On Fri, 2007-02-23 at 15:33 +0100, Davide Bolcioni wrote:
On Friday 23 February 2007 13:50:21 you wrote:
On Thu, 2007-02-22 at 13:56 -0500, Daniel J Walsh wrote:
Davide Bolcioni wrote:
Greetings, I just tried the following:
yum install kernel-devel.x86_64
and got
Installing: kernel-devel ######################### [1/1] error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet failed, exit status 255
the failure seems to be related to the following in the audit log:
type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash"
which I understand being a failure to exec() bash, correct?
Apparently, yum is running as system_u:system_r:xdm_t, which I find somewhat surprising, but still.
Thank you for your consideration, Davide Bolcioni
There is a problem in the latest version of pam_selinux that is causing this problem.
You can either revert to the previous version of pam or wait for the next update.
gdm at least doesn't use pam_selinux AFAICS, so it wouldn't be affected by the pam_selinux bug.
If you log out and log back in, is your session still running in xdm_t? That is definitely wrong.
I am using kdm, which definitely includes pam_selinux.so in /etc/pam.d/kdm. Why doesn't gdm use pam_selinux? IIRC the point of PAM was to separate authentication, was it?
gdm has direct selinux support integrated into it. IIRC, we tried using pam_selinux with it but it performs the pam_open_session() from a different process than the one that ultimately exec's the user shell, so it didn't work. pam_selinux isn't authentication; it is setting the security context for the user shell. Whether or not it belongs in pam is open to debate, e.g. setting of the uid for the shell doesn't happen in pam either.
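The denial quoted in this thread, parsed and explained by an added example (not code from any of the posts above). The three audit records are the ones from the thread, grouped by their shared event serial; the set of domains a user session is expected to run in is an assumption made for the example, and flagging xdm_t as a login-program domain mirrors the diagnosis given in the replies (a session left in xdm_t is not a user domain, so the transition into rpm_script_t is denied).

```python
"""Parse the SELinux audit records quoted in the thread and explain the denied
domain transition.  Added example, not code from the original posts."""
import re
from collections import defaultdict

# Sample input: the three audit records from the thread (AVC, SYSCALL, AVC_PATH),
# one record per line, all sharing the event serial 1172166288.763:92.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1172166288.763:92): avc: denied { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172166288.763:92): path="/bin/bash"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<serial>[\d.]+:\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v 2"' into a dict, stripping quotes from quoted values."""
    out = {}
    for key, val in FIELD_RE.findall(text):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        out[key] = val
    return out


def parse_audit(text):
    """Group audit records by event serial; returns {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, other output)
        rtype, serial, body = m.group('type'), m.group('serial'), m.group('body')
        if rtype == 'AVC':
            a = AVC_RE.match(body)
            if not a:
                continue
            fields = parse_fields(a.group('fields'))
            fields['decision'] = a.group('decision')
            fields['perms'] = a.group('perms').split()
        else:
            fields = parse_fields(body)
        events[serial][rtype] = fields
    return dict(events)


def domain(context):
    """The type (third colon-separated field) of an SELinux security context."""
    return context.split(':')[2]


def explain_transition_denial(event):
    """Describe a denied process transition, combining the AVC record with the
    SYSCALL (which binary made the exec call) and AVC_PATH (what it tried to run)."""
    avc = event.get('AVC')
    if (not avc or avc['decision'] != 'denied'
            or avc.get('tclass') != 'process' or 'transition' not in avc['perms']):
        return None
    path = event.get('AVC_PATH', {}).get('path', avc.get('name', '?'))
    exe = event.get('SYSCALL', {}).get('exe', '?')
    return {
        'pid': int(avc['pid']),
        'comm': avc['comm'],
        'exe': exe,
        'executable': path,
        'source_domain': domain(avc['scontext']),
        'target_domain': domain(avc['tcontext']),
    }


# Domains a logged-in user's shell is expected to run in (assumption for this
# example). A display-manager domain such as xdm_t as the caller means the login
# program never switched the session to a user context, as the thread diagnoses.
USER_SESSION_DOMAINS = {'unconfined_t', 'user_t', 'staff_t', 'sysadm_t'}


def session_domain_looks_wrong(source_domain):
    """True when the denied caller runs in a non-user (e.g. login-program) domain."""
    return source_domain not in USER_SESSION_DOMAINS


if __name__ == '__main__':
    for serial, event in parse_audit(SAMPLE_AUDIT).items():
        info = explain_transition_denial(event)
        if info:
            print(f"{serial}: {info['comm']} (pid {info['pid']}, {info['exe']}) in "
                  f"{info['source_domain']} was denied transition to "
                  f"{info['target_domain']} when executing {info['executable']}")
            if session_domain_looks_wrong(info['source_domain']):
                print("  caller is not in a user domain; check the session with `id -Z` after re-login")
```

Run against the thread's records it reports that yum (pid 7023, /usr/bin/python) in xdm_t was denied a transition to rpm_script_t when executing /bin/bash, and flags xdm_t as the wrong domain for a user session, which is the check suggested above (`id -Z` after logging out and back in).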
selinux@lists.fedoraproject.org