16
Doc Type: Bug Fix
Last Closed: 2012-03-23 13:42:21 EDT
Description scumbag 2010-05-26 12:23:22 EDT
Summary:

SELinux is preventing /sbin/setfiles access to a leaked /var/log/xdm.log file
descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is
either a leaked descriptor or restorecon output was redirected to a file it is
not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /var/log/xdm.log. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/xdm.log [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-18.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.i686 #1 SMP Thu May 13 05:55:24 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 26 May 2010 11:19:09 AM CDT
Last Seen                     Wed 26 May 2010 11:19:09 AM CDT
Local ID                      7c8dcd0a-8488-4073-ac0b-23bc231abd97
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274890749.222:18489): avc:  denied  { write } for  pid=8971 comm="restorecon" path="/var/log/xdm.log" dev=sda1 ino=430437 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274890749.222:18489): arch=40000003 syscall=11 success=yes exit=0 a0=9446920 a1=94463b0 a2=9443fa8 a3=94463b0 items=0 ppid=8967 pid=8971 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash String generated from leaks,restorecon,setfiles_t,var_log_t,file,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t var_log_t:file write;
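The two kinds of denial that appear in this report can be told apart mechanically by pairing each AVC record with its SYSCALL record. The following is an added example, not setroubleshoot or lxdm code; the sample records are the ones quoted in this bug (the hostname is removed in the first pair), and only i386 syscall numbers (arch=40000003) are mapped.

```python
"""Pair each SELinux AVC record with its SYSCALL record and say whether the
denial is a descriptor leaked across exec or a program denied its own open.
Added example for this bug report, not setroubleshoot or lxdm code."""
import re
from collections import defaultdict

# i386 syscall numbers (arch=40000003); other architectures are not handled here
I386_SYSCALLS = {5: "open", 8: "creat", 11: "execve", 295: "openat"}

SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1274890749.222:18489): avc:  denied  { write } for  pid=8971 comm="restorecon" path="/var/log/xdm.log" dev=sda1 ino=430437 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1274890749.222:18489): arch=40000003 syscall=11 success=yes exit=0 a0=9446920 a1=94463b0 a2=9443fa8 a3=94463b0 items=0 ppid=8967 pid=8971 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
node=bodysnatcher type=AVC msg=audit(1280890361.578:16056): avc:  denied  { write } for  pid=2888 comm="xdm" name="xdm.log" dev=sda1 ino=430437 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=bodysnatcher type=SYSCALL msg=audit(1280890361.578:16056): arch=40000003 syscall=8 success=no exit=-13 a0=8a4fbc0 a1=1b6 a2=bf8513f0 a3=bf851914 items=0 ppid=1 pid=2888 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xdm" exe="/usr/bin/xdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]+) \}')

def parse_record(line):
    """Return (audit event id, dict of key=value fields) for one audit line."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return AUDIT_ID_RE.search(line).group(1), fields

def group_events(text):
    """Group the AVC and SYSCALL records that share one audit event id."""
    events = defaultdict(dict)
    for line in filter(None, text.splitlines()):
        event_id, fields = parse_record(line)
        events[event_id][fields["type"]] = fields
    return events

def classify(event):
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    call = I386_SYSCALLS.get(int(sc.get("syscall", -1)), "unknown")
    if call == "execve" and sc.get("success") == "yes" and "path" in avc:
        # Checked at exec on an already-open file: the fd came from the parent
        # and the kernel just closed it; the exec itself still succeeded.
        return "leaked-fd"
    if call in ("open", "creat", "openat") and sc.get("exit") == "-13":
        return "denied-open"  # the program opened the file itself and got EACCES
    return "other"

def report(text):
    """Map event id -> (comm, source type, target type, perms, verdict)."""
    out = {}
    for event_id, event in group_events(text).items():
        avc = event["AVC"]
        out[event_id] = (avc["comm"], avc["scontext"].split(":")[2],
                         avc["tcontext"].split(":")[2],
                         " ".join(avc["perms"]), classify(event))
    return out
```

For the first event the verdict points at whatever parent opened the log and exec'd restorecon, not at setfiles; for the second it points at xdm's own open.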
Comment 1 Miroslav Grepl 2010-05-27 03:42:54 EDT
Did you redirect output of restorecon to /var/log/xdm.log?
Comment 2 scumbag 2010-05-27 16:00:09 EDT
Nope. After installing XDM and restarting, XDM loads, then GDM inits, and this problem appears.

The first time, I used

#restorecon /var/log/xdm.log

as setroubleshoot suggested, but this happened again.
Comment 3 Daniel Walsh 2010-05-27 16:18:56 EDT
What are you running as your login program?

Check to make sure it is running as xdm_t.

ps -eZ |grep LOGINPROGRAM
Comment 4 scumbag 2010-05-27 16:54:09 EDT
Oops, I mistyped.

It's "XDM loads, then Gnome inits, and this problem appears".

I'm using XDM, sorry, my bad.

There is the output:

$ ps -eZ | grep xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4629 ?  00:00:00 xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4642 ?  00:00:00 xdm
Comment 5 Daniel Walsh 2010-05-27 17:21:01 EDT
Looks like there might be something wrong with the xdm startup script which must be creating /var/log/xdm.log with the wrong label.

How do you turn on xdm?
Comment 6 scumbag 2010-05-27 17:36:37 EDT
1. # yum install XDM
2. # echo 'DISPLAYMANAGER="XDM"' > /etc/sysconfig/desktop
3. # telinit 3
4. # telinit 5

PS.
I think that /etc/sysconfig/desktop should exist even if only one login program is present; or an "easy-switch" tool to change between desktop managers.

PS1.
# echo 'DISPLAYMANAGER="GDM"' > /etc/sysconfig/desktop
or
# rm /etc/sysconfig/desktop

to switch back to GDM.
Comment 7 Daniel Walsh 2010-07-29 13:01:35 EDT
Are you still having this problem?  I am revisiting old bugs.
Comment 8 scumbag 2010-07-29 15:35:54 EDT
No, I can't remember in which SELinux policy update it was fixed.
Comment 9 Daniel Walsh 2010-07-30 14:52:02 EDT
None. I was hoping it magically went away.

I think the problem is some init script is creating the log file rather than xdm itself.
Comment 10 scumbag 2010-07-31 00:27:27 EDT
Let me set up my system to reproduce the bug, and I'll come back with a definite answer, because I remember that the problem was gone.
Comment 11 scumbag 2010-08-03 22:59:33 EDT
Nope, sorry, the problem still happens. I'm attaching the complete error message.

The steps to reproduce the bug are the same.

-----

Summary:

SELinux is preventing /usr/bin/xdm "write" access on /var/log/xdm.log.

Detailed Description:

SELinux denied access requested by xdm. It is not expected that this access is
required by xdm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/xdm.log [ file ]
Source                        xdm
Source Path                   /usr/bin/xdm
Port                          <Unknown>
Host                          bodysnatcher
Source RPM Packages           xorg-x11-xdm-1.1.6-18.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bodysnatcher
Platform                      Linux bodysnatcher 2.6.33.6-147.fc13.i686 #1 SMP
                              Tue Jul 6 22:30:55 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Tue 03 Aug 2010 09:49:42 PM CDT
Last Seen                     Tue 03 Aug 2010 09:52:41 PM CDT
Local ID                      b183ae09-1645-4aa7-a380-beb6a1fa715e
Line Numbers                  

Raw Audit Messages            

node=bodysnatcher type=AVC msg=audit(1280890361.578:16056): avc:  denied  { write } for  pid=2888 comm="xdm" name="xdm.log" dev=sda1 ino=430437 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=bodysnatcher type=SYSCALL msg=audit(1280890361.578:16056): arch=40000003 syscall=8 success=no exit=-13 a0=8a4fbc0 a1=1b6 a2=bf8513f0 a3=bf851914 items=0 ppid=1 pid=2888 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xdm" exe="/usr/bin/xdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 12 Fedora Admin XMLRPC Client 2010-11-08 16:48:33 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 13 Fedora Admin XMLRPC Client 2010-11-08 16:50:05 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora Admin XMLRPC Client 2010-11-08 16:51:20 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Miroslav Grepl 2010-12-22 08:12:00 EST
scumbag,
are you still seeing this problem?
Comment 16 scumbag 2010-12-26 11:33:50 EST
Actually, I don't have an environment to try it anymore. Sorry.
Comment 17 Peter Lemenkov 2011-04-20 07:20:03 EDT
I'm still having this issue.

[   41.346556] type=1400 audit(1303297992.706:4): avc:  denied  { write } for  pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
[   41.346608] type=1400 audit(1303297992.706:5): avc:  denied  { write } for  pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
Comment 18 Daniel Walsh 2011-04-20 11:09:16 EDT
lxdm should open its log file for append if it is going to pass it as stdout to its children.

Write will allow any app that inherits the file descriptor to truncate the log.
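The pattern recommended in the comment above, shown as an added example rather than lxdm's own code: the display manager opens its log append-only and close-on-exec, and gives a child the stream only by dup2() onto stdout/stderr. It assumes a Linux host, and the log is a constructed temporary file.

```python
"""Hand a display manager's log to child processes without leaking a
writable descriptor to everything it execs (the issue in this report).
Added example, not lxdm code; assumes Linux and uses a temp file as the log."""
import fcntl
import os
import tempfile

def open_log(path):
    # O_APPEND: write() calls from an inheriting program land at the end, and
    # SELinux checks 'append' rather than 'write' both at open and for the fd
    # at exec.  O_CLOEXEC: children get this fd only where we dup2() it.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_CLOEXEC, 0o640)

def descriptor_flags(fd):
    """The two properties that decide what a child inherits from this fd."""
    status = fcntl.fcntl(fd, fcntl.F_GETFL)
    fd_flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    return {"append": bool(status & os.O_APPEND),
            "cloexec": bool(fd_flags & fcntl.FD_CLOEXEC)}

def run_with_log(argv, logfd):
    """Fork/exec argv with stdout and stderr on logfd; return its exit code.
    dup2() leaves FD_CLOEXEC clear on 1 and 2, so the child keeps the stream
    while the original descriptor number is closed by exec."""
    pid = os.fork()
    if pid == 0:
        os.dup2(logfd, 1)
        os.dup2(logfd, 2)
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # only reached if exec failed
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)

def demo():
    """Append through a child and return (flags, child exit code, log text)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:  # constructed log file
        tmp.write(b"earlier line\n")
        path = tmp.name
    fd = open_log(path)
    flags = descriptor_flags(fd)
    code = run_with_log(["sh", "-c", "echo child-line"], fd)
    os.close(fd)
    with open(path) as log:
        text = log.read()
    os.unlink(path)
    return flags, code, text
```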
Comment 19 Miroslav Grepl 2011-06-05 04:19:36 EDT
*** Bug 710776 has been marked as a duplicate of this bug. ***
Comment 20 Fedora Update System 2012-03-21 16:49:41 EDT
lxdm-0.4.1-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc17
Comment 21 Fedora Update System 2012-03-21 16:52:23 EDT
lxdm-0.4.1-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc16
Comment 22 Fedora Update System 2012-03-21 16:59:10 EDT
lxdm-0.4.1-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc15
Comment 23 Fedora Update System 2012-03-21 21:55:05 EDT
Package lxdm-0.4.1-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lxdm-0.4.1-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4399/lxdm-0.4.1-1.fc16
then log in and leave karma (feedback).
Comment 24 Fedora Update System 2012-03-23 13:42:21 EDT
lxdm-0.4.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2012-04-03 15:53:10 EDT
lxdm-0.4.1-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2012-04-03 15:55:09 EDT
lxdm-0.4.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
