Bug 1065560 - Selinux prevents /usr/bin/kdm from spawning a bash or systemctl process
Summary: Selinux prevents /usr/bin/kdm from spawning a bash or systemctl process
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-14 23:22 UTC by Matthew Cline
Modified: 2014-02-17 19:56 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-17 19:56:48 UTC


Description Matthew Cline 2014-02-14 23:22:51 UTC
After upgrading from Fedora 19 to Fedora 20, SELinux prevents kdm from starting a bash process or a systemctl process.

The output of "ls -Z" for the three files:

-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /usr/bin/bash*
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0  /usr/bin/kdm*
-rwxr-xr-x. root root system_u:object_r:systemd_systemctl_exec_t:s0 /usr/bin/systemctl*

The raw audit message for bash:

type=AVC msg=audit(1385024319.892:796): avc:  denied  { entrypoint } for  pid=24615 comm="kdm" path="/usr/bin/bash" dev="dm-1" ino=1858267 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1385024319.892:796): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f4ee2ecff60 a1=7f4ee2ecfec0 a2=0 a3=7f4ee2ecfe30 items=0 ppid=532 pid=24615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=kdm exe=/usr/bin/kdm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: kdm,xdm_t,shell_exec_t,file,entrypoint

===

The raw audit message for systemctl:


type=AVC msg=audit(1385024319.845:795): avc:  denied  { entrypoint } for  pid=24615 comm="kdm" path="/usr/bin/systemctl" dev="dm-1" ino=1839529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1385024319.845:795): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f4ee2ecfe30 a1=7f4ee2ecd2f0 a2=0 a3=8 items=0 ppid=532 pid=24615 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=kdm exe=/usr/bin/kdm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: kdm,xdm_t,systemd_systemctl_exec_t,file,entrypoint

-----------------------
Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.12.1-122.fc20.noarch
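
Added example, not part of the original report and not the code of any SELinux tool: a small parser that joins each AVC record above to its SYSCALL record by audit serial and rebuilds the comma-separated form shown in the report's "Hash:" lines. The function names are hypothetical, and the SYSCALL records are abbreviated to the fields the code reads.

```python
import re
from collections import defaultdict

# Audit records from the report above; SYSCALL records abbreviated to the fields used here.
LOG = """\
type=AVC msg=audit(1385024319.892:796): avc:  denied  { entrypoint } for  pid=24615 comm="kdm" path="/usr/bin/bash" dev="dm-1" ino=1858267 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1385024319.892:796): arch=x86_64 syscall=execve success=no exit=EACCES ppid=532 pid=24615 comm=kdm exe=/usr/bin/kdm
type=AVC msg=audit(1385024319.845:795): avc:  denied  { entrypoint } for  pid=24615 comm="kdm" path="/usr/bin/systemctl" dev="dm-1" ino=1839529 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1385024319.845:795): arch=x86_64 syscall=execve success=no exit=EACCES ppid=532 pid=24615 comm=kdm exe=/usr/bin/kdm
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type from user:role:type:level (the level may itself contain ':')."""
    return context.split(":")[2]

def parse(log):
    """Group records by audit serial so each AVC sits beside its SYSCALL record."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            denied = PERMS.search(body)
            if not denied:
                continue  # AVC message that is not a denial
            fields["perms"] = denied.group(1).split()
        events[int(serial)][rtype] = fields
    return events

def signature(avc):
    """comm,source type,target type,class,permission(s), as in the 'Hash:' lines."""
    return ",".join([avc["comm"], selinux_type(avc["scontext"]),
                     selinux_type(avc["tcontext"]), avc["tclass"], *avc["perms"]])

def summarize(log):
    """One row per denial: (serial, signature, path, syscall, exit code)."""
    rows = []
    for serial, recs in sorted(parse(log).items()):
        if "AVC" in recs:
            avc, sc = recs["AVC"], recs.get("SYSCALL", {})
            rows.append((serial, signature(avc), avc.get("path"), sc.get("syscall"), sc.get("exit")))
    return rows

if __name__ == "__main__":
    print(*summarize(LOG), sep="\n")
```

Both denials come from the same pid and are `execve` calls that failed with EACCES on the `entrypoint` permission, which is what the two "Hash:" lines encode.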

Comment 1 Miroslav Grepl 2014-02-17 10:37:36 UTC
Did you reboot?

Comment 2 Matthew Cline 2014-02-17 19:50:13 UTC
I've rebooted multiple times since then, and I only ever got that error once.  I did try the "audit2allow" trick, but was told "there's nothing to do", so I didn't do anything to fix the problem.

Also, the time that I *did* get it, I didn't notice any problems.

Comment 3 Miroslav Grepl 2014-02-17 19:56:48 UTC
You should not get it again. If I am wrong, please reopen the bug.

