gdm has problems with selinux or vice versa

Daniel J Walsh dwalsh at redhat.com
Mon Nov 12 19:23:58 UTC 2007


Antonio Olivares wrote:
> Dear all,
> 
> After updating and getting the INIT: error that I had posted before, I can log in by pressing enter and get X; however, when starting up I am greeted by setroubleshooter with some messages
> 
> [olivares at localhost ~]$ cat /etc/fedora-release 
> Fedora release 8.90 (Rawhide)
> [olivares at localhost ~]$ date
> Sun Nov 11 10:40:25 CST 2007
> [olivares at localhost ~]$ 
> 
> I try to apply the fix suggested, but it does not seem to be working :(
> 
> Summary
>     SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).
> 
> Detailed Description
>     SELinux denied access requested by gdm. It is not expected that this access
>     is required by gdm and this access may signal an intrusion attempt. It is
>     also possible that the specific version or configuration of the application
>     is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown> If this does not work, there is currently no automatic way to
>     allow this access. Instead,  you can generate a local policy module to allow
>     this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
>     Or you can disable SELinux protection altogether. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:rpm_exec_t
> Target Objects                None [ file ]
> Affected RPM Packages         
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
>                               13:55:12 EDT 2007 i686 athlon
> Alert Count                   162
> First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> Local ID                      f3168196-46ac-4951-ab61-b3b218534bb2
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
> tcontext=system_u:object_r:rpm_exec_t:s0
> 
> 
> 
> 
> 
> Summary
>     SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).
> 
> Detailed Description
>     SELinux denied access requested by gdm. It is not expected that this access
>     is required by gdm and this access may signal an intrusion attempt. It is
>     also possible that the specific version or configuration of the application
>     is causing it to require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
>     If this does not work, there is currently no automatic way to allow this
>     access. Instead,  you can generate a local policy module to allow this
>     access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
>     can disable SELinux protection altogether. Disabling SELinux protection is
>     not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:xdm_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:rpm_exec_t
> Target Objects                /bin/rpm [ file ]
> Affected RPM Packages         rpm-4.4.2.2-7.fc9 [target]
> Policy RPM                    selinux-policy-3.0.8-44.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     localhost
> Platform                      Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
>                               13:55:12 EDT 2007 i686 athlon
> Alert Count                   180
> First Seen                    Sun 11 Nov 2007 09:11:06 AM CST
> Last Seen                     Sun 11 Nov 2007 10:36:27 AM CST
> Local ID                      e1676a84-c6d0-45b8-97d7-c7cae2d755c1
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
> subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
> 
> 
> Thanks,
> 
> Antonio 
> 
This looks like you are not logging in with the correct context, i.e. you
are staying in the xdm_t context.

id -Z

Will show you what context you are logging in as.  You should be
unconfined_t.

If this is true, I would guess you have a badly labeled system and you
probably need to relabel

touch /.autorelabel; reboot

will fix the labeling.
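Added example, not part of the original thread: a small Python triage helper that parses the two raw AVC messages quoted above, groups them by source domain, target type and class, and checks `id -Z` output against the expected `unconfined_t` domain. The function names and the `id -Z` strings used with it are assumptions made for illustration.

```python
import re

# Constructed sample: the two raw AVC messages from the post, one record per string.
# All function names below are hypothetical helpers, not part of any SELinux tool.
AVC_LINES = [
    "avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file "
    "tcontext=system_u:object_r:rpm_exec_t:s0",
    "avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443 "
    "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file "
    "tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0",
]

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, typ = parts[:3]
    return {"user": user, "role": role, "type": typ, "range": parts[3] if len(parts) == 4 else None}

def parse_avc(line):
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None  # not an AVC denial record
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }

def summarize(lines):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def session_stuck_in(id_z_output, expected="unconfined_t"):
    """Return the session's domain if it is not the expected one, else None."""
    typ = split_context(id_z_output)["type"]
    return None if typ == expected else typ
```

Both alerts collapse into a single `xdm_t` to `rpm_exec_t` group, which makes it easier to see that every denial comes from the login manager's domain rather than from a user domain.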




More information about the fedora-selinux-list mailing list