Bug 1685537 - nodm is labeled bin_t instead of xdm_exec_t
Summary: nodm is labeled bin_t instead of xdm_exec_t
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-05 12:32 UTC by Milos Malik
Modified: 2019-04-05 17:58 UTC

Fixed In Version: selinux-policy-3.14.4-8.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-05 17:58:51 UTC



Description Milos Malik 2019-03-05 12:32:09 UTC
Description of problem:
 * nodm is a display manager
 * other display managers are labeled xdm_exec_t
 * why is nodm labeled bin_t?

Version-Release number of selected component (if applicable):
nodm-0.13-6.fc30.x86_64
selinux-policy-3.14.3-4.fc30.noarch
selinux-policy-targeted-3.14.3-4.fc30.noarch
xorg-x11-xinit-1.4.0-4.fc30.x86_64
xorg-x11-server-common-1.20.3-4.fc30.x86_64
xorg-x11-xauth-1.0.9-14.fc30.x86_64
xorg-x11-xkb-utils-7.7-29.fc30.x86_64
xorg-x11-drv-libinput-0.28.2-1.fc30.x86_64
xorg-x11-server-utils-7.7-28.fc30.x86_64
xorg-x11-server-Xorg-1.20.3-4.fc30.x86_64

How reproducible:
 * always

Steps to Reproduce:
# service nodm start
Redirecting to /bin/systemctl start nodm.service
# service nodm status
Redirecting to /bin/systemctl status nodm.service
● nodm.service - Display manager for automatic session logins
   Loaded: loaded (/usr/lib/systemd/system/nodm.service; disabled; vendor prese>
   Active: active (running) since Tue 2019-03-05 07:28:11 EST; 1s ago
     Docs: man:nodm(8)
           file:/usr/share/doc/nodm/README.md
 Main PID: 2545 (nodm)
    Tasks: 3 (limit: 2331)
   Memory: 7.9M
   CGroup: /system.slice/nodm.service
           ├─2545 /usr/sbin/nodm
           ├─2560 /usr/libexec/Xorg :0 vt7
           └─2572 /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XK>

Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: B>
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: C>
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]:  >
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]:  >
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: M>
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]:  >
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]:  >
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: (>
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: (>
Mar 05 07:28:13 host-8-249-221.host.centralci.eng.rdu2.redhat.com nodm[2545]: (>
# ps -efZ | grep nodm
system_u:system_r:unconfined_service_t:s0 root 2545 1  0 07:28 ?       00:00:00 /usr/sbin/nodm
#

Actual results:
/usr/bin/nodm system_u:object_r:bin_t:s0

Expected results:
/usr/bin/nodm system_u:object_r:xdm_exec_t:s0

Additional information:
# semanage fcontext -l | grep xdm_exec_t
/etc/rc\.d/init\.d/x11-common                      regular file       system_u:object_r:xdm_exec_t:s0 
/opt/kde3/bin/kdm                                  regular file       system_u:object_r:xdm_exec_t:s0 
/usr/X11R6/bin/[xgkw]dm                            regular file       system_u:object_r:xdm_exec_t:s0 
/usr/bin/gpe-dm                                    regular file       system_u:object_r:xdm_exec_t:s0 
/usr/bin/razor-lightdm-.*                          regular file       system_u:object_r:xdm_exec_t:s0 
/usr/bin/sddm                                      regular file       system_u:object_r:xdm_exec_t:s0 
/usr/bin/sddm-greeter                              regular file       system_u:object_r:xdm_exec_t:s0 
/usr/bin/slim                                      regular file       system_u:object_r:xdm_exec_t:s0 
/usr/libexec/gdm-disable-wayland                   regular file       system_u:object_r:xdm_exec_t:s0 
/usr/s?bin/[mxgkw]dm                               regular file       system_u:object_r:xdm_exec_t:s0 
/usr/s?bin/gdm(3)?                                 regular file       system_u:object_r:xdm_exec_t:s0 
/usr/s?bin/gdm-binary                              regular file       system_u:object_r:xdm_exec_t:s0 
/usr/s?bin/lightdm*                                regular file       system_u:object_r:xdm_exec_t:s0 
/usr/s?bin/lxdm(-binary)?                          regular file       system_u:object_r:xdm_exec_t:s0 
/usr/sbin/mdm-binary                               regular file       system_u:object_r:xdm_exec_t:s0 
#

Comment 1 Milos Malik 2019-03-05 12:40:46 UTC
Wrong paths were used in comment#0.

Actual results:
/usr/sbin/nodm system_u:object_r:bin_t:s0

Expected results:
/usr/sbin/nodm system_u:object_r:xdm_exec_t:s0

Comment 3 Lukas Vrabec 2019-03-05 13:52:17 UTC
commit 7cfd239416743e4b9b29e10348031798b85dc7bb (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Mar 5 14:52:03 2019 +0100

    Label /usr/sbin/nodm as xdm_exec_t same as other display managers
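
The pattern list in the report shows why the binary was mislabeled: file-context regexes are anchored at both ends, and no xdm_exec_t entry matches /usr/sbin/nodm in full. The check below is an added example, not part of the bug report or of selinux-policy; the entry in PATCHED_PATTERNS is an assumed stand-in for the fix and the sample paths are constructed.

```python
import re

# Patterns copied from the `semanage fcontext -l | grep xdm_exec_t` output
# in the report; each one maps to xdm_exec_t.
XDM_EXEC_PATTERNS = [
    r"/etc/rc\.d/init\.d/x11-common",
    r"/opt/kde3/bin/kdm",
    r"/usr/X11R6/bin/[xgkw]dm",
    r"/usr/bin/gpe-dm",
    r"/usr/bin/razor-lightdm-.*",
    r"/usr/bin/sddm",
    r"/usr/bin/sddm-greeter",
    r"/usr/bin/slim",
    r"/usr/libexec/gdm-disable-wayland",
    r"/usr/s?bin/[mxgkw]dm",
    r"/usr/s?bin/gdm(3)?",
    r"/usr/s?bin/gdm-binary",
    r"/usr/s?bin/lightdm*",
    r"/usr/s?bin/lxdm(-binary)?",
    r"/usr/sbin/mdm-binary",
]

# Type the report shows on the binary when no xdm_exec_t entry applies.
FALLBACK_TYPE = "bin_t"

# Assumption: a literal entry standing in for the fix; the pattern the
# commit actually added is not shown in the report.
PATCHED_PATTERNS = XDM_EXEC_PATTERNS + [r"/usr/sbin/nodm"]

# Constructed sample of display-manager binaries to audit.
SAMPLE_PATHS = ["/usr/sbin/nodm", "/usr/sbin/gdm", "/usr/sbin/lightdm", "/usr/bin/sddm"]

def matching_patterns(path, patterns=XDM_EXEC_PATTERNS):
    """Return the patterns that match the whole path.

    libselinux anchors file-context regexes at both ends, hence fullmatch.
    """
    return [p for p in patterns if re.fullmatch(p, path)]

def expected_type(path, patterns=XDM_EXEC_PATTERNS):
    # Any xdm_exec_t match wins over the generic fallback.
    return "xdm_exec_t" if matching_patterns(path, patterns) else FALLBACK_TYPE

if __name__ == "__main__":
    for stage, pats in (("before", XDM_EXEC_PATTERNS), ("after", PATCHED_PATTERNS)):
        for path in SAMPLE_PATHS:
            print(f"{stage:6} {path:20} {expected_type(path, pats)}")
```

On a live host, `matchpathcon /usr/sbin/nodm` reports the context the installed policy assigns and `ls -Z /usr/sbin/nodm` the one currently on disk.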

