Bug 512264 - SELinux blocks SLiM
Summary: SELinux blocks SLiM
Keywords:
Status: CLOSED DUPLICATE of bug 518068
Alias: None
Product: Fedora
Classification: Fedora
Component: slim
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Lorenzo Villani
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: LXDE
Reported: 2009-07-16 21:44 UTC by Christoph Wickert
Modified: 2013-01-10 05:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-10 12:37:43 UTC
Type: ---
Embargoed:


Attachments
sealert error message (2.60 KB, text/plain)
2009-07-16 21:44 UTC, Christoph Wickert

Description Christoph Wickert 2009-07-16 21:44:50 UTC
Created attachment 354051
sealert error message

Description of problem:
SELinux is preventing slim (xdm_t) "open","getattr","read" and "unlink" var_run_t.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. Make a livecd from http://cwickert.fedorapeople.org/kickstarts/fedora-livecd-lxde.ks
2. Boot it
  
Actual results:
No login manager but a lot of SELinux denials:

node=localhost.localdomain type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:10): arch=40000003 syscall=5 success=yes exit=5 a0=88828c3 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.884:11): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfa65a50 a2=4d2ff4 a3=888b988 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


node=localhost.localdomain type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789461.883:9): arch=40000003 syscall=33 success=yes exit=0 a0=88828c3 a1=4 a2=6d0a60 a3=88828c3 items=0 ppid=1 pid=2554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

node=localhost.localdomain type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1245789280.741:40775): arch=40000003 syscall=10 success=yes exit=0 a0=92af044 a1=a90388 a2=a8eff4 a3=92af044 items=0 ppid=1 pid=4043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="slim" exe="/usr/bin/slim" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Expected results:
SLiM showing up

Additional info:
This is needed for the LXDE Spin and possibly also for the Xfce Spin, if we decide to switch to SLiM.

Comment 1 Christoph Wickert 2009-07-16 21:45:48 UTC
Comment on attachment 354051
sealert error message

This is the alert for getattr, I have similar errors for open, read and unlink.

Comment 2 Daniel Walsh 2009-07-19 16:06:35 UTC
If you 

chcon -t xdm_var_run_t /var/run/slim*

Does everything work?

Comment 3 Christoph Wickert 2009-07-23 21:04:20 UTC
semanage -a -t xdm_var_run_t /var/run/slim.auth 
did the trick, slim.run already gets created xdm_var_run_t. Would be nice to have this in the policy, so I don't need a hack on the livecd.

Comment 4 Daniel Walsh 2009-07-27 17:51:20 UTC
Miroslav can you add this labeling?

/var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)

Comment 5 Miroslav Grepl 2009-07-27 18:01:31 UTC
I will push out a new selinux-policy release with this change tomorrow.

Comment 6 Miroslav Grepl 2009-07-28 13:20:54 UTC
Fixed in selinux-policy-3.6.12-70.fc11

Comment 7 Christoph Wickert 2009-08-06 00:28:01 UTC
Works fine, thanks!

Comment 8 Christoph Wickert 2009-08-18 21:33:52 UTC
Sorry, I was too fast. It's still not working. The strange thing is: It works fine when installed, but not from the livecd.

Try yourself with the latest LXDE livecd from 
http://alt.fedoraproject.org/pub/alt/nightly-composes/lxde/

Let me know if I can help you with testing, debugging or whatever.

Comment 9 Daniel Walsh 2009-08-18 22:34:43 UTC
Then this is a bug in the livecd program.

Comment 10 Jeremy Katz 2009-08-19 19:12:54 UTC
There's not anything the livecd creation can do about it -- the file is created at runtime by slim in /var/run.  Since slim isn't explicitly trying to set any contexts before creating the file, it follows the directory default (var_run_t).

The easiest way to fix this is probably to have slim move its files to be in a subdir of /var/run -- then the directory can be labeled as it's put down by rpm and then the new files within it will get the right context.

Comment 11 Daniel Walsh 2009-08-20 11:55:59 UTC
But if slim is running as xdm_t then it should have transitioned to the correct label when it created the file.

ls -lZ /usr/bin/slim
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/slim

And we have this line in policy

files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })

Which says if a process running as xdm_t creates a dir, file, fifo_file or sock_file in var_run_t it will label it xdm_var_run_t

So something else is creating this file or the /usr/bin/slim is not labeled correctly.
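
The reasoning in comments 10 and 11, as an added example that is not part of the original bug thread or of selinux-policy: it groups the AVC denials from the report and compares the target type with the label the quoted files_pid_filetrans rule would give a file created by xdm_t. The labeling model is an assumed simplification (a matching transition rule wins, otherwise the new file takes the parent directory's type).

```python
import re
from collections import defaultdict

# The four AVC records from the report, with the node= prefix dropped.
AVC_LOG = """\
type=AVC msg=audit(1245789461.884:10): avc:  denied  { open } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245789461.884:11): avc:  denied  { getattr } for  pid=2554 comm="slim" path="/var/run/slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245789461.883:9): avc:  denied  { read } for  pid=2554 comm="slim" name="slim.auth" dev=dm-0 ino=136384 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1245789280.741:40775): avc:  denied  { unlink } for  pid=4043 comm="slim" name="slim.auth" dev=dm-0 ino=136376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for m in AVC_RE.finditer(log):
        key = (ctx_type(m["scontext"]), ctx_type(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in groups.items()}

# The policy line quoted in comment 11, expanded to a lookup table:
# (creating domain, parent directory type, object class) -> type of the new object.
FILETRANS = {("xdm_t", "var_run_t", c): "xdm_var_run_t"
             for c in ("dir", "file", "fifo_file", "sock_file")}

def label_on_create(domain, parent_type, tclass):
    """Assumed model: a matching transition rule wins, else inherit the directory type."""
    return FILETRANS.get((domain, parent_type, tclass), parent_type)

def diagnose(log, parent_type="var_run_t"):
    """Flag denials whose target type is not what the accessing domain would create."""
    findings = []
    for (src, tgt, cls), perms in summarize(log).items():
        expected = label_on_create(src, parent_type, cls)
        if tgt != expected:
            findings.append(
                f"{src} denied {', '.join(perms)} on {tgt}:{cls}; a {cls} created by "
                f"{src} would be {expected}, so another domain created it or it was relabeled")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(AVC_LOG)))
```
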

Comment 12 Huub Schaeks 2009-08-30 11:59:42 UTC
/var/log/slim.log says /usr/bin/xauth creates the /var/run/slim.auth file.

The solution you suggested here:

https://bugzilla.redhat.com/show_bug.cgi?id=518068

works.

Comment 13 Lorenzo Villani 2009-10-10 12:37:43 UTC
Using #518068 to track this issue.

*** This bug has been marked as a duplicate of bug 518068 ***

