Bug 657727 - SELinux is preventing /usr/libexec/gdm-session-worker "create" access.
Summary: SELinux is preventing /usr/libexec/gdm-session-worker "create" access.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:7c401150f0b...
Duplicates: 657717 657728 657729 657730 657731 657732 657733 657734 657735 657736 657737 657738 657740 657741 657742 657743 657751 657886 657888
Depends On:
Blocks:
Reported: 2010-11-27 16:34 UTC by antonio montagnani
Modified: 2010-11-29 21:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-29 21:03:21 UTC
Type: ---
Embargoed:



Description antonio montagnani 2010-11-27 16:34:38 UTC
Summary:

SELinux is preventing /usr/libexec/gdm-session-worker "create" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gdm-session-wor. It is not expected that
this access is required by gdm-session-wor and this access may signal
an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access:

You can generate a local policy module to allow this access
- see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:pam_console_t:s0
Target Objects                None [ key ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-2.32.0-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-12.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri
                              Oct 22 15:27:53 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Sat 27 Nov 2010 16:47:09 CET
Last Seen                     Sat 27 Nov 2010 17:29:10 CET
Local ID                      ba308396-50ef-4e4e-bbdb-6c1a0484719a
Line Numbers                  

Raw Audit Messages            

node=(rimosso) type=AVC msg=audit(1290875350.221:10): avc:  denied  { create } for  pid=2411 comm="gdm-session-wor" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:pam_console_t:s0 tclass=key

node=(rimosso) type=SYSCALL msg=audit(1290875350.221:10): arch=40000003 syscall=4 success=yes exit=35 a0=a a1=852c130 a2=23 a3=852c130 items=0 ppid=2229 pid=2411 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,gdm-session-wor,xdm_t,pam_console_t,key,create
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t pam_console_t:key create;

Comment 1 antonio montagnani 2010-11-27 17:06:56 UTC
Suddenly I could not log in on my graphical console.

Disabling SELinux or setting it to Permissive makes it work fine.

Comment 2 antonio montagnani 2010-11-27 20:32:29 UTC
I restarted in mode 3 (text) and at password input I get Authentication failure...

Comment 3 antonio montagnani 2010-11-27 21:47:56 UTC
Before these updates, the system was working

Nov 27 15:07:12 Updated: libselinux-2.0.96-6.fc14.1.i686
Nov 27 15:07:16 Updated: pulseaudio-libs-0.9.21-7.fc14.i686
Nov 27 15:07:16 Updated: libudev-161-7.fc14.i686
Nov 27 15:07:20 Updated: udev-161-7.fc14.i686
Nov 27 15:07:22 Updated: openssh-5.5p1-24.fc14.2.i686
Nov 27 15:07:23 Updated: alsa-lib-1.0.23-2.fc14.i686
Nov 27 15:07:26 Updated: pulseaudio-0.9.21-7.fc14.i686
Nov 27 15:07:27 Updated: pulseaudio-utils-0.9.21-7.fc14.i686
Nov 27 15:07:28 Updated: pulseaudio-libs-zeroconf-0.9.21-7.fc14.i686
Nov 27 15:07:29 Updated: pulseaudio-libs-glib2-0.9.21-7.fc14.i686
Nov 27 15:07:30 Updated: libselinux-utils-2.0.96-6.fc14.1.i686
Nov 27 15:07:32 Updated: policycoreutils-2.0.83-33.2.fc14.i686
Nov 27 15:07:34 Updated: libselinux-python-2.0.96-6.fc14.1.i686
Nov 27 15:07:36 Updated: policycoreutils-python-2.0.83-33.2.fc14.i686
Nov 27 15:07:37 Updated: evince-libs-2.32.0-2.fc14.i686
Nov 27 15:07:38 Updated: 1:telepathy-mission-control-5.6.1-1.fc14.i686
Nov 27 15:08:01 Updated: empathy-2.32.2-1.fc14.i686
Nov 27 15:08:08 Updated: evince-2.32.0-2.fc14.i686
Nov 27 15:08:08 Updated: pulseaudio-module-zeroconf-0.9.21-7.fc14.i686
Nov 27 15:08:08 Updated: pulseaudio-module-bluetooth-0.9.21-7.fc14.i686
Nov 27 15:08:09 Updated: pulseaudio-module-gconf-0.9.21-7.fc14.i686
Nov 27 15:08:09 Updated: pulseaudio-module-jack-0.9.21-7.fc14.i686
Nov 27 15:08:10 Updated: openssh-askpass-5.5p1-24.fc14.2.i686
Nov 27 15:08:11 Updated: openssh-server-5.5p1-24.fc14.2.i686
Nov 27 15:08:12 Updated: openssh-clients-5.5p1-24.fc14.2.i686
Nov 27 15:08:13 Updated: libgudev1-161-7.fc14.i686
Nov 27 15:08:15 Updated: man-db-2.5.7-6.fc14.i686
Nov 27 15:08:17 Updated: openjpeg-libs-1.3-10.fc14.i686
Nov 27 15:08:17 Updated: xorg-x11-server-common-1.9.1-3.fc14.i686
Nov 27 15:08:19 Updated: policycoreutils-gui-2.0.83-33.2.fc14.i686
Nov 27 15:08:21 Updated: pulseaudio-libs-devel-0.9.21-7.fc14.i686
Nov 27 15:08:21 Updated: pulseaudio-esound-compat-0.9.21-7.fc14.i686
Nov 27 15:08:27 Updated: alsa-lib-devel-1.0.23-2.fc14.i686
Nov 27 15:08:29 Updated: libudev-devel-161-7.fc14.i686
Nov 27 15:08:30 Updated: dracut-006-5.fc14.noarch
Nov 27 15:08:32 Updated: libselinux-devel-2.0.96-6.fc14.1.i686
Nov 27 15:08:32 Updated: pulseaudio-gdm-hooks-0.9.21-7.fc14.i686
Nov 27 15:08:33 Updated: xorg-x11-server-Xorg-1.9.1-3.fc14.i686
Nov 27 15:47:28 Updated: openldap-2.4.23-4.fc14.i686
Nov 27 15:47:29 Updated: samba-winbind-clients-3.5.6-71.fc14.i686
Nov 27 15:47:30 Updated: libuuid-2.18-4.6.fc14.i686
Nov 27 15:47:35 Updated: 1:qt-4.7.1-3.fc14.i686
Nov 27 15:47:50 Updated: samba-common-3.5.6-71.fc14.i686
Nov 27 15:47:51 Updated: libblkid-2.18-4.6.fc14.i686
Nov 27 15:47:52 Updated: libcurl-7.21.0-6.fc14.i686
Nov 27 15:47:52 Updated: libudev-161-8.fc14.i686
Nov 27 15:47:54 Updated: elfutils-libelf-0.150-1.fc14.i686
Nov 27 15:47:55 Updated: elfutils-libs-0.150-1.fc14.i686
Nov 27 15:47:56 Updated: libmount-2.18-4.6.fc14.i686
Nov 27 15:48:02 Updated: util-linux-ng-2.18-4.6.fc14.i686
Nov 27 15:48:07 Updated: udev-161-8.fc14.i686
Nov 27 15:48:08 Updated: sane-backends-libs-gphoto2-1.0.21-5.fc14.i686
Nov 27 15:48:13 Updated: sane-backends-libs-1.0.21-5.fc14.i686
Nov 27 15:48:20 Updated: sane-backends-1.0.21-5.fc14.i686
Nov 27 15:48:30 Updated: samba-3.5.6-71.fc14.i686
Nov 27 15:48:30 Updated: 1:qt-sqlite-4.7.1-3.fc14.i686
Nov 27 15:48:36 Updated: 1:qt-webkit-4.7.1-3.fc14.i686
Nov 27 15:48:46 Updated: 1:qt-x11-4.7.1-3.fc14.i686
Nov 27 15:48:49 Updated: ntpdate-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:48:51 Updated: ntp-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:49:02 Updated: wireshark-1.4.2-1.fc14.i686
Nov 27 15:49:03 Updated: foomatic-db-filesystem-4.0-22.20101123.fc14.noarch
Nov 27 15:49:20 Updated: foomatic-db-ppds-4.0-22.20101123.fc14.noarch
Nov 27 15:49:22 Updated: xsane-common-0.998-1.fc14.i686
Nov 27 15:49:25 Updated: bluefish-shared-data-2.0.2-4.fc14.noarch
Nov 27 15:49:28 Updated: 6:kdelibs-common-4.5.3-3.fc14.i686
Nov 27 15:49:35 Updated: bluefish-2.0.2-4.fc14.i686
Nov 27 15:49:45 Updated: foomatic-db-4.0-22.20101123.fc14.noarch
Nov 27 15:49:46 Updated: ntp-perl-4.2.6p3-0.1.rc10.fc14.i686
Nov 27 15:49:48 Updated: libudev-devel-161-8.fc14.i686
Nov 27 15:49:49 Updated: libcurl-devel-7.21.0-6.fc14.i686
Nov 27 15:49:52 Installed: paktype-naqsh-fonts-3.0-4.fc14.noarch
Nov 27 15:49:57 Updated: xkeyboard-config-1.9-7.fc14.noarch
Nov 27 15:50:04 Updated: xorg-x11-proto-devel-7.4-39.fc14.noarch
Nov 27 15:50:05 Updated: pyserial-2.5-1.fc14.noarch
Nov 27 15:50:10 Updated: perl-Image-ExifTool-8.40-1.fc14.noarch
Nov 27 15:50:12 Updated: lohit-devanagari-fonts-2.4.3-8.fc14.noarch
Nov 27 15:50:14 Updated: lohit-kannada-fonts-2.4.5-4.fc14.noarch
Nov 27 15:50:16 Updated: logwatch-7.3.6-58.fc14.noarch
Nov 27 15:50:18 Installed: paktype-tehreer-fonts-2.0-10.fc14.noarch
Nov 27 15:50:39 Updated: 6:kdelibs-4.5.3-3.fc14.i686
Nov 27 15:50:41 Updated: xsane-0.998-1.fc14.i686
Nov 27 15:50:50 Updated: wireshark-gnome-1.4.2-1.fc14.i686
Nov 27 15:50:59 Updated: samba-swat-3.5.6-71.fc14.i686
Nov 27 15:51:04 Updated: crda-1.1.1_2010.11.22-1.fc14.i686
Nov 27 15:51:05 Updated: elfutils-0.150-1.fc14.i686
Nov 27 15:51:06 Updated: libgudev1-161-8.fc14.i686
Nov 27 15:51:09 Updated: gpredict-1.2-1.fc14.i686
Nov 27 15:51:10 Updated: curl-7.21.0-6.fc14.i686
Nov 27 15:51:13 Updated: parted-2.3-4.fc14.i686
Nov 27 15:51:26 Updated: samba-client-3.5.6-71.fc14.i686
Nov 27 15:51:32 Updated: samba-winbind-3.5.6-71.fc14.i686
Nov 27 15:51:36 Updated: 1:qt-mysql-4.7.1-3.fc14.i686
Nov 27 15:51:37 Updated: libsmbclient-3.5.6-71.fc14.i686
Nov 27 15:51:40 Updated: 1:quota-3.17-14.fc14.i686
Nov 27 15:51:41 Updated: libvpx-0.9.5-2.fc14.i686
Nov 27 15:51:42 Updated: schroedinger-1.0.10-1.fc14.i686
Nov 27 15:51:47 Updated: evolution-data-server-2.32.1-2.fc14.i686
Nov 27 15:51:50 Updated: lshw-B.02.15-1.fc14.i686
Nov 27 15:51:53 Updated: libicu-4.4.1-5.fc14.i686
Nov 27 15:51:56 Updated: xorg-x11-xkb-utils-7.5-1.fc14.i686
Nov 27 15:51:57 Updated: yp-tools-2.11-2.fc14.i686
Nov 27 15:51:58 Updated: libnetfilter_conntrack-0.9.0-1.fc14.i686
Nov 27 15:52:03 Updated: planner-0.14.4-27.fc14.i686
Nov 27 15:52:30 Erased: paktype-fonts-common
Nov 27 21:57:18 Installed: selinux-policy-targeted-3.9.7-12.fc14.noarch
Nov 27 22:20:37 Installed: selinux-policy-3.9.7-12.fc14.noarch

Comment 4 Miroslav Grepl 2010-11-28 22:15:21 UTC
What does the following command say 

# id -Z


Also, did you relabel after disabling SELinux? But I have a feeling the policy was not installed properly. Does

# yum reinstall selinux-policy-targeted 

complete successfully?

Comment 5 Miroslav Grepl 2010-11-28 22:17:58 UTC
*** Bug 657717 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2010-11-28 22:18:25 UTC
*** Bug 657728 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2010-11-28 22:19:07 UTC
*** Bug 657729 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2010-11-28 22:19:49 UTC
*** Bug 657730 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2010-11-28 22:20:26 UTC
*** Bug 657731 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2010-11-28 22:21:04 UTC
*** Bug 657733 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2010-11-28 22:22:10 UTC
*** Bug 657732 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2010-11-28 22:23:02 UTC
*** Bug 657734 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2010-11-28 22:23:48 UTC
*** Bug 657735 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2010-11-28 22:24:28 UTC
*** Bug 657736 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2010-11-28 22:25:29 UTC
*** Bug 657737 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2010-11-28 22:26:02 UTC
*** Bug 657738 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2010-11-28 22:26:32 UTC
*** Bug 657740 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2010-11-28 22:27:01 UTC
*** Bug 657741 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2010-11-28 22:27:44 UTC
*** Bug 657742 has been marked as a duplicate of this bug. ***

Comment 20 Miroslav Grepl 2010-11-28 22:28:18 UTC
*** Bug 657743 has been marked as a duplicate of this bug. ***

Comment 21 Miroslav Grepl 2010-11-28 22:28:53 UTC
*** Bug 657751 has been marked as a duplicate of this bug. ***

Comment 22 Miroslav Grepl 2010-11-28 22:29:59 UTC
*** Bug 657888 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2010-11-28 23:24:31 UTC
*** Bug 657886 has been marked as a duplicate of this bug. ***

Comment 24 antonio montagnani 2010-11-29 06:19:39 UTC
id -Z
system_u:system_r:pam_console_t:s0


System was working with SELinux targeted, then after some updates, I could not access my system, I disabled it at boot time with Selinux=0, then I re-enabled as permissive and at boot time it should have relabeled it as I saw working and rebooting

I didn't get warning/error during
 # yum reinstall selinux-policy-targeted 

but I got a bunch of AVC denials

Comment 25 antonio montagnani 2010-11-29 06:21:21 UTC
# yum reinstall selinux-policy-targeted 
Plugin abilitati:allowdowngrade, presto, refresh-packagekit, remove-with-leaves,
               : show-leaves, upgrade-helper
Impostazione processo di reinstallazione
adobe-linux-i386                                         |  951 B     00:00     
rpmfusion-free-updates                                   | 3.3 kB     00:00     
rpmfusion-nonfree-updates                                | 3.3 kB     00:00     
updates                                                  | 4.7 kB     00:00     
updates/primary_db                                       | 1.9 MB     00:08     
Risoluzione dipendenze
--> Esecuzione del controllo di transazione
---> Pacchetto selinux-policy-targeted.noarch 0:3.9.7-12.fc14 settato per essere reinstalled
--> Risoluzione delle dipendenze completata

Dipendenze risolte

================================================================================
 Pacchetto                    Arch        Versione           Repository    Dim.
================================================================================
Reinstallazione:
 selinux-policy-targeted      noarch      3.9.7-12.fc14      updates      2.4 M

Riepilogo della transazione
================================================================================
Reinstall     1 Package(s)

Dimensione totale del download: 2.4 M
Dimensione installata: 2.8 M
Procedere [s/N]: s
Procedere [s/N]: y
Download dei pacchetti:
Setting up and reading Presto delta metadata
updates/prestodelta                                      | 286 kB     00:01     
Processing delta metadata
Package(s) data still to download: 2.4 M
selinux-policy-targeted-3.9.7-12.fc14.noarch.rpm         | 2.4 MB     00:10     
Esecuzione rpm_check_debug
Test di transazione in corso
Test di transazione eseguito con successo
Transazione in corso
  Installazione  : selinux-policy-targeted-3.9.7-12.fc14.noarch             1/1 
Can't stat exclude path "/var/lib/BackupPC", No such file or directory - ignoring.
*

Installato:
  selinux-policy-targeted.noarch 0:3.9.7-12.fc14                                                      

Completo!

Comment 26 antonio montagnani 2010-11-29 06:47:29 UTC
(In reply to comment #24)
> id -Z
> system_u:system_r:pam_console_t:s0
> 
> 
> System was working with SELinux targeted, then after some updates, I could not
> access my system, I disabled it at boot time with Selinux=0, then I re-enabled
> as permissive and at boot time it should have relabeled it as I saw working and
> rebooting
> 
> I didn't get warning/error during
>  # yum reinstall selinux-policy-targeted 
> 
> but I got a bunch of AVC denials

# yum reinstall selinux-policy-targeted 


Please note this warning
_______________________________________________________________________
Transazione in corso
  Installazione  : selinux-policy-targeted-3.9.7-12.fc14.noarch             1/1 
Can't stat exclude path "/var/lib/BackupPC", No such file or directory - ignoring.
*

Installato:
  selinux-policy-targeted.noarch 0:3.9.7-12.fc14                                                      

Completo!
_______________________________________________________________________

Comment 27 Miroslav Grepl 2010-11-29 08:41:19 UTC
Ok and I guess the problem still persists. If so, could you now try to execute

# touch /.autorelabel; reboot

and then, after logging in in permissive mode, add the outputs of

# semanage login -l

# semanage user -l

Comment 28 antonio montagnani 2010-11-29 17:21:58 UTC
[root@Casa antonio]# semanage login -l

Nome di registrazione     Utente di SELinux         Gamma MLS/MCS            

__default__               system_u                  s0                       
root                      system_u                  s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023 

semanage user -l

                Etichettare MLS/       MLS/                          
Utente di SELinux Prefisso   Livello MCS Gamma MCS                      Ruoli SELinux

git_shell_u     user       s0         s0                             git_shell_r
guest_u         guest      s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        xguest     s0         s0                             xguest_r

Comment 29 Miroslav Grepl 2010-11-29 17:52:01 UTC
Try to execute

# semanage login -m -s unconfined_u -r s0-s0:c0.c1023  __default__
# semanage login -m -s unconfined_u root

Comment 30 antonio montagnani 2010-11-29 17:55:59 UTC
semanage login -m -s unconfined_u -r s0-s0:c0.c1023  __default__
libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).

Comment 31 antonio montagnani 2010-11-29 17:59:44 UTC
su
Password: 
[root@Casa antonio]# semanage login -m -s unconfined_u -r s0-s0:c0.c1023  __default__

[root@Casa antonio]# 
[root@Casa antonio]# semanage login -m -s unconfined_u root
[root@Casa antonio]# semanage login -l

Nome di registrazione     Utente di SELinux         Gamma MLS/MCS            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023
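
The checks requested in comments 4 and 27 can be scripted. The following is an added example, not part of the bug thread: it reads semanage login -l output and an id -Z value and flags the state seen in this report, where ordinary logins were mapped to system_u. The function names are hypothetical, and the sample rows are copied from comments 24, 28 and 31.

```shell
#!/bin/sh
# Added example, not part of the bug thread. Function names are hypothetical;
# sample rows below are copied from comments 28 and 31.

# Reads `semanage login -l` output on stdin and prints
# "BAD <login> -> <seuser> (<range>)" for every Linux login mapped to
# system_u. system_u is the identity for system processes, so only the
# system_u row itself may carry it. Returns 1 if a bad mapping was found.
check_login_map() {
    awk '
        # Data rows have an MLS/MCS range in column 3. This skips blank
        # lines and the header row in any locale.
        $3 !~ /^s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?$/ { next }
        $2 == "system_u" && $1 != "system_u" {
            printf "BAD %s -> %s (%s)\n", $1, $2, $3
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Takes the output of `id -Z` from an interactive login and succeeds only
# if the SELinux user field (first colon-separated field) is not system_u.
check_session_context() {
    seuser=${1%%:*}
    [ "$seuser" != "system_u" ]
}

# Mapping from comment 28 (broken), including the localized header row.
BROKEN_MAP='Nome di registrazione     Utente di SELinux         Gamma MLS/MCS

__default__               system_u                  s0
root                      system_u                  s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

# Mapping from comment 31 (after the semanage login -m commands).
FIXED_MAP='__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023'

printf '%s\n' "$BROKEN_MAP" | check_login_map || echo "login map needs repair"
printf '%s\n' "$FIXED_MAP" | check_login_map && echo "login map OK"

# On a live SELinux host (as root):
#   semanage login -l | check_login_map
#   check_session_context "$(id -Z)" || echo "session is running as system_u"
```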

Comment 32 Miroslav Grepl 2010-11-29 18:03:35 UTC
OK, now try to reboot and log in. It should work.

Comment 33 antonio montagnani 2010-11-29 18:11:38 UTC
It works fine!!!

Tnx a lot:

A final question: how could it happen???

Tnx again

Comment 34 Daniel Walsh 2010-11-29 20:13:14 UTC
Did you update from a very old version of Fedora?

Comment 35 antonio montagnani 2010-11-29 20:20:49 UTC
I went very smoothly from maybe Fedora Core 1 to Fedora 14 upgrading each release.

SELinux was set to targeted in Fedora 14 (but also in Fedora 12), it worked fine for at least two weeks, then I got this problem.

Comment 36 Daniel Walsh 2010-11-29 21:03:21 UTC
Very strange.  Somehow your SELinux users file got screwed up.  Since we have fixed this, I will close and watch for others having similar problems.

Comment 38 Daniel Walsh 2010-11-29 21:18:47 UTC
Yes, I knew this was a problem around Fedora 9/10 time, when we were working heavily on confined users.  We had some upgrade problems, but I have not heard of any problems in the last few releases.

