[DSE-Dev] Bug#850116: SEGV is always a bug in app or library

Russell Coker russell at coker.com.au
Fri Jan 13 15:43:29 UTC 2017


reassign 850116 gdm3
thanks

I find it difficult to think of situations where a SEGV in a program is anything 
other than a bug in the program or a library it uses.  If the program is 
prevented from doing something it wants to do (by SE Linux, Unix permissions, 
a filesystem error, lack of disk space, etc) it should log an error so that the 
sysadmin can fix the problem.

There are some situations in which an out of memory error can legitimately 
excuse a SEGV due to the need to allocate memory to log an error.  But even 
that isn't a desirable situation and if it's repeatable it becomes a bug.

The current SE Linux policy for XDM type programs works well for kdm (even 
though it's obsolete it still works), xdm, and sddm.  When I was developing 
the policy for those programs (when the policy didn't permit everything they 
wanted to do) they didn't SEGV, and I think it's reasonable to expect that 
gdm3 not SEGV if it is in similar situations (which it isn't).

When gdm3 SEGVs it is not giving an AVC error.  So the things that it is 
asking to do SE Linux is permitting.  The issue is most likely something 
related to interactions with PAM module SE Linux checks.

It is plausible that further investigation will determine that this bug should 
be reassigned to pam or something else.  But I can't imagine any way in which 
refpolicy could be a reasonable assignment for this bug.

When working on this I ran "semodule -DB" and iteratively installed rules 
allowing everything that gdm3 tried to do, but it still gave a SEGV.

Below is an extract from the SE Linux policy for XDM type programs.  These are 
all programs that have worked in the past.  Previous versions of GDM worked, 
gpe-dm worked, slim worked, lightdm worked, and wdm worked.  Once this SEGV 
issue is solved I'll make it work.

/opt/kde3/bin/kdm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/gdm(3)?      --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/gdm-binary   --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/lxdm(-binary)? --    gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/[xkw]dm      --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/sddm           --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm         --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim           --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/sbin/lightdm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/X11R6/bin/[xgkw]dm --      gen_context(system_u:object_r:xdm_exec_t,s0)

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
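
Added example, not part of the original message or of refpolicy: a small Python parser for the file-context extract quoted above, showing which executable paths its entries label as xdm_exec_t. It assumes each regex is anchored at both ends of the path, checks this extract only (not the rest of the policy), and uses constructed sample paths; the names parse_fc, matching_entries and label_type are hypothetical.

```python
import re
from typing import NamedTuple

# Entries copied verbatim from the policy extract in the message above.
FC_EXTRACT = """\
/opt/kde3/bin/kdm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/gdm(3)?      --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/gdm-binary   --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/lxdm(-binary)? --    gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/s?bin/[xkw]dm      --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/sddm           --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm         --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim           --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/sbin/lightdm       --      gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/X11R6/bin/[xgkw]dm --      gen_context(system_u:object_r:xdm_exec_t,s0)
"""

class Entry(NamedTuple):
    regex: str    # path regular expression
    ftype: str    # file type specifier; "--" limits the entry to regular files
    context: str  # user:role:type
    level: str    # MLS/MCS range

LINE_RE = re.compile(r"(\S+)\s+(?:(-[-dcbslp])\s+)?gen_context\(([^,]+),([^)]+)\)")

def parse_fc(text):
    """Parse .fc lines into Entry tuples, rejecting anything malformed."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable .fc line: {line!r}")
        entries.append(Entry(m[1], m[2] or "", m[3], m[4]))
    return entries

def matching_entries(entries, path):
    # Anchored match: the regex must cover the whole path, not a prefix.
    return [e for e in entries if re.fullmatch(e.regex, path)]

def label_type(entries, path):
    """Type field of the matching entries, or None if this extract has no match."""
    types = {e.context.split(":")[2] for e in matching_entries(entries, path)}
    return types.pop() if types else None

if __name__ == "__main__":
    fc = parse_fc(FC_EXTRACT)
    # Constructed sample paths, not taken from the bug report.
    for p in ("/usr/sbin/gdm3", "/usr/bin/gdm", "/usr/bin/lightdm", "/usr/sbin/gdm3.bak"):
        print(f"{p:22} {label_type(fc, p)}")
```

On a running system, matchpathcon or "ls -Z" on the display manager binary shows the label the full policy actually assigns.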
