Bug 832840 - /usr/bin/kdm is mislabeled
Summary: /usr/bin/kdm is mislabeled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
: 832806 832860 833184 833219 833383 833627 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-17 22:15 UTC by bodhi.zazen
Modified: 2013-08-03 11:55 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 00:30:12 UTC


Attachments (Terms of Use)
raw avc denials (202.56 KB, application/octet-stream)
2012-06-17 22:15 UTC, bodhi.zazen
no flags Details

Description bodhi.zazen 2012-06-17 22:15:44 UTC
Created attachment 592480 [details]
raw avc denials

Description of problem:

 /usr/bin/kdm is mislabeled in the policy, prevents user_u from logging into kde.

Version-Release number of selected component (if applicable):


How reproducible:

Try to log into kde

Steps to Reproduce:
1. Log into kde as a user_u
2.
3.
  
Actual results:

kde does not allow log in

Expected results:

Able to log in

Additional info:

Fix

/usr/bin/kde is mislabeled as bin_t ,

/usr/bin/kdm should be type xdm_exec_t

Comment 1 Miroslav Grepl 2012-06-18 08:46:32 UTC
*** Bug 832860 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2012-06-18 08:46:37 UTC
*** Bug 832806 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2012-06-18 09:23:51 UTC
Yes,

# chcon -t xdm_exec_t /usr/bin/kdm

will fix it for now.

Comment 4 bodhi.zazen 2012-06-18 12:19:36 UTC
sorry for the duplicates, I was having problems connecting to bugzilla.

Comment 5 Miroslav Grepl 2012-06-18 12:30:35 UTC
No problem.

I have finally found a bug. 

Fixed in selinux-policy-3.10.0-132.fc17

Comment 6 Orion Poplawski 2012-06-18 19:35:59 UTC
For me it actually allows you to login, but only after a delay of 20-30 seconds.  Denial message is:

type=USER_AVC msg=audit(1340046369.740:212): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.193 spid=6245 tpid=6222 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 7 Daniel Walsh 2012-06-18 20:35:30 UTC
That looks like you still have a process running as initrc_t?

Comment 8 Rex Dieter 2012-06-18 20:37:04 UTC
*** Bug 833184 has been marked as a duplicate of this bug. ***

Comment 9 Orion Poplawski 2012-06-18 20:37:20 UTC
Yeah, because kdm is labeled bin_t instead of kdm_exec_t.  Changing that fixes it.  But -130 wants it labeled bin_t.

Comment 10 Miroslav Grepl 2012-06-18 20:38:15 UTC
Yes and a new build/update is on the way.

Comment 11 Rex Dieter 2012-06-18 22:05:28 UTC
*** Bug 833219 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2012-06-19 07:59:56 UTC
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17

Comment 13 Rex Dieter 2012-06-19 13:19:25 UTC
*** Bug 833383 has been marked as a duplicate of this bug. ***

Comment 14 Fedora Update System 2012-06-20 00:30:12 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Kevin Kofler 2012-06-20 09:02:36 UTC
*** Bug 833627 has been marked as a duplicate of this bug. ***

Comment 16 Fedora Update System 2012-07-19 09:18:17 UTC
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Ruben Guerra Marin 2013-08-02 04:02:03 UTC
I don't know if this is the same bug, but I have the same problems on f19. I write my user and password on kdm, and when I hit enter, it lasts like 10 seconds to start the splash screen, unless I wait the 10 seconds before hitting enter.

Writing "chcon -t xdm_exec_t /usr/bin/kdm" just returns:

chcon: can't apply partial context to unlabeled file ‘/usr/bin/kdm’

any ideas if this is the same? thanks!

Comment 18 Orion Poplawski 2013-08-02 04:38:16 UTC
It's clearly mislabled, but it is completely unlabelled.  SELinx labels have several components, not just the "type" (what you are setting with -t).

e.g.:
# ls -lZ /usr/bin/kdm
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/kdm

Try "restorecon -v /usr/bin/kdm" to set the proper label.

Comment 19 Ruben Guerra Marin 2013-08-02 04:51:08 UTC
Thanks for answering so quickly, I tried that but I still have the problem. I even have selinux disabled and I still have the problem, so I guess it is something else than selinux?

thanks!

Comment 20 Orion Poplawski 2013-08-02 05:00:05 UTC
Don't disable SELinux - that's going to lead to a lot on unlabeled files causing problems if you re-enable.  Set permissive mode (enforcing=0) instead.

If you want to try to get back to a working selinux system do:

touch /.autorelabel

and reboot.  This will take a while to relabel everything on system.

Comment 21 Ruben Guerra Marin 2013-08-02 05:02:50 UTC
I tried that command, and yes it took a while to relabel everything, but I'm still having the delay after I hit enter =/

Comment 22 Daniel Walsh 2013-08-02 14:49:24 UTC
Try with the force command

restorecon -F /usr/sbin/gdm

Comment 23 Kevin Kofler 2013-08-03 11:55:16 UTC
This bug is about SELinux, if you're having the issue even with SELinux disabled (as you said in comment #19), you're experiencing a DIFFERENT bug with the same symptoms.


Note You need to log in before you can comment on or make changes to this bug.