Bug 963238 - SELinux is preventing lightdm from 'create', 'write', and 'rename' accesses on the file .dmrc.RANDOM
SELinux is preventing lightdm from 'create', 'write', and 'rename' accesses o...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lightdm (Show other bugs)
19
x86_64 Linux
medium Severity low
: ---
: ---
Assigned To: Rex Dieter
Fedora Extras Quality Assurance
abrt_hash:96c74229ae13b9f7a89d2e0c976...
: Reopened
: 922958 (view as bug list)
Depends On:
Blocks: F19Beta-accepted/F19BetaFreezeException
  Show dependency treegraph
 
Reported: 2013-05-15 09:13 EDT by Jeff Bastian
Modified: 2013-06-09 23:22 EDT (History)
19 users (show)

See Also:
Fixed In Version: lightdm-1.6.0-9.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-09 23:22:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Bastian 2013-05-15 09:13:39 EDT
Description of problem:
I just logged in and setroubleshoot reported this problem.
SELinux is preventing lightdm from 'rename' accesses on the file .dmrc.OB17WW.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that lightdm should be allowed rename access on the .dmrc.OB17WW file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lightdm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                .dmrc.OB17WW [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-44.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.1-301.fc19.x86_64 #1 SMP Wed
                              May 8 18:02:34 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-15 08:09:40 CDT
Last Seen                     2013-05-15 08:09:40 CDT
Local ID                      c233f446-c018-4f42-af32-bd45b8a26072

Raw Audit Messages
type=AVC msg=audit(1368623380.426:482): avc:  denied  { rename } for  pid=276 comm="lightdm" name=".dmrc.OB17WW" dev="sda3" ino=1308754 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file


Hash: lightdm,xdm_t,user_home_t,file,rename

audit2allow

#============= xdm_t ==============
allow xdm_t user_home_t:file rename;

audit2allow -RYou must regenerate interface info by running /usr/bin/sepolgen-ifgen


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.1-301.fc19.x86_64
type:           libreport
Comment 1 Jeff Bastian 2013-05-15 09:17:58 EDT
It also wants 'create' and 'write' access on the same ~/.dmrc* file.


[root@firefly ~]# grep dmrc /var/log/audit/audit.log | audit2allow -M dmrc
...


[root@firefly ~]# cat dmrc.te

module dmrc 1.0;

require {
	type user_home_t;
	type xdm_t;
	class file { write rename create };
}

#============= xdm_t ==============
allow xdm_t user_home_t:file { write rename create };
Comment 2 Jeff Bastian 2013-05-15 09:19:20 EDT
This is with lightdm-1.6.0-4.fc19.x86_64
Comment 3 Jeff Bastian 2013-05-15 09:21:12 EDT
This is strange...  I thought lightdm was using accountsservice now instead of managing .dmrc files.

# rpm -q --requires lightdm | grep acc
accountsservice
Comment 4 Miroslav Grepl 2013-05-15 09:21:39 EDT
setsebool -P xdm_write_home 1
Comment 5 Jeff Bastian 2013-05-15 12:44:21 EDT
setroubleshoot usually gives you a helpful message if there's a Boolean you can toggle, but in this case, it just told me to create a local policy and/or open a bug.  I wonder why it didn't tell me about the xdm_write_home Boolean.

Should this be a bug against setroubleshoot instead?
Comment 6 Jeff Bastian 2013-05-15 13:20:14 EDT
Re-opening as a bug against lightdm: it should be using accountsservice instead of ~/.dmrc files.
Comment 7 Rex Dieter 2013-05-15 13:59:09 EDT
lightdm supports both (for compatibility)
Comment 8 Rex Dieter 2013-05-15 14:17:56 EDT
mgrepl, you mean this won't work out of the box?  What about kdm?  (it writes to ~/.dmrc too)
Comment 9 Rex Dieter 2013-05-15 14:23:10 EDT
Or... should I toggle

setsebool -P xdm_write_home 1

in lightdm's %post scriptlet?
Comment 10 Jeff Bastian 2013-05-15 14:49:53 EDT
I just tried kdm and I didn't get any errors from SELinux Troubleshooter.  Only lightdm has a problem.  Both are running as xdm_t though.
Comment 11 Rex Dieter 2013-05-15 14:56:53 EDT
Oh, it occurs to me that lightdm is running as unprivledged 'lightdm' user, so may expect writing to ~/.dmrc to ever work.
Comment 12 Miroslav Grepl 2013-05-15 16:29:02 EDT
*** Bug 922958 has been marked as a duplicate of this bug. ***
Comment 13 Miroslav Grepl 2013-05-16 01:33:51 EDT
(In reply to comment #9)
> Or... should I toggle
> 
> setsebool -P xdm_write_home 1
> 
> in lightdm's %post scriptlet?

Yes, I would turn on the boolean this way.

 The problem is this allows xdm_t to create whatever with xdm_home_t in the /home directory. But it could mask some bugs and we have filename transitions for another cases.
Comment 14 Rex Dieter 2013-05-16 10:43:09 EDT
Interestingly, I cannot seem to reproduce this problem, maybe because it's saving to accountsservice (for me).  I may have to dig into the code to see what's going on.

Though, as I mentioned in comment #11, since lightdm is unprivileged, expecting writes to ~/.dmrc may not ever work.
Comment 15 Rex Dieter 2013-05-16 10:46:56 EDT
I take it back, I looked closer in audit.log and found the denial (seapplet failed to show it).
Comment 16 Rex Dieter 2013-05-16 10:51:55 EDT
OK, sorry for the spam, but after looking at the code closer, I've confirmed lightdm saves to org.freedesktop.Accounts service first, then to ~/.dmrc

So, an alternative fix here is to simply drop the second step of writing to ~/.dmrc (since it would appear no one else but kdm supports that anymore).

Any comments/objections to implementing that?
Comment 17 Fedora Update System 2013-05-16 10:55:26 EDT
lightdm-1.6.0-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/lightdm-1.6.0-5.fc19
Comment 18 Fedora Update System 2013-05-17 18:17:06 EDT
Package lightdm-1.6.0-5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-1.6.0-5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8422/lightdm-1.6.0-5.fc19
then log in and leave karma (feedback).
Comment 19 Adam Williamson 2013-05-20 14:18:54 EDT
Discussed at 2013-05-20 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-05-20/f19beta-blocker-review-7.2013-05-20-16.07.log.txt . Accepted as an FE issue: lightdm is only used for non-blocking desktops so this carries little risk of causing a blocker bug, and the fix seems sensible and safe for the non-blocking desktops. The bug is superficial but very visible for users of the spins that use lightdm, which is at least LXDE, Xfce and MATE that I know of, so fixing it seems worthwhile.
Comment 20 Dan Mashal 2013-05-20 16:15:18 EDT
Description of problem:
login to MATE DE

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.2-301.fc19.x86_64
type:           libreport
Comment 21 Dan Mashal 2013-05-20 16:23:12 EDT
lightdm 1.6.0-5 does not solve the issue..

[dan@localhost ~]$ getsebool xdm_write_home
xdm_write_home --> off

[root@localhost dan]# rpm -qa |grep lightdm
lightdm-gtk-1.5.1-3.fc19.x86_64
lightdm-1.6.0-5.fc19.x86_64
lightdm-gobject-1.6.0-5.fc19.x86_64
Comment 22 Rex Dieter 2013-05-20 16:48:04 EDT
Hrm, is the scriptlet I used doesn't work reliably:

%post
# tweak selinux to work out-of-the-box
# see also: http://bugzilla.redhat.com/963238
if [ "`getsebool xdm_write_home 2>/dev/null`" == 'xdm_write_home --> off' ] ; then
  setsebool -P xdm_write_home on &> /dev/null ||:
fi
...

then I might just resort to patching out the code that touches ~/.dmrc per comment #16
Comment 23 Adam Williamson 2013-05-20 22:41:19 EDT
rex: that seems like a much better option to me. Actually, I thought that was what -5.fc19 did already.
Comment 24 Fedora Update System 2013-05-21 13:18:05 EDT
Package lightdm-1.6.0-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-1.6.0-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8422/lightdm-1.6.0-6.fc19
then log in and leave karma (feedback).
Comment 25 Fedora Update System 2013-05-22 18:38:25 EDT
Package lightdm-1.6.0-8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-1.6.0-8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8422/lightdm-1.6.0-8.fc19
then log in and leave karma (feedback).
Comment 26 Markus Haybach 2013-05-23 05:37:12 EDT
Description of problem:
SELinux blocked lightdm write process in home folder

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.3-301.fc19.x86_64
type:           libreport
Comment 27 Adam Williamson 2013-05-23 12:07:27 EDT
this is still happening with -8 in beta rc4. did the build somehow get messed up and not actually include the fix to stop writing/reading/caring about .dmrc?
Comment 28 Rex Dieter 2013-05-23 12:27:47 EDT
Not my best week.  confirmed -8 botched not including the quick-n-dirty patch I made. :(

http://pkgs.fedoraproject.org/cgit/lightdm.git/tree/lightdm-1.6.0-no_dmrc_save.patch?h=f19



-9 on the way.
Comment 29 Fedora Update System 2013-05-23 16:00:54 EDT
Package lightdm-1.6.0-9.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing lightdm-1.6.0-9.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8422/lightdm-1.6.0-9.fc19
then log in and leave karma (feedback).
Comment 30 Mukundan Ragavan 2013-05-24 00:30:46 EDT
I am getting selinux alerts even with -9. I can post the sealert messages if needed.
Comment 31 Miroslav Grepl 2013-05-24 01:45:50 EDT
What does

# getsebool xdm_write_home
Comment 32 Adam Williamson 2013-05-24 03:41:46 EDT
mgrepl: it doesn't really matter, because what -9 is supposed to do is not write .dmrc files at all. It's not meant to flip the boolean.

nonamedotc: are you sure the alerts are from after updating to -9, not just stale alerts from before you updated? Do they still reference the .dmrc files?
Comment 33 Mukundan Ragavan 2013-05-24 12:06:35 EDT
mgrepl: My F19 computer is at home. I will post the output later today.

adamw: Yes. I verified the lightdm version and also timestamp before posting my comment here. So, I am confident that the version is right. I also rebooted twice and {looged out/logged in} twice to make sure I am infact using the correct version. But yeah, I can definitely check again.

What weird (for me) though, is I just did a new F19 netinstall on VM. No sealert notification on the VM. So, I do not know what's going on.
Comment 34 Fedora Update System 2013-05-24 16:50:48 EDT
lightdm-1.6.0-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 35 Mukundan Ragavan 2013-05-24 19:40:02 EDT
OK. Sorry folks.  -9 does fix the issue. It was a mistake as adamw pointed out. I rebooted multiple times alright and got multiple alerts. But, all of them were just before updating. I checked the timestamps on yum history, sealert and using last now, it turns out, I was wrong my two minutes (22:59 vs 23:01)! 

Sorry again people!
Comment 36 Karel Volný 2013-06-03 03:38:57 EDT
sorry for bothering your circles, but lightdm-1.6.0-8.fc19 does not fix this

and while the Bodhi url has ...-9.fc19 the latest build available is -8

here are my details, just after fresh start, note the dates:

SELinux is preventing /usr/sbin/lightdm from create access on the file /home/kvolny/.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/home/kvolny/ default label should be default_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/kvolny/

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that lightdm should be allowed create access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lightdm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/kvolny/ [ file ]
Source                        lightdm
Source Path                   /usr/sbin/lightdm
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           lightdm-1.6.0-8.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-47.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux kvolny.usersys.redhat.com
                              3.9.4-300.fc19.x86_64 #1 SMP Fri May 24 22:17:06
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-03 09:19:40 CEST
Last Seen                     2013-06-03 09:19:40 CEST
Local ID                      f166db46-ef57-44c6-a0ec-4e2178de6708

Raw Audit Messages
type=AVC msg=audit(1370243980.47:509): avc:  denied  { create } for  pid=675 comm="lightdm" name=".dmrc.PAE4XW" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1370243980.47:509): arch=x86_64 syscall=open success=no exit=EACCES a0=2558e30 a1=c2 a2=1b6 a3=1 items=1 ppid=1 pid=675 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 ses=4294967295 tty=(none) comm=lightdm exe=/usr/sbin/lightdm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1370243980.47:509): cwd=/

type=PATH msg=audit(1370243980.47:509): item=0 name=/home/kvolny/ inode=28835842 dev=fd:00 mode=040700 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0

Hash: lightdm,xdm_t,user_home_t,file,create
Comment 37 Fedora Update System 2013-06-03 08:54:27 EDT
lightdm-1.6.0-9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/lightdm-1.6.0-9.fc19
Comment 38 alexa6moon 2013-06-03 09:13:54 EDT
Description of problem:
may be this happend after visiting site porevo.info

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport
Comment 39 Martin Bříza 2013-06-05 06:02:27 EDT
Description of problem:
Logged in with two users, don't know which one caused this.

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.x86_64
type:           libreport
Comment 40 Robert Lightfoot 2013-06-06 21:48:41 EDT
Description of problem:
Fresh Install of F19 i386 xfce Final - TC1

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-300.fc19.i686.PAE
type:           libreport
Comment 41 Fedora Update System 2013-06-09 23:22:56 EDT
lightdm-1.6.0-9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.