Bug 832840 - /usr/bin/kdm is mislabeled
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Assigned To: Miroslav Grepl
Ben Levenson
Duplicates: 832806 832860 833184 833219 833383 833627
Reported: 2012-06-17 18:15 EDT by bodhi.zazen
Modified: 2013-08-03 07:55 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-19 20:30:12 EDT
Type: Bug

Attachments:
raw avc denials (202.56 KB, application/octet-stream), 2012-06-17 18:15 EDT, bodhi.zazen

Description bodhi.zazen 2012-06-17 18:15:44 EDT
Created attachment 592480
raw avc denials

Description of problem:

 /usr/bin/kdm is mislabeled in the policy, prevents user_u from logging into kde.

Version-Release number of selected component (if applicable):


How reproducible:

Try to log into kde

Steps to Reproduce:
1. Log into kde as a user_u

Actual results:

kde does not allow log in

Expected results:

Able to log in

Additional info:

Fix

/usr/bin/kde is mislabeled as bin_t,

/usr/bin/kdm should be type xdm_exec_t
Comment 1 Miroslav Grepl 2012-06-18 04:46:32 EDT
*** Bug 832860 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2012-06-18 04:46:37 EDT
*** Bug 832806 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2012-06-18 05:23:51 EDT
Yes,

# chcon -t xdm_exec_t /usr/bin/kdm

will fix it for now.
Comment 4 bodhi.zazen 2012-06-18 08:19:36 EDT
Sorry for the duplicates, I was having problems connecting to Bugzilla.
Comment 5 Miroslav Grepl 2012-06-18 08:30:35 EDT
No problem.

I have finally found a bug. 

Fixed in selinux-policy-3.10.0-132.fc17
Comment 6 Orion Poplawski 2012-06-18 15:35:59 EDT
For me it actually allows you to log in, but only after a delay of 20-30 seconds.  Denial message is:

type=USER_AVC msg=audit(1340046369.740:212): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.193 spid=6245 tpid=6222 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Comment 7 Daniel Walsh 2012-06-18 16:35:30 EDT
That looks like you still have a process running as initrc_t?
Comment 8 Rex Dieter 2012-06-18 16:37:04 EDT
*** Bug 833184 has been marked as a duplicate of this bug. ***
Comment 9 Orion Poplawski 2012-06-18 16:37:20 EDT
Yeah, because kdm is labeled bin_t instead of kdm_exec_t.  Changing that fixes it.  But -130 wants it labeled bin_t.
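
The denial quoted in comment 6 can be taken apart mechanically, which makes the `initrc_t` target that comment 7 asks about easy to spot. This is an added example, not part of the original thread or of the selinux-policy project; the function names and the `GENERIC_DOMAINS` set are assumptions made for illustration.

```python
import re

# Audit record quoted in comment 6 of this bug, copied verbatim.
RECORD = (
    "type=USER_AVC msg=audit(1340046369.740:212): pid=0 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=error "
    "error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.193 "
    "spid=6245 tpid=6222 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

# Assumption: initrc_t (the domain named in this thread) marks a process that
# never entered a dedicated domain; extend the set for your own policy.
GENERIC_DOMAINS = {"initrc_t"}


def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"partial SELinux context: {ctx!r}")
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [None] * (4 - len(parts))))


def parse_denial(record):
    """Return the fields of an AVC denial, or None if the record is not one."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    names = ("scontext", "tcontext", "tclass")
    found = {n: re.search(rf"\b{n}=(\S+)", record) for n in names}
    if not perms or not all(found.values()):
        return None
    return {
        "perms": perms.group(1).split(),
        "source": split_context(found["scontext"].group(1)),
        "target": split_context(found["tcontext"].group(1)),
        "tclass": found["tclass"].group(1),
    }


def generic_domain_sides(denial):
    """Which sides of the denial (source/target) run in a generic domain."""
    return [s for s in ("source", "target") if denial[s]["type"] in GENERIC_DOMAINS]


if __name__ == "__main__":
    print(parse_denial(RECORD)["target"], generic_domain_sides(parse_denial(RECORD)))
```

On the record above only the target side is reported, which matches comment 9: the process receiving the D-Bus message was started from a kdm binary labeled bin_t.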
Comment 10 Miroslav Grepl 2012-06-18 16:38:15 EDT
Yes and a new build/update is on the way.
Comment 11 Rex Dieter 2012-06-18 18:05:28 EDT
*** Bug 833219 has been marked as a duplicate of this bug. ***
Comment 12 Fedora Update System 2012-06-19 03:59:56 EDT
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17
Comment 13 Rex Dieter 2012-06-19 09:19:25 EDT
*** Bug 833383 has been marked as a duplicate of this bug. ***
Comment 14 Fedora Update System 2012-06-19 20:30:12 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Kevin Kofler 2012-06-20 05:02:36 EDT
*** Bug 833627 has been marked as a duplicate of this bug. ***
Comment 16 Fedora Update System 2012-07-19 05:18:17 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Ruben Guerra Marin 2013-08-02 00:02:03 EDT
I don't know if this is the same bug, but I have the same problems on f19. I type my user and password in kdm, and when I hit enter, it takes like 10 seconds to start the splash screen, unless I wait the 10 seconds before hitting enter.

Writing "chcon -t xdm_exec_t /usr/bin/kdm" just returns:

chcon: can't apply partial context to unlabeled file ‘/usr/bin/kdm’

Any ideas if this is the same? Thanks!
Comment 18 Orion Poplawski 2013-08-02 00:38:16 EDT
It's clearly mislabeled, but it is completely unlabelled.  SELinux labels have several components, not just the "type" (what you are setting with -t).

e.g.:
# ls -lZ /usr/bin/kdm
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/kdm

Try "restorecon -v /usr/bin/kdm" to set the proper label.
Comment 19 Ruben Guerra Marin 2013-08-02 00:51:08 EDT
Thanks for answering so quickly, I tried that but I still have the problem. I even have SELinux disabled and I still have the problem, so I guess it is something other than SELinux?

Thanks!
Comment 20 Orion Poplawski 2013-08-02 01:00:05 EDT
Don't disable SELinux - that's going to lead to a lot of unlabeled files causing problems if you re-enable.  Set permissive mode (enforcing=0) instead.

If you want to try to get back to a working SELinux system do:

touch /.autorelabel

and reboot.  This will take a while to relabel everything on the system.
Comment 21 Ruben Guerra Marin 2013-08-02 01:02:50 EDT
I tried that command, and yes it took a while to relabel everything, but I'm still having the delay after I hit enter =/
Comment 22 Daniel Walsh 2013-08-02 10:49:24 EDT
Try with the force command

restorecon -F /usr/sbin/gdm
Comment 23 Kevin Kofler 2013-08-03 07:55:16 EDT
This bug is about SELinux, if you're having the issue even with SELinux disabled (as you said in comment #19), you're experiencing a DIFFERENT bug with the same symptoms.
