Postinstall scriptlets failing?

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 23 14:40:22 UTC 2007


On Fri, 2007-02-23 at 15:33 +0100, Davide Bolcioni wrote:
> On Friday 23 February 2007 13:50:21 you wrote:
> > On Thu, 2007-02-22 at 13:56 -0500, Daniel J Walsh wrote:
> > > Davide Bolcioni wrote:
> > > > Greetings,
> > > > I just tried the following:
> > > >
> > > >   yum install kernel-devel.x86_64
> > > >
> > > > and got
> > > >
> > > >   Installing: kernel-devel                 #########################
> > > > [1/1] error: %post(kernel-devel-2.6.19-1.2911.fc6.x86_64) scriptlet
> > > > failed, exit status 255
> > > >
> > > > the failure seems to be related to the following in the audit log:
> > > >
> > > > type=AVC msg=audit(1172166288.763:92): avc:  denied  { transition } for
> > > > pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636
> > > > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> > > > tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
> > > > type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59
> > > > success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70
> > > > items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > > egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python"
> > > > subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
> > > > type=AVC_PATH msg=audit(1172166288.763:92):  path="/bin/bash"
> > > >
> > > > which I understand to be a failure to exec() bash, correct?
> > > >
> > > > Apparently, yum is running as system_u:system_r:xdm_t, which I find
> > > > somewhat surprising, but still.
> > > >
> > > > Thank you for your consideration,
> > > > Davide Bolcioni
> > >
> > > There is a problem in the latest version of pam_selinux that is causing
> > > this problem.
> > >
> > > You can either revert to the previous version of pam or wait for the
> > > next update.
> >
> > gdm at least doesn't use pam_selinux AFAICS, so it wouldn't be affected
> > by the pam_selinux bug.
> >
> > If you log out and log back in, is your session still running in xdm_t?
> > That is definitely wrong.
> 
> I am using kdm, which definitely includes pam_selinux.so in /etc/pam.d/kdm.
> Why doesn't gdm use pam_selinux? IIRC the point of PAM was to separate
> authentication, was it?

gdm has direct selinux support integrated into it.  IIRC, we tried using
pam_selinux with it but it performs the pam_open_session() from a
different process than the one that ultimately exec's the user shell, so
it didn't work.  pam_selinux isn't authentication; it is setting the
security context for the user shell.  Whether or not it belongs in pam
is open to debate, e.g. setting of the uid for the shell doesn't happen
in pam either.

-- 
Stephen Smalley
National Security Agency
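
The three audit records quoted at the top of this thread share one event id (1172166288.763:92) and only make sense together: the AVC record names the denied permission and the source/target contexts, the SYSCALL record names the executable and the failed syscall, and the AVC_PATH record names the file being executed. The following script is an added example, not part of the mailing-list thread or of any SELinux tool; it groups audit records by event id and summarizes each denial so that a domain-transition failure like this one (yum running in xdm_t, denied `transition` to rpm_script_t while exec'ing /bin/bash) is spelled out in one line. The sample log is constructed from the records quoted above; regex shapes and field names follow the standard audit record format.

```python
"""Group Linux audit records by event id and summarize SELinux AVC denials.

Added example for the thread above; the sample records are constructed
from the denial quoted in the original report.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC / SYSCALL / AVC_PATH records from the report,
# one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1172166288.763:92): avc:  denied  { transition } for pid=7023 comm="yum" name="bash" dev=dm-1 ino=409636 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172166288.763:92): arch=c000003e syscall=59 success=no exit=-13 a0=3b5afef a1=7fff58604730 a2=4112960 a3=5f74c70 items=0 ppid=6779 pid=7023 auid=503 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1172166288.763:92):  path="/bin/bash"
"""

# type=<RECORD> msg=audit(<seconds>.<millis>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values may be double-quoted, brace-delimited, or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
# avc:  denied  { perm1 perm2 } for <key=value ...>
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def parse_records(text):
    """Return {event_id: [(record_type, body), ...]} for every parsable line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events[m.group("event")].append((m.group("type"), m.group("body")))
    return events


def kv(body):
    """Split an audit record body into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def context_type(ctx):
    """Extract the type component (e.g. xdm_t) from user:role:type[:range]."""
    return ctx.split(":")[2]


def summarize_denials(text):
    """Correlate AVC, SYSCALL and AVC_PATH records per event and describe each denial."""
    summaries = []
    for event, records in parse_records(text).items():
        fields = {}
        for rtype, body in records:
            if rtype == "AVC":
                m = AVC_RE.match(body)
                if not m or m.group("result") != "denied":
                    continue
                fields["perms"] = m.group("perms").split()
                fields.update(kv(m.group("rest")))
            elif rtype == "SYSCALL":
                sc = kv(body)
                fields["exe"] = sc.get("exe")
                fields["syscall"] = sc.get("syscall")
                fields["exit"] = sc.get("exit")
            elif rtype == "AVC_PATH":
                fields["path"] = kv(body).get("path")
        if "perms" not in fields:
            continue  # event carried no denial
        tclass = fields.get("tclass")
        summaries.append({
            "event": event,
            "source_type": context_type(fields["scontext"]),
            "target_type": context_type(fields["tcontext"]),
            "tclass": tclass,
            "perms": fields["perms"],
            "exe": fields.get("exe"),
            "path": fields.get("path"),
            "syscall": fields.get("syscall"),
            "exit": fields.get("exit"),
            # A denied 'transition' on class 'process' means the exec was refused
            # because policy does not let the source domain enter the target domain.
            "domain_transition_denied": tclass == "process" and "transition" in fields["perms"],
        })
    return summaries


def describe(summary):
    """One-line human-readable rendering of a summarized denial."""
    what = "domain transition" if summary["domain_transition_denied"] else "access"
    return (f"event {summary['event']}: {summary['exe']} running in {summary['source_type']} "
            f"was denied {what} to {summary['target_type']} ({summary['tclass']}: "
            f"{' '.join(summary['perms'])}) while executing {summary['path']} "
            f"[syscall {summary['syscall']}, exit {summary['exit']}]")


if __name__ == "__main__":
    for s in summarize_denials(SAMPLE_AUDIT_LOG):
        print(describe(s))
```

On x86_64 (arch=c000003e) syscall 59 is execve and exit=-13 is -EACCES, which is what yum sees when the kernel refuses the rpm_script_t transition; the summary makes that relationship explicit instead of leaving the reader to match three records by hand. The same correlation is what a check like Stephen's "is your session still running in xdm_t?" should be followed up with: the source type in the denial tells you which domain the session really got.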