| Summary: | selinux rules needed for xauth are dontaudited | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Jason Zaman <perfinion> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED NEEDINFO | ||
| Severity: | normal | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | AMD64 | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Only these are required to make it work:

allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { read getattr };

This one shows up in the logs, but it appears to work anyway even without this rule:

allow xauth_t xdm_t:process sigchld;

The other rules are not needed to login.
Can you check the context you're in after logon? I would expect xauth_t to act on the user domains (user_t, staff_t, sysadm_t or even unconfined_t) and not the XDM domain (xdm_t). Did you update the PAM configuration file(s) for slim (or whatever PAM service it uses)? See the end of http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=2

I can't do much without additional feedback. Don't hesitate to reopen the moment you can!
I turned on Enforcing mode and tried to login to Xfce through slim and it failed. After some stracing I found that /usr/bin/xauth was failing (it is supposed to read in the magic cookie from stdin but gets nothing). There were no entries in avc.log or audit.log; I had to disable dontaudits to see the xauth denials. To make it work I had to add the following rules. I am not sure if they are all required since audit2allow is overeager; I will test more later to find the minimum needed.

allow xauth_t xdm_t:process sigchld;
allow xauth_t xserver_log_t:file append;
allow xauth_t default_t:dir search;
allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { read getattr };

Reproducible: Always

Steps to Reproduce:
1. install slim and xfce
2. make SELinux Enforce
3. try and login through slim

Actual Results: login fails and returns to login screen

Expected Results: login should show desktop
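As an added example (not from the bug report or from Gentoo's policy), the shell script below packages the procedure the reporter describes: surface dontaudited denials with `semodule -DB`, then turn the minimal rule set from the follow-up comment (the fd/fifo_file rules, plus the sigchld rule that was logged but not required) into a loadable policy module. The module name `xauth_slim` and the output directory are my own choices. Note the caveat from the reply above: if xauth is landing in xdm_t because slim's PAM service is not set up for SELinux, fixing the PAM configuration is the real fix and this module is only a workaround.

```shell
#!/bin/sh
# Added example: build a local SELinux policy module for the xauth denials
# that slim's login triggers. Not part of the bug report. Module name
# "xauth_slim" and the /tmp path are assumptions.

# 1. Surface denials that the base policy dontaudits. "semodule -DB" rebuilds
#    the policy with every dontaudit rule disabled; reproduce the failing
#    login while it is in that state, then "semodule -B" restores the rules.
show_hidden_denials() {
    semodule -DB
    echo "dontaudit rules disabled; reproduce the slim login, then press Enter" >&2
    read -r _dummy
    ausearch -m avc -c xauth -ts recent 2>/dev/null \
        || grep 'comm="xauth"' /var/log/audit/audit.log
    semodule -B
}

# 2. Emit the policy source. checkmodule needs a "module" header and a
#    require block naming every type and class the rules reference.
#    Only the fd and fifo_file rules were needed for login to succeed;
#    the sigchld rule silences the remaining logged denial and is harmless.
write_xauth_te() {
    cat <<'EOF'
module xauth_slim 1.0;

require {
    type xauth_t;
    type xdm_t;
    class fd use;
    class fifo_file { read getattr };
    class process sigchld;
}

# xauth reads the magic cookie from a pipe inherited from slim (xdm_t)
allow xauth_t xdm_t:fd use;
allow xauth_t xdm_t:fifo_file { read getattr };
# seen in the logs, but login works without it
allow xauth_t xdm_t:process sigchld;
EOF
}

# Number of allow rules the module carries (3): handy as a sanity check
# before loading a module generated from a noisy audit2allow run.
count_allow_rules() {
    write_xauth_te | grep -c '^allow '
}

# 3. Compile and load the module. Needs root plus checkpolicy and
#    policycoreutils; run "semodule -l | grep xauth_slim" afterwards.
build_and_load() {
    dir=${1:-/tmp/xauth_slim}
    mkdir -p "$dir"
    write_xauth_te > "$dir/xauth_slim.te"
    checkmodule -M -m -o "$dir/xauth_slim.mod" "$dir/xauth_slim.te"
    semodule_package -o "$dir/xauth_slim.pp" -m "$dir/xauth_slim.mod"
    semodule -i "$dir/xauth_slim.pp"
}
```

Source the file and call `show_hidden_denials` first to confirm the denials match (`scontext` xauth_t, `tcontext` xdm_t, classes fd and fifo_file); only then run `build_and_load`. Keeping the require block and the allow rules minimal is the point: an `audit2allow -M` module built from the raw log would also carry the `xserver_log_t` and `default_t` rules that the reporter found were unnecessary.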