joukewitteveen / xlogin

Automatic X login service for systemd
BSD 2-Clause "Simplified" License

SELinux blocks xlogin session #10

Open rapgro opened 8 years ago

rapgro commented 8 years ago
```
# journalctl --since today -r |grep xlogin
Feb 06 11:17:16 poldy systemd[1]: xlogin@raphael.service: Failed with result 'exit-code'.
Feb 06 11:17:16 poldy systemd[1]: xlogin@raphael.service: Unit entered failed state.
Feb 06 11:17:16 poldy systemd[1]: xlogin@raphael.service: Main process exited, code=exited, status=203/EXEC
Feb 06 11:17:16 poldy systemd[963]: xlogin@raphael.service: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:17:16 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 06 11:17:16 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 06 11:16:26 poldy systemd[1]: Stopping system-xlogin.slice.
Feb 06 11:16:26 poldy systemd[1]: Removed slice system-xlogin.slice.
Feb 06 11:14:24 poldy systemd[1]: xlogin@raphael.service: Failed with result 'exit-code'.
Feb 06 11:14:24 poldy systemd[1]: xlogin@raphael.service: Unit entered failed state.
Feb 06 11:14:24 poldy systemd[1]: xlogin@raphael.service: Main process exited, code=exited, status=203/EXEC
Feb 06 11:14:24 poldy systemd[963]: xlogin@raphael.service: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:14:24 poldy audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 06 11:14:24 poldy audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xlogin@raphael comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Feb 06 11:13:36 poldy systemd[1]: Stopping system-xlogin.slice.
Feb 06 11:13:36 poldy systemd[1]: Removed slice system-xlogin.slice.
# journalctl --since today -r |grep bash
Feb 06 11:17:16 poldy python3[1002]: SELinux is preventing (bash) from using the transition access on a process.
                                     If you believe that (bash) should be allowed transition access on processes labeled unconfined_t by default.
                                     # grep (bash) /var/log/audit/audit.log | audit2allow -M mypol
Feb 06 11:17:16 poldy setroubleshoot[1002]: SELinux is preventing (bash) from using the transition access on a process. For complete SELinux messages. run sealert -l 37be6b0d-fc58-4eb4-81cb-add09f70c136
Feb 06 11:17:16 poldy systemd[963]: xlogin@raphael.service: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:17:16 poldy audit[963]: AVC avc:  denied  { transition } for  pid=963 comm="(bash)" path="/usr/bin/bash" dev="sda4" ino=1442241 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Feb 06 11:14:24 poldy python3[989]: SELinux is preventing (bash) from using the transition access on a process.
                                    If you believe that (bash) should be allowed transition access on processes labeled unconfined_t by default.
                                    # grep (bash) /var/log/audit/audit.log | audit2allow -M mypol
Feb 06 11:14:24 poldy setroubleshoot[989]: SELinux is preventing (bash) from using the transition access on a process. For complete SELinux messages. run sealert -l 37be6b0d-fc58-4eb4-81cb-add09f70c136
Feb 06 11:14:24 poldy systemd[963]: xlogin@raphael.service: Failed at step EXEC spawning /usr/bin/bash: Permission denied
Feb 06 11:14:24 poldy audit[963]: AVC avc:  denied  { transition } for  pid=963 comm="(bash)" path="/usr/bin/bash" dev="sda4" ino=1442241 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
# sealert -l 37be6b0d-fc58-4eb4-81cb-add09f70c136
SELinux is preventing (bash) from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es (bash) standardmäßig erlaubt sein sollte, transition Zugriff auf unconfined_t Prozesse zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep (bash) /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        (bash)
Source Path                   (bash)
Port                          <Unknown>
Host                          poldy
Source RPM Packages           
Target RPM Packages           bash-4.3.42-3.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-158.2.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     poldy
Platform                      Linux poldy 4.3.4-300.fc23.x86_64 #1 SMP Mon Jan
                              25 13:39:23 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-02-06 11:14:24 CET
Last Seen                     2016-02-06 11:17:16 CET
Local ID                      37be6b0d-fc58-4eb4-81cb-add09f70c136

Raw Audit Messages
type=AVC msg=audit(1454753836.157:144): avc:  denied  { transition } for  pid=963 comm="(bash)" path="/usr/bin/bash" dev="sda4" ino=1442241 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

Hash: (bash),init_t,unconfined_t,process,transition
```
rapgro commented 8 years ago

Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1305236

joukewitteveen commented 8 years ago

This is interesting. I am not too familiar with SELinux. Does the error go away if you make your .xinitrc executable?

rapgro commented 8 years ago

That's an issue with the default SELinux policy in Fedora: it prevents the bash process, nothing about the .xinitrc file in particular. So far I have not received any feedback from the SELinux developers.
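The AVC record in the report above is the part that says what actually failed: systemd, running in `init_t`, was denied a process `transition` into `unconfined_t` when it exec'd `/usr/bin/bash` for the xlogin unit (the `status=203/EXEC` from systemd is only the symptom). As an added example, not part of this issue or of xlogin, here is a small Python parser that pulls those fields out of raw audit.log or journalctl lines and reports only the enforced (`permissive=0`) process-transition denials; the sample input is constructed, with the first line copied from the report and the other two made up to exercise the filtering.

```python
import re
from dataclasses import dataclass

# Constructed sample: line 1 is the AVC record from the report, line 2 is a
# non-AVC audit record, line 3 is a made-up permissive-mode file denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1454753836.157:144): avc:  denied  { transition } for  pid=963 comm="(bash)" path="/usr/bin/bash" dev="sda4" ino=1442241 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=SERVICE_START msg=audit(1454753836.100:143): pid=1 uid=0 msg='unit=xlogin@raphael res=success'
type=AVC msg=audit(1454753900.000:150): avc:  denied  { read } for  pid=1200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# `search` (not `match`) so the same regex works on journalctl lines that
# carry a "Feb 06 ... audit[963]: AVC " prefix before the avc: body.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

@dataclass
class AvcRecord:
    result: str
    perms: tuple
    fields: dict

    @property
    def source_type(self):  # type component of user:role:type:level, e.g. init_t
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def enforced(self):  # permissive=0 means the kernel actually blocked the action
        return self.fields.get("permissive") == "0"

def parse_avc(line):
    """Parse one AVC line into an AvcRecord, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(m.group("result"), tuple(m.group("perms").split()), fields)

def blocked_transitions(text):
    """(source_type, target_type, comm) for each enforced process-transition denial."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.result == "denied" and rec.fields.get("tclass") == "process"
                and "transition" in rec.perms and rec.enforced):
            out.append((rec.source_type, rec.target_type, rec.fields.get("comm")))
    return out
```

Run over the report's journal, this yields a single `('init_t', 'unconfined_t', '(bash)')` entry, which is exactly the policy gap the downstream Bugzilla report is about.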