Summary:

SELinux is preventing /usr/sbin/lxdm-binary "execute" access on xauth.

Detailed Description:

SELinux denied access requested by lxdm-binary. It is not expected that this access is required by lxdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xauth_exec_t:s0
Target Objects                xauth [ file ]
Source                        lxdm-binary
Source Path                   /usr/sbin/lxdm-binary
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           lxdm-0.3.0-0.1.20100921gitcf9b2cbb.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.3-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 20 Sep 2010 11:46:45 PM EDT
Last Seen                     Mon 20 Sep 2010 11:46:51 PM EDT
Local ID                      9f6caa62-3c74-4c8f-91a4-10266c357c6d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1285040811.374:15): avc: denied { execute } for pid=1479 comm="lxdm-binary" name="xauth" dev=dm-0 ino=21734 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1285040811.374:15): arch=c000003e syscall=59 success=no exit=-13 a0=12cb715 a1=12d1950 a2=12cef70 a3=7fffd9cfa870 items=0 ppid=1 pid=1479 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="lxdm-binary" exe="/usr/sbin/lxdm-binary" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,lxdm-binary,xdm_t,xauth_exec_t,file,execute

audit2allow suggests:

#============= xdm_t ==============
allow xdm_t xauth_exec_t:file execute;

This looks like you don't have pam_selinux set up correctly in your pam files.
I don't think so. We had this already and you said it was fine. This is /etc/pam.d/lxdm from the package:

#%PAM-1.0
auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       substack    system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     system-auth

What's wrong with it?
Why is it running xauth before calling pam_selinux.so open?
Dgod, can you give us some insight here?
lxdm uses xauth to create the xauth file of the xserver. The xserver is started by lxdm before the pam session. slim likely does the same thing. I don't think it's a security problem; if necessary, I can rewrite this part.
As long as I understand this is normal. I do not have a problem adding the access.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.9.5-7.fc14
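
Added example, not part of the original thread and not audit2allow's own code: the `grep avc ... | audit2allow` workaround above turns every denial in the audit log into an allow rule, so this sketch parses AVC records and builds rules only for the lxdm denial. The second log record, the `example_t` domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the AVC from this report; the second is a constructed,
# unrelated denial standing in for other noise in audit.log.
SAMPLE_LOG = '''\
node=(removed) type=AVC msg=audit(1285040811.374:15): avc: denied { execute } for pid=1479 comm="lxdm-binary" name="xauth" dev=dm-0 ino=21734 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file
type=AVC msg=audit(1285040900.100:42): avc: denied { read write } for pid=2001 comm="exampled" name="example.db" dev=dm-0 ino=999 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (comm, source_type, target_type, tclass, perms) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m["comm"], se_type(m["scon"]), se_type(m["tcon"]),
                   m["tclass"], m["perms"].split())

def allow_rules(log_text, comm=None, source_type=None):
    """Build allow rules, optionally restricted to one command or source domain."""
    merged = defaultdict(set)
    for c, src, tgt, cls, perms in parse_denials(log_text):
        if comm and c != comm:
            continue
        if source_type and src != source_type:
            continue
        merged[(src, tgt, cls)].update(perms)  # merge perms per (src, tgt, class)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))                      # every logged denial
    print("\n".join(allow_rules(SAMPLE_LOG, comm="lxdm-binary")))  # this report only
```

Reviewing the filtered rule list before building a module keeps unrelated denials from being allowed along with the one under discussion.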
lxdm-0.4.1-1.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc17
lxdm-0.4.1-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc16
lxdm-0.4.1-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/lxdm-0.4.1-1.fc15
Package lxdm-0.4.1-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing lxdm-0.4.1-1.fc16'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4399/lxdm-0.4.1-1.fc16 then log in and leave karma (feedback).
lxdm-0.4.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.4.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
lxdm-0.4.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.