gdm has problems with selinux or vice versa
Antonio Olivares
olivares14031 at yahoo.com
Mon Nov 12 23:39:22 UTC 2007
--- Daniel J Walsh <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Antonio Olivares wrote:
> > Dear all,
> >
> > after updating and getting the INIT: error that I had posted before, I can login by pressing enter and
> > get X, however, when starting up I am greeted by setroubleshooter with some messages
> >
> > [olivares at localhost ~]$ cat /etc/fedora-release
> > Fedora release 8.90 (Rawhide)
> > [olivares at localhost ~]$ date
> > Sun Nov 11 10:40:25 CST 2007
> > [olivares at localhost ~]$
> >
> > I try to apply the fix suggested, but it does not seem to be working :(
> >
> > Summary
> > SELinux is preventing gdm (xdm_t) "execute" to <Unknown> (rpm_exec_t).
> >
> > Detailed Description
> > SELinux denied access requested by gdm. It is not expected that this access
> > is required by gdm and this access may signal an intrusion attempt. It is
> > also possible that the specific version or configuration of the application
> > is causing it to require additional access.
> >
> > Allowing Access
> > Sometimes labeling problems can cause SELinux denials. You could try to
> > restore the default system file context for <Unknown>, restorecon -v
> > <Unknown> If this does not work, there is currently no automatic way to
> > allow this access. Instead, you can generate a local policy module to allow
> > this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> > Or you can disable SELinux protection altogether. Disabling SELinux
> > protection is not recommended. Please file a
> > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >
> > Additional Information
> >
> > Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context system_u:object_r:rpm_exec_t
> > Target Objects None [ file ]
> > Affected RPM Packages
> > Policy RPM selinux-policy-3.0.8-44.fc8
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name plugins.catchall_file
> > Host Name localhost
> > Platform Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 athlon
> > Alert Count 162
> > First Seen Sun 11 Nov 2007 09:11:06 AM CST
> > Last Seen Sun 11 Nov 2007 10:36:27 AM CST
> > Local ID f3168196-46ac-4951-ab61-b3b218534bb2
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0
> >
> > Summary
> > SELinux is preventing gdm (xdm_t) "getattr" to /bin/rpm (rpm_exec_t).
> >
> > Detailed Description
> > SELinux denied access requested by gdm. It is not expected that this access
> > is required by gdm and this access may signal an intrusion attempt. It is
> > also possible that the specific version or configuration of the application
> > is causing it to require additional access.
> >
> > Allowing Access
> > Sometimes labeling problems can cause SELinux denials. You could try to
> > restore the default system file context for /bin/rpm, restorecon -v /bin/rpm
> > If this does not work, there is currently no automatic way to allow this
> > access. Instead, you can generate a local policy module to allow this
> > access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
> > can disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended. Please file a
> > http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >
> > Additional Information
> >
> > Source Context system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context system_u:object_r:rpm_exec_t
> > Target Objects /bin/rpm [ file ]
> > Affected RPM Packages rpm-4.4.2.2-7.fc9 [target]
> > Policy RPM selinux-policy-3.0.8-44.fc8
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name plugins.catchall_file
> > Host Name localhost
> > Platform Linux localhost 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 athlon
> > Alert Count 180
> > First Seen Sun 11 Nov 2007 09:11:06 AM CST
> > Last Seen Sun 11 Nov 2007 10:36:27 AM CST
> > Local ID e1676a84-c6d0-45b8-97d7-c7cae2d755c1
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash
> > exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
> >
> > Thanks,
> >
> > Antonio
> >
> >
> >
> >
> This looks like you are not logging in with the correct context. IE You
> are staying in the xdm_t context.
>
> id -Z
>
> Will show you what context you are logging in as. You should be
> unconfined_t.
>
> If this is true, I would guess you have a badly labeled system and you
> probably need to relabel
>
> touch /.autorelabel; reboot
>
> will fix the labeling.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
=== message truncated ===
[olivares at localhost ~]$ su -
Password:
[root at localhost ~]# id -Z
system_u:system_r:unconfined_t
[root at localhost ~]#
will do
# touch /.autorelabel; reboot
and report back if successful/failure.
Regards,
Antonio
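
The following is an added example, not part of the original thread or of any SELinux tool: a small parser that reduces raw AVC denials like the two quoted above to source domain, target type, class and permissions, and reports whether they come from `xdm_t`, the domain the reply says the session is staying in. The function names are illustrative, and the sample input is the thread's two audit messages rejoined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit messages from the thread, unwrapped.
SAMPLE = """\
avc: denied { execute } for comm=gdm dev=dm-0 name=rpm pid=8443 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0
avc: denied { getattr } for comm=gdm dev=dm-0 egid=0 euid=0 exe=/bin/bash exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/bin/rpm pid=8443 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_exec_t:s0 tty=(none) uid=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def context_type(context):
    """Return the type (third field) of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # incomplete record, e.g. cut off by line wrapping
    return {
        "perms": m.group(1).split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name"),
    }

def summarise(text):
    """Group denials by (source type, target type, class) -> permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            groups[key].update(rec["perms"])
    return dict(groups)

def denied_from_domain(text, domain="xdm_t"):
    """True if any denial's source type is `domain` (gdm's domain here)."""
    return any(src == domain for src, _, _ in summarise(text))

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarise(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Both alerts collapse to a single source/target pair, which makes it easier to see that one cause (a process running in `xdm_t` touching `/bin/rpm`) is behind all of the alert counts.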
More information about the fedora-selinux-list
mailing list