I know GDM is not really approved for use in SELinux, but I tried the
patched version and got the following bizarre problem:
I got everything working, used it for a while and then logged out. When I left my office, the GDM screen was on the monitor (I turned off the monitor for the weekend). When I checked the system from home, it was down.
Now I restarted it and checked the logs:
..................
Jan 18 15:25:28 vorpal gdm(pam_unix)[5736]: session closed for user
jsmith
Jan 18 15:25:28 vorpal gdm[5736]: gdm_slave_xioerror_handler: Fatal X
error - Restarting :0
Jan 18 15:25:28 vorpal gnome-name-server[9333]: input condition is:
0x11, exiting
Jan 18 15:25:31 vorpal modprobe: modprobe: Can't locate module
char-major-81
Jan 18 15:25:36 vorpal gdm[1184]: gdm_child_action: Master halting...
Jan 18 15:25:38 vorpal kernel:
Jan 18 15:25:38 vorpal kernel: avc: denied { write } for pid=1184
exe=/sbin/init path=/dev/initctl dev=03:01 ino=24199
scontext=system_u:system_r:gdm_t tcontext=system_u:object_r:initctl_t
tclass=fifo_file
Jan 18 15:25:39 vorpal Font Server[1136]: terminating
Jan 18 15:25:39 vorpal xfs: xfs shutdown succeeded
Jan 18 15:25:40 vorpal gpm: gpm shutdown succeeded
Jan 18 15:25:41 vorpal kernel:
Jan 18 15:25:41 vorpal kernel: avc: denied { unlink } for pid=995
exe=/usr/sbin/httpd path=/run/httpd.mm.994.sem dev=03:05 ino=304630
scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t
tclass=file
Jan 18 15:25:44 vorpal httpd: httpd shutdown succeeded
Jan 18 15:25:44 vorpal sshd[869]: Received signal 15; terminating.
Jan 18 15:25:44 vorpal sshd: sshd -TERM succeeded
Jan 18 15:25:44 vorpal sendmail: sendmail shutdown succeeded
It looks to me as if the system did a normal shut down about 10 seconds after I logged out (?!). Unless some student tip-toed into my office and shut it down from the GDM menu (I was giving both of my classes online exams that were postponed by this outage), somehow GDM shut the system down on its own. At least I'm not going to use GDM with SELinux for a while...
Any ideas?
--
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
On 21 Jan 2002, Justin Smith wrote:
> I know GDM is not really approved for use in SELinux, but I tried the
> patched version and got the following bizarre problem:
Which version of the modified GDM were you using? What version of SELinux were you using? What is your base platform (RH7.1 or RH7.2)?
I haven't tried the newer version of the modified GDM yet, and I only ran the older version for short periods when I reviewed it and merged the gdm policy into the example policy. As you mention, we don't really support it.
> Jan 18 15:25:28 vorpal gdm(pam_unix)[5736]: session closed for user
> jsmith
> Jan 18 15:25:28 vorpal gdm[5736]: gdm_slave_xioerror_handler: Fatal X
> error - Restarting :0
> Jan 18 15:25:28 vorpal gnome-name-server[9333]: input condition is:
> 0x11, exiting
> Jan 18 15:25:31 vorpal modprobe: modprobe: Can't locate module
> char-major-81
> Jan 18 15:25:36 vorpal gdm[1184]: gdm_child_action: Master halting...
> Jan 18 15:25:38 vorpal kernel:
> Jan 18 15:25:38 vorpal kernel: avc: denied { write } for pid=1184
> exe=/sbin/init path=/dev/initctl dev=03:01 ino=24199
> scontext=system_u:system_r:gdm_t tcontext=system_u:object_r:initctl_t
> tclass=fifo_file
It is interesting that there are no avc denied messages prior to the fatal X error. This would seem to suggest a bug in the modified gdm rather than a policy problem, although it isn't certain. The final avc denied message is presumably just gdm trying to communicate with the init process to perform an emergency shutdown due to the fatal X error. At present, the example policy doesn't authorize this, so it should probably be added.
> It looks to me as if the system did a normal shut down about 10 seconds
> after I logged out (?!). Unless some student tip-toed into my office
> and shut it down from the GDM menu (I was giving both of my classes
> online exams that were postponed by this outage), somehow GDM shut the
> system down on its own. At least I'm not going to use GDM with SELinux
> for a while...
Yes, it looks like the modified GDM shut down your system due to some internal failure from which it could not recover.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

From: Justin Smith <jsmith_at_mcs.drexel.edu>
On Tue, 2002-01-22 at 10:21, Westerman, Mark wrote:
> Let me know
>
> Thanks,
> Mark
>
Well, gdm 2.2.3.1 seems to dislike enforcing mode. Whenever I use it in enforcing mode, it goes down within a few minutes (random short lengths of time --- between 5 and 30 seconds). There does not appear to be a problem in permissive mode since I've been able to use it for hours in that mode.
In addition, X windows does not appear to have a problem, by itself. I've been able to use X windows for hours in enforcing mode.
I don't think that it's a question of gdm getting permission denied because using it for hours in permissive mode (and setting the policy to catch all the denied messages) would have caught everything gdm tried to do. It must be some obscure interaction with the kernel...(ugh!)
I'm using Redhat 7.2 (upgraded from 7.1),
An Nvidia GEForce 2 MX card (with Nvidia's drivers recompiled for this system)
lsm-2.4-selinux-2002011718.
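Added example (not code from the thread or from the SELinux distribution): a small parser for the `avc: denied` records quoted above, which groups denials by source type, target type and class and prints the candidate `allow` rules a policy author would then review, such as the gdm_t to initctl_t rule discussed in the reply. The sample log is constructed by re-joining the mail-wrapped lines from the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: denials from the thread's log excerpt, with the
# mail-wrapped lines re-joined into single syslog records.
SAMPLE_LOG = """\
Jan 18 15:25:36 vorpal gdm[1184]: gdm_child_action: Master halting...
Jan 18 15:25:38 vorpal kernel: avc: denied { write } for pid=1184 exe=/sbin/init path=/dev/initctl dev=03:01 ino=24199 scontext=system_u:system_r:gdm_t tcontext=system_u:object_r:initctl_t tclass=fifo_file
Jan 18 15:25:41 vorpal kernel: avc: denied { unlink } for pid=995 exe=/usr/sbin/httpd path=/run/httpd.mm.994.sem dev=03:05 ino=304630 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_run_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec["perms"] = m.group(1).split()
    return rec

def type_of(context):
    """Extract the type from a user:role:type context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def candidate_rules(log_text):
    """Group denials by (source type, target type, class); emit allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        if src is None or tgt is None:
            continue  # skip records whose contexts cannot be parsed
        perms[(src, tgt, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = sorted(p)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The output is a list of candidates, not a policy: a denial such as httpd_t unlinking a var_run_t file may point at a labeling problem rather than a missing rule.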
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT