Re: gdm has problems with selinux or vice versa

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



--- Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Antonio Olivares wrote:
> > Dear all,
> > 
> > after updating and getting the INIT: error that I
> had posted before, I can login by pressing enter and
> get X, however, when starting up I am greeted by
> setroubleshooter with some messages 
> > 
> > [olivares@localhost ~]$ cat /etc/fedora-release 
> > Fedora release 8.90 (Rawhide)
> > [olivares@localhost ~]$ date
> > Sun Nov 11 10:40:25 CST 2007
> > [olivares@localhost ~]$ 
> > 
> > I try to apply the fix suggested, but it does not
> seem to be working :(
> > 
> > Summary
> >     SELinux is preventing gdm (xdm_t) "execute" to
> <Unknown> (rpm_exec_t).
> > 
> > Detailed Description
> >     SELinux denied access requested by gdm. It is
> not expected that this access
> >     is required by gdm and this access may signal
> an intrusion attempt. It is
> >     also possible that the specific version or
> configuration of the application
> >     is causing it to require additional access.
> > 
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux
> denials.  You could try to
> >     restore the default system file context for
> <Unknown>, restorecon -v
> >     <Unknown> If this does not work, there is
> currently no automatic way to
> >     allow this access. Instead,  you can generate
> a local policy module to allow
> >     this access - see
>
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> >     Or you can disable SELinux protection
> altogether. Disabling SELinux
> >     protection is not recommended. Please file a
> >    
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
> > 
> > Additional Information        
> > 
> > Source Context               
> system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context               
> system_u:object_r:rpm_exec_t
> > Target Objects                None [ file ]
> > Affected RPM Packages         
> > Policy RPM                   
> selinux-policy-3.0.8-44.fc8
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                  
> plugins.catchall_file
> > Host Name                     localhost
> > Platform                      Linux localhost
> 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
> >                               13:55:12 EDT 2007
> i686 athlon
> > Alert Count                   162
> > First Seen                    Sun 11 Nov 2007
> 09:11:06 AM CST
> > Last Seen                     Sun 11 Nov 2007
> 10:36:27 AM CST
> > Local ID                     
> f3168196-46ac-4951-ab61-b3b218534bb2
> > Line Numbers                  
> > 
> > Raw Audit Messages            
> > 
> > avc: denied { execute } for comm=gdm dev=dm-0
> name=rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0
> > 
> > 
> > 
> > 
> > 
> > Summary
> >     SELinux is preventing gdm (xdm_t) "getattr" to
> /bin/rpm (rpm_exec_t).
> > 
> > Detailed Description
> >     SELinux denied access requested by gdm. It is
> not expected that this access
> >     is required by gdm and this access may signal
> an intrusion attempt. It is
> >     also possible that the specific version or
> configuration of the application
> >     is causing it to require additional access.
> > 
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux
> denials.  You could try to
> >     restore the default system file context for
> /bin/rpm, restorecon -v /bin/rpm
> >     If this does not work, there is currently no
> automatic way to allow this
> >     access. Instead,  you can generate a local
> policy module to allow this
> >     access - see
>
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
> Or you
> >     can disable SELinux protection altogether.
> Disabling SELinux protection is
> >     not recommended. Please file a
> >    
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
> > 
> > Additional Information        
> > 
> > Source Context               
> system_u:system_r:xdm_t:SystemLow-SystemHigh
> > Target Context               
> system_u:object_r:rpm_exec_t
> > Target Objects                /bin/rpm [ file ]
> > Affected RPM Packages         rpm-4.4.2.2-7.fc9
> [target]
> > Policy RPM                   
> selinux-policy-3.0.8-44.fc8
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                  
> plugins.catchall_file
> > Host Name                     localhost
> > Platform                      Linux localhost
> 2.6.23.1-42.fc8 #1 SMP Tue Oct 30
> >                               13:55:12 EDT 2007
> i686 athlon
> > Alert Count                   180
> > First Seen                    Sun 11 Nov 2007
> 09:11:06 AM CST
> > Last Seen                     Sun 11 Nov 2007
> 10:36:27 AM CST
> > Local ID                     
> e1676a84-c6d0-45b8-97d7-c7cae2d755c1
> > Line Numbers                  
> > 
> > Raw Audit Messages            
> > 
> > avc: denied { getattr } for comm=gdm dev=dm-0
> egid=0 euid=0 exe=/bin/bash
> > exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> path=/bin/rpm pid=8443
> > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> sgid=0
> > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0
> tclass=file
> > tcontext=system_u:object_r:rpm_exec_t:s0
> tty=(none) uid=0
> > 
> > 
> > Thanks,
> > 
> > Antonio 
> > 
> > 
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> > http://mail.yahoo.com 
> > 
> This looks like you are not logging in with the
> correct context.  IE You
> are staying in the xdm_t context.
> 
> id -Z
> 
> Will show you what context you are logging in as. 
> You should be
> unconfined_t.
> 
> If this is true, I would guess you have a badly
> labeled system and you
> probably need to relabel
> 
> touch /.autorelabel; reboot
> 
> will fix the labeling.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> 
=== message truncated ===

[olivares@localhost ~]$ su -
Password: 
[root@localhost ~]# id -Z
system_u:system_r:unconfined_t
[root@localhost ~]# 

will do
# touch /.autorelabel; reboot
and report back if successful/failure.

Regards,

Antonio 



      ____________________________________________________________________________________
Be a better sports nut!  Let your teams follow you 
with Yahoo Mobile. Try it now.  http://mobile.yahoo.com/sports;_ylt=At9_qDKvtAbMuh1G1SQtBI7ntAcJ

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux