Centos End Session Behavior the same as RHEL?

[rharker]

This is the aureport -a and the timestamp is from the last normal user login.

526. 03/28/2018 11:58:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 42 unix_dgram_socket sendto system_u:system_r:xserver_t:s0-s0:c0.c1023 denied 169
527. 03/28/2018 11:58:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 9 file execute system_u:object_r:xdm_var_lib_t:s0 denied 170
528. 03/28/2018 12:13:09 Web Content unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 2 file read system_u:object_r:admin_home_t:s0 denied 213
529. 03/28/2018 12:14:51 gnome-session-c system_u:system_r:xdm_t:s0-s0:c0.c1023 42 unix_dgram_socket sendto system_u:system_r:xserver_t:s0-s0:c0.c1023 denied 218
530. 03/28/2018 12:14:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 42 unix_dgram_socket sendto system_u:system_r:xserver_t:s0-s0:c0.c1023 denied 219
531. 03/28/2018 12:14:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 9 file execute system_u:object_r:xdm_var_lib_t:s0 denied 220

[TrevorH]

527. 03/28/2018 11:58:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 9 file execute system_u:object_r:xdm_var_lib_t:s0 denied 170
528. 03/28/2018 12:13:09 Web Content unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 2 file read system_u:object_r:admin_home_t:s0 denied 213
531. 03/28/2018 12:14:51 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 9 file execute system_u:object_r:xdm_var_lib_t:s0 denied 220

Those look like the suspicious ones there though the one about socket sendto probably also wants investigating. I would suspect that your files are mislabeled somewhere. Next step is to find out which ones and why. For each of those entries in aureport -a, take the number off the right hand end of the line and feed that into ausearch -a nnnn - so for example, for the last one, run ausearch -a 220 and post the output from that if it doesn't let you fix it yourself.

If you mv files around then it preserves the initial selinux context of the original location and the file ends up in the right place but with the wrong label on it. A prime example of that is the 2nd one in that list which is complaining that the target file has a context of admin_home_t which looks to me like someone took a file from /root and mv'ed it to the end location and it's still got the incorrect label on it. Use restorecon -RFv to reset it to the correct label based on its current location. Use mv -Z to avoid the problem altogether as that tells it to assign the correct label to the file based on its target location or use cp which always does that.

Some avc's for files will have a field in them with "ino=nnnn" and that is the inode number of the file causing the problem and can be fed into find /mountpoint -inum nnnn to discover which file it is. The dev="dm-0" type field tells you which filesystem that was on so look in /dev/mapper to find the right LV to work out what dm-0 is then check where that is mounted and substitute that for /mountpoint in the find.

[rharker]

This is the gdmposses.sog=====================
SHELL=/bin/bash
USER=rharker
USERNAME=rharker
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
PWD=/
SHLVL=1
HOME=/home/rharker
LOGNAME=rharker
DISPLAY=:1
RUNNING_UNDER_GDM=true
XAUTHORITY=/run/gdm/auth-for-gdm-GFC3Sg/database
_=/bin/env

[rharker]

My system doesn't seem to have the $RUNNING_UNDER_GDM environment variable. Could this be it?

[rharker]

Meaning if I use $ Tab Tab I only list the following:

Code: Select all

[root@b400 ~]# $
Display all 134 possibilities? (y or n)
$_                                    $DIRSTACK                             $__GLX_VENDOR_LIBRARY_NAME            $KONSOLE_DBUS_SESSION                 $PS1                                  $TMPPATH
$ABRT_DEBUG_LOG                       $DISPLAY                              $GROUPS                               $KONSOLE_DBUS_WINDOW                  $PS2                                  $UID
$_backup_glob                         $DYNAMICS_CENTER                      $GS_LIB                               $KONSOLE_PROFILE_NAME                 $PS4                                  $USER
$BASH                                 $EUID                                 $GTK2_RC_FILES                        $LANG                                 $PWD                                  $USERNAME
$BASH_ALIASES                         $GDM_LANG                             $GTK_IM_MODULE                        $LANGUAGE                             $QTDIR                                $WINDOWID
$BASH_ARGC                            $GDMSESSION                           $HISTCMD                              $LESSOPEN                             $QT_GRAPHICSSYSTEM_CHECKED            $WINDOWPATH
$BASH_ARGV                            $__git_all_commands                   $HISTCONTROL                          $LINENO                               $QT_IM_MODULE                         $XAUTHORITY
$BASH_CMDS                            $__git_diff_algorithms                $HISTFILE                             $LINES                                $QTINC                                $XCURSOR_THEME
$BASH_COMMAND                         $__git_diff_common_options            $HISTFILESIZE                         $LOGNAME                              $QTLIB                                $XDG_CURRENT_DESKTOP
$BASH_COMPLETION_COMPAT_DIR           $__git_fetch_options                  $HISTSIZE                             $LPATHDIR                             $QT_PLUGIN_PATH                       $XDG_DATA_DIRS
$BASH_LINENO                          $__git_format_patch_options           $HOME                                 $LS_COLORS                            $RANDOM                               $XDG_MENU_PREFIX
$BASHOPTS                             $__git_log_common_options             $HOSTNAME                             $MACHTYPE                             $SECONDS                              $XDG_RUNTIME_DIR
$BASHPID                              $__git_log_date_formats               $HOSTTYPE                             $MAIL                                 $SESSION_MANAGER                      $XDG_SEAT
$BASH_SOURCE                          $__git_log_gitk_options               $ID                                   $MAILCHECK                            $SHELL                                $XDG_SESSION_DESKTOP
$BASH_SUBSHELL                        $__git_log_pretty_formats             $IFS                                  $MICS_HOME                            $SHELLOPTS                            $XDG_SESSION_ID
$BASH_VERSINFO                        $__git_log_shortlog_options           $IMSETTINGS_INTEGRATE_DESKTOP         $OPTERR                               $SHELL_SESSION_ID                     $XDG_SESSION_TYPE
$BASH_VERSION                         $__git_merge_options                  $IMSETTINGS_MODULE                    $OPTIND                               $SHLVL                                $XDG_VTNR
$COLORFGBG                            $__git_merge_strategies               $KDEDIRS                              $OSTYPE                               $SINCE                                $XMODIFIERS
$colors                               $__git_mergetools_common              $KDE_FULL_SESSION                     $PATH                                 $SINCEFILE                            $_xspecs
$COLUMNS                              $__git_porcelain_commands             $KDE_MULTIHEAD                        $PIPESTATUS                           $SSH_AGENT_PID                        
$COMP_WORDBREAKS                      $__git_send_email_confirm_options     $KDE_SESSION_UID                      $PPID                                 $SSH_ASKPASS                          
$DBUS_SESSION_BUS_ADDRESS             $__git_send_email_suppresscc_options  $KDE_SESSION_VERSION                  $PROFILEHOME                          $SSH_AUTH_SOCK                        
$DESKTOP_SESSION                      $__git_whitespacelist                 $KONSOLE_DBUS_SERVICE                 $PROMPT_COMMAND                       $TERM                                 
[root@b400 ~]# $
bash: $: command not found
[root@b400 ~]# 

[rharker]

Is it possible that I am hitting this bug?

https://bugzilla.redhat.com/show_bug.cgi?id=851769

[TrevorH]

I think that if it was that then it wouldn't work for me and it does.

Did you fix all your selinux denials yet?

[rharker]

I still have these 3 and I get upon login an SELinux Security Alert AVC Denial:

Code: Select all

594. 03/29/2018 10:10:20 gnome-session-c system_u:system_r:xdm_t:s0-s0:c0.c1023 42 unix_dgram_socket sendto system_u:system_r:xserver_t:s0-s0:c0.c1023 denied 271
595. 03/29/2018 10:10:20 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 42 unix_dgram_socket sendto system_u:system_r:xserver_t:s0-s0:c0.c1023 denied 272
596. 03/29/2018 10:10:20 gnome-shell system_u:system_r:xdm_t:s0-s0:c0.c1023 9 file execute system_u:object_r:xdm_var_lib_t:s0 denied 273
[root@b400 ~]# 

I feel we're close to the answer.

[TrevorH]

Post the output from the following three commands:

Code: Select all

ausearch -a 271
ausearch -a 272
ausearch -a 273

[rharker]

Code: Select all

time->Thu Mar 29 10:10:20 2018
type=PROCTITLE msg=audit(1522332620.536:271): proctitle=2F7573722F6C6962657865632F676E6F6D652D73657373696F6E2D636865636B2D616363656C6572617465642D676C2D68656C706572002D2D7072696E742D72656E6465726572
type=SYSCALL msg=audit(1522332620.536:271): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fffee1fbc80 a2=42 a3=7fffee1fb6e0 items=0 ppid=4741 pid=4752 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-session-c" exe="/usr/libexec/gnome-session-check-accelerated-gl-helper" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1522332620.536:271): avc:  denied  { sendto } for  pid=4752 comm="gnome-session-c" path=006E7669646961646431373233653200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
----
time->Thu Mar 29 11:40:01 2018
type=USER_START msg=audit(1522338001.841:271): pid=4528 uid=0 auid=0 ses=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[root@b400 ~]# 

Code: Select all

time->Thu Mar 29 10:10:20 2018
type=PROCTITLE msg=audit(1522332620.536:271): proctitle=2F7573722F6C6962657865632F676E6F6D652D73657373696F6E2D636865636B2D616363656C6572617465642D676C2D68656C706572002D2D7072696E742D72656E6465726572
type=SYSCALL msg=audit(1522332620.536:271): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fffee1fbc80 a2=42 a3=7fffee1fb6e0 items=0 ppid=4741 pid=4752 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-session-c" exe="/usr/libexec/gnome-session-check-accelerated-gl-helper" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1522332620.536:271): avc:  denied  { sendto } for  pid=4752 comm="gnome-session-c" path=006E7669646961646431373233653200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
----
time->Thu Mar 29 11:40:01 2018
type=USER_START msg=audit(1522338001.841:271): pid=4528 uid=0 auid=0 ses=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[root@b400 ~]# 

Code: Select all

----
---
time->Thu Mar 29 10:10:20 2018
type=PROCTITLE msg=audit(1522332620.662:273): proctitle="/usr/bin/gnome-shell"
type=SYSCALL msg=audit(1522332620.662:273): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=40000 a2=5 a3=1 items=0 ppid=4732 pid=4761 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1522332620.662:273): avc:  denied  { execute } for  pid=4761 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2E676C766E64665533314847202864656C6574656429 dev="sda4" ino=1311689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
----
time->Thu Mar 29 11:40:01 2018
type=CRED_DISP msg=audit(1522338001.860:273): pid=4528 uid=0 auid=0 ses=9 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'