Bug 518068
Summary: | selinux prevents slim from starting | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | cornel panceac <cpanceac> |
Component: | slim | Assignee: | Lorenzo Villani <lorenzo> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | urgent | ||
Version: | rawhide | CC: | afb, cwickert, dwalsh, fry.kun, jkubin, mgrepl, pertusus, schaeksh, yunus.tji.nyan |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-10-21 22:08:14 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 505781 |
Description
cornel panceac
2009-08-18 17:21:00 UTC
Why is there a file labeled device_t? Seems to be some problem in initrd which is causing this

What does

```
find /dev -name null -type f -printf "%p %Z\n"
```

Show?

Where is slim.auth located?

/var/run/slim.auth has the wrong context on it. Something went wrong on the livecd creation as this file should have been labeled correctly.

(In reply to comment #1)
> Why is there a file labeled device_t? Seems to be some problem in initrd which
> is causing this
>
> What does
>
> find /dev -name null -type f -printf "%p %Z\n"
>
> Show?
>
> Where is slim.auth located?

yes, i've found slim.auth on /var/run.

```
find /dev -name null -type f -printf "%p %Z\n"
```

returns nothing. right now i'm searching for the one who generated the iso. thank you.

the issue is still present on alpha rc2 (lxde live "cd" x86)

Can you bring this up in single user mode and tell me if the file exists? If yes, restorecon it and bring it all the way up and see if you can log in.

hmm. i've just checked the sha1sum and it is different from the published one: e931b0e43ac123d32a60a7b632fb66087cd5dfdf

i've downloaded again and again i got the above sha1sum. so either the computing is different, or the published sha1sum is wrong. i'll check those things and report back asap.

sorry but comment #4 was wrong: even if selinux still prevents slim from starting, the error is different: selinux is preventing slim (xdm_t) "read" var_run_t

restorecon /usr/bin/slim doesn't help.

here's the complete sealert: (after setenforce 0)

```
# sealert -l bc9bad9e-877f-4d71-afd3-d9242adfe773

Summary:

SELinux is preventing slim (xdm_t) "read" var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by slim. It is not expected that this access is
required by slim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                slim.auth [ file ]
Source                        slim
Source Path                   /usr/bin/slim
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           slim-1.3.1-7.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug 11 21:20:05 EDT 2009 i686 athlon
Alert Count                   349
First Seen                    Thu Aug 20 16:56:56 2009
Last Seen                     Thu Aug 20 17:08:42 2009
Local ID                      bc9bad9e-877f-4d71-afd3-d9242adfe773
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1250802522.810:24558): avc: denied { read } for pid=2289 comm="slim" name="slim.auth" dev=dm-0 ino=67650 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1250802522.810:24558): arch=40000003 syscall=33 success=yes exit=0 a0=99218c3 a1=4 a2=733b18 a3=99218c3 items=0 ppid=1 pid=2289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
```

Sorry, I was not specific enough

Bring machine up to single user mode or level 3 and check for the existence of slim.auth?

```
ls -lZ /var/run/slim.auth
```

If it is there, delete it and continue to boot to level 5. See if you can login. If you can, then something created the file with the wrong context.

If you can not, check what the context of slim is

```
ps -eZ | grep slim
```

in runlevel 1 and 3 there's no /var/run/slim*

once i reached runlevel 5, there's an slim.auth there and ls -lZ returns

```
... system_u:object_u:object_r:var_run_t:s0 /var/run/slim.auth ...
```

ps -eZ returns

```
... system_u:system_r:xdm_t:s0-s0:c0.c1023 ...
```

ps ax | grep slim shows a process

```
/usr/bin/X -auth /var/run/slim.auth
```

which is probably the process creating the file. once i kill this process, slim respawns bringing a new X -auth with it.

OK, that is a problem. Can SLIM be changed to use its own directory in /var/run

```
/var/run/slim/slim.auth
```

That way we can label /var/run/slim as xdm_var_run_t and this will just work properly.

In /etc/slim.conf you can put

```
authfile /var/run/slim/slim.auth
```

to achieve this.

Your solution works on my Leonidas install.

If slim will make that the default, I will fix the labeling.

Dan, can you please make this change ASAP? I need it for my LXDE spin, so please let rel-eng tag the package for F-12 beta. I will take care of the changes in slim.

Labeling is already in F-12 beta. selinux-policy-3.6.32-22.fc12.noarch

*** Bug 518771 has been marked as a duplicate of this bug. ***

*** Bug 512264 has been marked as a duplicate of this bug. ***

slim-1.3.1-8.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/slim-1.3.1-8.fc12

(In reply to comment #14)
> Dan, can you please make this change ASAP? I need it for my LXDE spin, so
> please let rel-eng tag the package for F-12 beta. I will take care of the
> changes in slim.

f12 beta rc2 x86 lxde live cd still has the selinux+slim issue.

What version of selinux-policy is in there?

Dan, the policy is fixed, but the liveimage still contains the old slim package.

(In reply to comment #19)
> Please test: http://koji.fedoraproject.org/koji/buildinfo?buildID=136049

Looks good, so I can remove my workaround from the ks.

Tagging slim-1.3.1-8.fc12 requested at https://fedorahosted.org/rel-eng/ticket/2585

slim-1.3.1-8.fc12 was tagged for F12. Lorenzo, please withdraw/delete the pending update from bodhi before you close this bug.

Thanks everybody, well done! All pending update requests were tagged for f12-final. Closing.

*** Bug 533631 has been marked as a duplicate of this bug. ***
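
The denial in this bug is a labeling problem, not a missing policy rule: slim.auth was created directly in /var/run and carries that directory's type, var_run_t. As an added example (not part of the bug report and not a Fedora or SELinux tool), this Python sketch parses AVC records and separates denials of that kind from the rest; the list of generic directory types and the second sample record (with its hypothetical `exampled` daemon) are assumptions.

```python
import re

# Types a file inherits from its parent directory when no transition rule applies (assumed list).
INHERITED_DIR_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "tmp_t"}
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is the AVC line quoted in this bug; the second is constructed for contrast.
SAMPLE_LOG = """\
node=localhost.localdomain type=AVC msg=audit(1250802522.810:24558): avc: denied { read } for pid=2289 comm="slim" name="slim.auth" dev=dm-0 ino=67650 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1250802600.000:24600): avc: denied { name_bind } for pid=3000 comm="exampled" src=8099 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "comm": kv.get("comm", "?"),
        "name": kv.get("name", "?"),
        "source_type": kv["scontext"].split(":")[2],  # user:role:type:level
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def triage(log_text):
    """Split denials into (likely mislabeled files, everything else)."""
    mislabeled, other = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["tclass"] in FILE_CLASSES and rec["target_type"] in INHERITED_DIR_TYPES:
            mislabeled.append(rec)  # fix the label or path, not the policy
        else:
            other.append(rec)
    return mislabeled, other


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG)[0]:
        print(f'{r["comm"]}: {r["name"]} is {r["target_type"]}, check its labeling')
```

A hit in the first list points toward the fix adopted here, a dedicated directory with its own type (/var/run/slim labeled xdm_var_run_t), rather than a local allow rule.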