[DSE-Dev] Bug#683756: selinux in permissive mode breaks gdm and X

Ron Murray rjmx at rjmx.net
Wed Sep 5 00:32:19 UTC 2012 

Package: selinux-policy-default
Version: 2:2.20110726-9
Followup-For: Bug #683756

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did some work on the remaining machine today. First I enabled
debugging on the gdm3 daemon, set up an strace, and started gdm. As
before, gdm3 respawned multiple times in short order before I stopped
it.

Only serious thing I could find was this, in one of the Xorg logs:

 ----------------------------------------------------
[   498.407] Backtrace:
[   498.407] 0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x7feccd3b7ae6]
[   498.407] 1: /usr/bin/Xorg (0x7feccd239000+0x182609) [0x7feccd3bb609]
[   498.407] 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7feccc561000+0xf030) [0x7feccc570030]
[   498.407] 3: /usr/lib/xorg/modules/extensions/libextmod.so (0x7fecca361000+0x18cda) [0x7fecca379cda]
[   498.407] 4: /usr/lib/xorg/modules/extensions/libextmod.so (0x7fecca361000+0x19b90) [0x7fecca37ab90]
[   498.407] 5: /usr/bin/Xorg (_CallCallbacks+0x34) [0x7feccd290594]
[   498.407] 6: /usr/bin/Xorg (XaceHook+0xe8) [0x7feccd329a28]
[   498.408] 7: /usr/bin/Xorg (0x7feccd239000+0x1175c0) [0x7feccd3505c0]
[   498.408] 8: /usr/bin/Xorg (0x7feccd239000+0x12082c) [0x7feccd35982c]
[   498.408] 9: /usr/bin/Xorg (0x7feccd239000+0x52e41) [0x7feccd28be41]
[   498.408] 10: /usr/bin/Xorg (0x7feccd239000+0x41ed5) [0x7feccd27aed5]
[   498.408] 11: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xfd) [0x7feccb28bead]
[   498.408] 12: /usr/bin/Xorg (0x7feccd239000+0x421ad) [0x7feccd27b1ad]
[   498.408] 
[   498.408] Segmentation fault at address (nil)
[   498.408] 
Fatal server error:
[   498.408] Caught signal 11 (Segmentation fault). Server aborting
[   498.408] 
[   498.408] 

 ----------------------------------------------------

   Other logs seemed to reflect this ("Couldn't connect to X server",
etc). As an experiment, and in the absence of anything else to try, I
moved /usr/lib/xorg/modules/extensions/libextmod.so temporarily out of
the way and started gdm3, and this time it worked -- login screen
appeared, and I was able to log in and use the machine normally.

   Clearly some things won't work on the box now, but I can live with
that for now. I think we have a pointer to the problem: it seems
there's a bug in libextmod. A 'strings' command on libextmod.so gives
lots of selinux references, which probably don't come into play with
selinux turned off, but may do so even in permissive mode.

   It's odd, though, that it only happens on some boxes and not
others. This particular box has an nVidia video card and I'm using the
proprietary drivers, but I have another box with roughly the same
setup and it worked after I did the context change on /usr/sbin/gdm3.

   I don't really want to start delving into the X sources at my stage
in life. Should we pass this on to the X maintainers? Or start a new
bug?

 .....Ron


- -- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5.3-khufu-0 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
ii  logcheck        1.3.15
pn  syslog-summary  <none>

- -- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQRp2FAAoJEDHYrtWvbQ1Kf6IP/iJKrX3KzwNy0Ftw9B1kIAAK
IvV+aygCCxqbi8+SGvL+2bwXGcU8dgvFOLA5SI9tzuepwz/azkYzZ1UfcHhnM4o/
1TsU2/AdXZUEuMSzkJ2i0iW+TnlQd7KLYAdiRUYCNn4wtNeEsN7dQycx3go7Gk1E
PpeqW1p4yvJvpOyDGYmCq/1/faJMcUk8l6oq21S7YtEiANHckJNC4Q9o09gEVV4W
u1q/vsPYjwRsYaOGSTC4apmwNP1wL9kqkzRKmn/PwXBAGrdatx+uZ8Y4z5g+yIVa
x7G+88C+hKSrP/7C6nDiipjaqTs4/FAkjmjDU74KEu8xMEv1e9DuaWEIw2kx30Df
+WRiXJ5e9aR6Qtj14STQt1a8pJTnrx1pCe0qmTevr40YrHa7MBhJiSknBFqgG2Ta
Jx1yxAxNmql9HgmyYRkvQfB4I6i8heojmPam/T9Ln38VbpUn22GXK2h3JR5HbDe4
odm5J1R/PYYVY3PhWfnDMgRpEmRDKStpt5MyvRJcZLrMHkw1yq3Zt0Ho/OJSQOeU
Yv0re9OSDAjfmXLK/YnmLY3ARksghQEdwPVpano64IGsXToiD7Tb9ZntUTo5yy/K
4nOX8fAOUOAkGEDhI651RCW+Rhk8Wzrebar4NNbXVJIfqOomDncVwNaKSDCrdFnd
G5RGy/F+XCppwt7PO3D5
=CZNI
-----END PGP SIGNATURE-----

More information about the SELinux-devel mailing list