Bug 823232 - SELinux violation when running "sudo su -"
SELinux violation when running "sudo su -"
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-20 00:33 EDT by Ignacio Vazquez-Abrams
Modified: 2012-06-27 23:27 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-27 23:27:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ignacio Vazquez-Abrams 2012-05-20 00:33:52 EDT
SELinux diagnostic tool reporting failed. Here is a transcript of the violation details:

=== TRANSCRIPT BEGINS ===
SELinux is preventing /usr/bin/xauth from write access on the directory auth-for-ignacio-T2O6TC.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xauth should be allowed write access on the auth-for-ignacio-T2O6TC directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xauth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:xauth_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                auth-for-ignacio-T2O6TC [ dir ]
Source                        xauth
Source Path                   /usr/bin/xauth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xorg-x11-xauth-1.0.6-1.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 3.3.5-2.fc16.x86_64 #1
                              SMP Tue May 8 11:24:50 UTC 2012 x86_64 x86_64
Alert Count                   183
First Seen                    Wed 11 Apr 2012 10:51:51 AM EDT
Last Seen                     Sat 19 May 2012 10:42:05 PM EDT
Local ID                      3044fccc-4fac-4b37-98db-61429474639c

Raw Audit Messages
type=AVC msg=audit(1337481725.253:131): avc:  denied  { write } for  pid=3491 comm="xauth" name="auth-for-ignacio-T2O6TC" dev="tmpfs" ino=26721 scontext=unconfined_u:unconfined_r:xauth_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1337481725.253:131): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffb8e13530 a1=c1 a2=180 a3=8 items=0 ppid=3490 pid=3491 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=xauth exe=/usr/bin/xauth subj=unconfined_u:unconfined_r:xauth_t:s0 key=(null)

Hash: xauth,xauth_t,var_run_t,dir,write

audit2allow

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# nx_server_var_lib_t, user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t

allow xauth_t var_run_t:dir write;

audit2allow -R

#============= xauth_t ==============
#!!!! The source type 'xauth_t' can write to a 'dir' of the following types:
# nx_server_var_lib_t, user_home_t, xauth_tmp_t, var_lib_t, xdm_var_run_t, admin_home_t, user_home_dir_t, tmp_t, user_tmp_t

allow xauth_t var_run_t:dir write;

=== TRANSCRIPT ENDS ===
Comment 1 Daniel Walsh 2012-05-21 10:02:07 EDT
What directory is xauth trying to write into?  What were you doing when this happened?
Comment 2 lovyagin 2012-06-06 10:40:36 EDT
Have same bug here. Have fresh install of Fedora 17 + MATE DE. Appears each time I start su.
Comment 3 Dominick Grift 2012-06-06 10:49:56 EDT
probably /run/gdm/.*

i do not see this problem here (its labeled xdm_var_run_t here) but then again i do not use su.
Comment 4 Daniel Walsh 2012-06-07 11:59:44 EDT
ls -ldZ /run/gdm
Comment 5 lovyagin 2012-06-07 12:09:10 EDT
$ ls -ldZ /run/gfm
ls: cannot access /run/gdm: No such file or directory
$ ls -ldZ /run/mdm
drwx--x--x. root mdm system_u:object_r:var_run_t:s0 /run/mdm
$
Comment 6 Daniel Walsh 2012-06-07 12:25:59 EDT
What is mdm?

Fixed in selinux-policy-3.10.0-129.fc17

semanage fcontext -a -t xdm_var_run_t '/var/run/mdm(/.*)?'
restorecon -R -v /run

Will fix for now.
Comment 7 lovyagin 2012-06-07 12:29:23 EDT
mdm is fork of GNOME 2 gdm (aka MATE display manager)
yup, thanks, I see, will check now
Comment 8 lovyagin 2012-06-07 12:40:39 EDT
Daniel, looks like it helps, but context restores to initial after reboot, so fix is not permanent...
Comment 9 Daniel Walsh 2012-06-07 14:43:55 EDT
ps -eZ | grep mdm
Comment 10 Daniel Walsh 2012-06-07 14:46:59 EDT
chcon -t xdm_exec_t /usr/sbin/mdm
Comment 11 lovyagin 2012-06-07 14:54:58 EDT
# ps -eZ | grep mdm
system_u:system_r:initrc_t:s0 497 ? 00:00:00 mdm-binary
system_u:system_r:initrc_t:s0 621 ? 00:00:00 mdm-simple-slav
system_u:system_r:initrc_t:s0 793 ? 00:00:00 mdm-session-wor
unconfined_u:unconfined_r:unconfined_t:s0 1070 ? 00:00:00 mdm-user-switch
#
Comment 12 lovyagin 2012-06-07 15:02:46 EDT
chcon -t xdm_exec_t /usr/sbin/mdm helps in this issue but produce a lot of other SElinux violation, will check
Comment 13 Daniel Walsh 2012-06-07 15:05:03 EDT
chcon -t xdm_exec_t /usr/sbin/mdm-binary

rpm -qlf /usr/sbin/mdm-binary

You probably need to do fixes to /var/lib/mdm and /var/run/mdm and /var/log/mdm to match gdm labels.
Comment 14 Daniel Walsh 2012-06-07 15:08:53 EDT
chcon -Rt xdm_var_run_t /run/mdm
chcon -Rt xserver_log_t /var/log/mdm
chcon -Rt xdm_var_lib_t /var/lib/mdm
Comment 15 lovyagin 2012-06-08 09:02:08 EDT
well, looks like 

chcon -t xdm_exec_t /usr/sbin/mdm
chcon -t xdm_exec_t /usr/sbin/mdm-binary

chcon -Rt xdm_var_lib_t /var/lib/mdm
chcon -Rt xdm_log_t /var/log/mdm
chcon -Rt xdm_var_lib_t /var/cache/mdm
chcon -Rt xdm_etc_t /etc/mdm
chcon -Rt xserver_log_t /var/mdm
chcon -Rt xdm_etc_t /etc/gdm
chcon -Rt xdm_etc_t /etc/gdm/custom.conf
chcon -Rt xdm_unconfined_exec_t /etc/gdm/Init
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PostLogin
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PostSession
chcon -Rt xdm_unconfined_exec_t /etc/gdm/PreSession
chcon -t dbusd_etc_t /etc/dbus-1/system.d/mdm.conf 
chcon -Rt xdm_spool_t /var/spool/mdm

is enough for mdm, looking forward how to semanage fcontext / restorecon it correctly inside LiveCD kickstart script...
Comment 16 Daniel Walsh 2012-06-08 10:37:05 EDT
chcon -Rt xserver_log_t /var/mdm

I have everyone except ^^

This should not  be needed. mdm should not store its log files in this directory.
Comment 17 lovyagin 2012-06-08 11:45:09 EDT
Hm, I examined gdm-2.32.1-2.fc14.x86_64.rpm to find all that, I checked, it provides this (xserver_log_t) context for /var/gdm...
Comment 18 Daniel Walsh 2012-06-11 10:10:29 EDT
Old version, probably should remove that labelling.
Comment 19 Fedora Update System 2012-06-15 06:31:11 EDT
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16
Comment 20 Fedora Update System 2012-06-15 19:52:37 EDT
Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).
Comment 21 Fedora Update System 2012-06-27 23:27:07 EDT
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.