Summary:

SELinux is preventing /sbin/setfiles access to a leaked /var/log/xdm.log file descriptor.

Detailed Description:

[restorecon has a permissive type (setfiles_t). This access was not denied.]

SELinux denied access requested by the restorecon command. It looks like this is either a leaked descriptor or restorecon output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /var/log/xdm.log. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/xdm.log [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.82-18.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.i686 #1 SMP Thu May 13 05:55:24 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Wed 26 May 2010 11:19:09 AM CDT
Last Seen                     Wed 26 May 2010 11:19:09 AM CDT
Local ID                      7c8dcd0a-8488-4073-ac0b-23bc231abd97
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1274890749.222:18489): avc: denied { write } for pid=8971 comm="restorecon" path="/var/log/xdm.log" dev=sda1 ino=430437 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1274890749.222:18489): avc: denied { write } for pid=8971 comm="restorecon" path="/var/log/xdm.log" dev=sda1 ino=430437 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274890749.222:18489): arch=40000003 syscall=11 success=yes exit=0 a0=9446920 a1=94463b0 a2=9443fa8 a3=94463b0 items=0 ppid=8967 pid=8971 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  leaks,restorecon,setfiles_t,var_log_t,file,write
audit2allow suggests:

#============= setfiles_t ==============
allow setfiles_t var_log_t:file write;
Did you redirect output of restorecon to /var/log/xdm.log?
Nope. After installing XDM and restarting, XDM loads, then GDM inits, and this problem appears. The first time, I used

# restorecon /var/log/xdm.log

as setroubleshoot suggested, but it happened again.
What are you running as your login program? Check to make sure it is running as xdm_t.

ps -eZ | grep LOGINPROGRAM
Oops, I mistyped. It should be "XDM loads, then Gnome inits, and this problem appears". I'm using XDM, sorry, my bad. Here is the output:

$ ps -eZ | grep xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4629 ?        00:00:00 xdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 4642 ?        00:00:00 xdm
Looks like there might be something wrong with the xdm startup script which must be creating /var/log/xdm.log with the wrong label. How do you turn on xdm?
1. # yum install XDM
2. # echo 'DISPLAYMANAGER="XDM"' > /etc/sysconfig/desktop
3. # telinit 3
4. # telinit 5

PS. I think /etc/sysconfig/desktop should exist even if only one login program is present, or there should be an "easy-switch" tool to change between desktop managers.

PS1. To switch back to GDM:

# echo 'DISPLAYMANAGER="GDM"' > /etc/sysconfig/desktop

or

# rm /etc/sysconfig/desktop
Are you still having this problem? I am revisiting old bugs.
No, I can't remember in which SELinux policy update it was fixed.
None. I was hoping it magically went away. I think the problem is that some init script is creating the log file rather than xdm itself.
Let me set up my system to reproduce the bug, and I'll come back with a definite answer, because I remember that the problem was gone.
Nope, sorry, the problem still happens. I'm attaching the complete error message. The steps to reproduce the bug are the same.

-----

Summary:

SELinux is preventing /usr/bin/xdm "write" access on /var/log/xdm.log.

Detailed Description:

SELinux denied access requested by xdm. It is not expected that this access is required by xdm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/xdm.log [ file ]
Source                        xdm
Source Path                   /usr/bin/xdm
Port                          <Unknown>
Host                          bodysnatcher
Source RPM Packages           xorg-x11-xdm-1.1.6-18.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bodysnatcher
Platform                      Linux bodysnatcher 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Tue 03 Aug 2010 09:49:42 PM CDT
Last Seen                     Tue 03 Aug 2010 09:52:41 PM CDT
Local ID                      b183ae09-1645-4aa7-a380-beb6a1fa715e
Line Numbers

Raw Audit Messages

node=bodysnatcher type=AVC msg=audit(1280890361.578:16056): avc: denied { write } for pid=2888 comm="xdm" name="xdm.log" dev=sda1 ino=430437 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=bodysnatcher type=SYSCALL msg=audit(1280890361.578:16056): arch=40000003 syscall=8 success=no exit=-13 a0=8a4fbc0 a1=1b6 a2=bf8513f0 a3=bf851914 items=0 ppid=1 pid=2888 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xdm" exe="/usr/bin/xdm" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
scumbag, are you still seeing this problem?
Actually, I don't have an environment to try it anymore. Sorry.
I'm still having this issue.

[   41.346556] type=1400 audit(1303297992.706:4): avc:  denied  { write }  for  pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
[   41.346608] type=1400 audit(1303297992.706:5): avc:  denied  { write }  for  pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file
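The AVC records quoted in this report come in two shapes: the sealert "Raw Audit Messages" form (type=AVC msg=audit(...)) and the kernel log form just above (type=1400 audit(...)). The following is an added example, not code from this bug report or from any Fedora tool, that parses both shapes and applies the two explanations the thread gives as a triage check: a denial on xdm.log whose target type is var_log_t instead of xdm_log_t means the file was created under the wrong label (the EXPECTED_TYPES map is an assumption taken from the comments above, not from policy), while a write denial whose source domain is setfiles_t is the leaked or redirected descriptor case described in the first report. The sample lines are copied from this thread, and the SYSCALL record shows that non-AVC lines are skipped.

```python
import os
import re

# Sample records copied from this bug report (constructed input for the demo):
# a kernel-log AVC, a sealert raw-audit AVC, and a SYSCALL record.
SAMPLE_LINES = [
    '[   41.346556] type=1400 audit(1303297992.706:4): avc:  denied  { write }  for  '
    'pid=1085 comm="restorecon" path="/var/log/xdm.log" dev=sda3 ino=146267 '
    'scontext=unconfined_u:unconfined_r:setfiles_t:s0 '
    'tcontext=system_u:object_r:xdm_log_t:s0 tclass=file',
    'node=bodysnatcher type=AVC msg=audit(1280890361.578:16056): avc: denied { write } '
    'for pid=2888 comm="xdm" name="xdm.log" dev=sda1 ino=430437 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'node=bodysnatcher type=SYSCALL msg=audit(1280890361.578:16056): arch=40000003 '
    'syscall=8 success=no exit=-13 pid=2888 comm="xdm" exe="/usr/bin/xdm"',
]

# Assumed expected label for the log, taken from the diagnosis in this thread.
EXPECTED_TYPES = {"xdm.log": "xdm_log_t"}

PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    # user:role:type[:range] -> type
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = PERM_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        # sealert records carry name=, kernel-log records carry path=
        "object": fields.get("path") or fields.get("name"),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def parse_lines(lines):
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


def label_mismatches(records, expected_types=EXPECTED_TYPES):
    """Return (object, actual type, expected type) for denials on objects
    whose label differs from the type the caller expects for that file."""
    out = []
    for r in records:
        expected = expected_types.get(os.path.basename(r["object"] or ""))
        if expected and r["target_type"] != expected:
            out.append((r["object"], r["target_type"], expected))
    return out


def classify(record, expected_types=EXPECTED_TYPES):
    """Heuristic triage mirroring the two explanations given in this thread."""
    if label_mismatches([record], expected_types):
        return "label-mismatch"        # file was created under the wrong type
    if record["source_type"] == "setfiles_t" and "write" in record["perms"]:
        return "leaked-descriptor"     # restorecon does not open logs itself
    return "other"


if __name__ == "__main__":
    for r in parse_lines(SAMPLE_LINES):
        print(classify(r), r["comm"], r["perms"],
              r["source_type"], "->", r["target_type"], r["object"])
```

Feeding real data is a matter of replacing SAMPLE_LINES with the output of ausearch -m avc or the relevant dmesg lines; the classifier is deliberately narrow and only encodes the two causes discussed here.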
lxdm should open its log file for append if it is going to pass it as stdout to its children. Write will allow any app that inherits the file descriptor to truncate the log.
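The append-versus-write point in the comment above, as an added example that is not code from lxdm or from this report: a parent opens a constructed log file either for plain writing or with O_APPEND, forks a child that inherits the descriptor (the way a display manager hands its log to its children as stdout), and the child does what any stray program holding that descriptor could do. With O_APPEND the child's lseek() is ignored and the existing lines survive; without it the child overwrites the start of the log. The block also shows the caveat that O_APPEND alone does not stop ftruncate() at the DAC level. The file name and log contents are constructed.

```python
import os
import tempfile

# Constructed log contents standing in for /var/log/xdm.log.
CONSTRUCTED_LOG = b"line1: display manager started\nline2: session opened\n"


def run_child_with_log_fd(log_path, append, action):
    """Open log_path for writing (with O_APPEND when append is True), fork a
    child that inherits the descriptor and runs action(fd) on it, then return
    (child exit status, final file contents)."""
    flags = os.O_WRONLY | (os.O_APPEND if append else 0)
    fd = os.open(log_path, flags)
    pid = os.fork()
    if pid == 0:                        # child: holds only the inherited fd
        status = 0
        try:
            action(fd)
        except OSError:
            status = 1
        finally:
            os._exit(status)            # skip interpreter cleanup in the child
    _, wait_status = os.waitpid(pid, 0)
    os.close(fd)
    with open(log_path, "rb") as f:
        return os.WEXITSTATUS(wait_status), f.read()


def overwrite_start(fd):
    """What a misbehaving child holding the log descriptor might do: seek to
    the beginning and write, clobbering earlier lines."""
    os.lseek(fd, 0, os.SEEK_SET)        # the kernel ignores this for O_APPEND fds
    os.write(fd, b"CHILD OVERWRITE\n")


def truncate_log(fd):
    """ftruncate() only needs a descriptor open for writing; O_APPEND does
    not prevent it under plain DAC."""
    os.ftruncate(fd, 0)


def demo(append, action=overwrite_start):
    """Create a fresh constructed log in a temp dir and run one scenario."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "xdm.log")
        with open(path, "wb") as f:
            f.write(CONSTRUCTED_LOG)
        return run_child_with_log_fd(path, append, action)


if __name__ == "__main__":
    print("O_WRONLY          :", demo(False))
    print("O_WRONLY|O_APPEND :", demo(True))
    print("ftruncate, O_APPEND:", demo(True, truncate_log))
```

Under SELinux the open flags matter beyond the DAC behaviour shown here: when a descriptor crosses into a new domain the kernel checks it against that domain using the access its flags imply, so a descriptor opened with O_APPEND needs only the append permission on the file, whereas one opened for plain writing needs write, which is exactly what the audit2allow suggestion in the first report would grant to setfiles_t. Truncation additionally requires write on the inode however the descriptor was opened, so a domain given only append cannot truncate the log through a leaked descriptor either.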
*** Bug 710776 has been marked as a duplicate of this bug. ***
lxdm-0.4.1-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc17
lxdm-0.4.1-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc16
lxdm-0.4.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc15
Package lxdm-0.4.1-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lxdm-0.4.1-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4399/lxdm-0.4.1-1.fc16
then log in and leave karma (feedback).
lxdm-0.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.4.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.4.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.