Bug 1032934

Summary: SELinux is preventing /usr/libexec/gdm-session-worker from 'entrypoint' accesses on the file /usr/libexec/gdm-session-worker.
Product: [Fedora] Fedora
Reporter: Ronen Hod <rhod>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: bvicente, cyrusyzgtt, dcaroest, dominick.grift, dwalsh, holzstock, hugh, knoel, lvrabec, mgrepl, noelduffy, prestontunnellwilson, spetreolle, teupoui
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:df8c180c7f16aadeeaf6690d1ebf644cbb1c927073f93da5fd4e2a567c0277dc
Doc Type: Bug Fix
Last Closed: 2013-11-22 19:01:42 UTC

Description Ronen Hod 2013-11-21 09:27:59 UTC
Description of problem:
SELinux is preventing /usr/libexec/gdm-session-worker from 'entrypoint' accesses on the file /usr/libexec/gdm-session-worker.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gdm-session-worker should be allowed entrypoint access on the gdm-session-worker file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/gdm-session-worker [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-3.8.4-2.fc19.x86_64
Target RPM Packages           gdm-3.8.4-2.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.13.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.8-200.fc19.x86_64 #1 SMP Wed
                              Nov 13 16:29:59 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-21 11:25:58 IST
Last Seen                     2013-11-21 11:25:58 IST
Local ID                      98a4ad6c-78fe-48ac-b21d-982bcfb40a67

Raw Audit Messages
type=AVC msg=audit(1385025958.137:9434): avc:  denied  { entrypoint } for  pid=18749 comm="gdm-session-wor" path="/usr/libexec/gdm-session-worker" dev="dm-7" ino=164344 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file


type=SYSCALL msg=audit(1385025958.137:9434): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fcdc0aa8c90 a1=7fcdc0abd658 a2=7fcdc0a98100 a3=7fff7c63df30 items=0 ppid=2277 pid=18749 auid=16365 uid=0 gid=16365 euid=0 suid=0 fsuid=0 egid=16365 sgid=16365 fsgid=16365 ses=1 tty=(none) comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gdm-session-wor,xdm_t,bin_t,file,entrypoint

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-200.fc19.x86_64
type:           libreport
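
An added example (not part of the original report, and not setroubleshoot's own code): a Python parser for the AVC record above that extracts the source and target types and rebuilds the tuple shown on the report's Hash line. The function names are hypothetical, and the field order of the tuple is an assumption taken from the Hash line on this page.

```python
import re

# The AVC record from this report's "Raw Audit Messages" section.
SAMPLE_AVC = (
    'type=AVC msg=audit(1385025958.137:9434): avc:  denied  { entrypoint } for  '
    'pid=18749 comm="gdm-session-wor" path="/usr/libexec/gdm-session-worker" '
    'dev="dm-7" ino=164344 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["result"] = result
    fields["perms"] = perms.split()
    # An SELinux context is user:role:type:level; the level may itself contain ':'
    # (s0-s0:c0.c1023), so split at most three times.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":", 3)
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def hash_key(avc):
    """Build comm,source type,target type,class,permission (order assumed from the Hash line)."""
    return ",".join([avc["comm"], avc["scontext_type"], avc["tcontext_type"],
                     avc["tclass"], " ".join(avc["perms"])])


def is_entrypoint_denial(avc):
    """True for a denied 'entrypoint' check on a file, the failure seen in this bug."""
    return (avc is not None and avc["result"] == "denied"
            and "entrypoint" in avc["perms"] and avc.get("tclass") == "file")


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(hash_key(rec), is_entrypoint_denial(rec))
```
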

Comment 1 holzstock 2013-11-22 08:50:59 UTC
Description of problem:
After reviving the laptop from Stand-by it showed me the lock screen. While I was able to press enter to view the screen where I can enter my password, it did not react to any further action from me. I was not able to log in as I could not enter my password. I could not click the password field. After a shutdown everything went back to normal.

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-200.fc19.i686.PAE
type:           libreport

Comment 2 David Caro 2013-11-22 14:17:19 UTC
Description of problem:
Left the laptop installing upgrades, and found that message after the upgrades finished.

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.7-200.fc19.x86_64
type:           libreport

Comment 3 Daniel Walsh 2013-11-22 19:01:42 UTC
If you reboot the machine you should not see the message again.  It was caused by the upgrade.  If everything is working ok, you can ignore it.

Comment 4 D. Hugh Redelmeier 2013-11-26 01:22:22 UTC
I got this too.  I had left the machine updating and, when I returned, could not get past the password entry screen.

Another symptom, one that should be fixed: gpk-update-view is eating 69.0% of the CPU until I shut the system down.

Comment 5 Noel Duffy 2013-12-07 04:06:12 UTC
I just got this. 

 $ cat /etc/issue
Fedora release 19 (Schrödinger’s Cat)

/var/log/messages:

Dec  7 16:53:58 pariah setroubleshoot: SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/libexec/gdm-session-worker. For complete SELinux messages. run sealert -l c4b012a8-8fb7-469c-9481-341082b02e5c
Dec  7 16:54:00 pariah gdm[1271]: Could not start command '/usr/libexec/gdm-session-worker': Failed to execute child process "/usr/libexec/gdm-session-worker" (Permission denied)
Dec  7 16:54:00 pariah gdm[1271]: Tried to look up non-existent conversation gdm-password
Dec  7 16:54:00 pariah gnome-session[22024]: JS ERROR: !!!   Failed to start verification for user
Dec  7 16:54:00 pariah gnome-session[22024]: JS ERROR: !!!     message = '"GDBus.Error:org.freedesktop.DBus.Error.Spawn.Failed: Could not create authentication helper process"'
Dec  7 16:54:00 pariah gnome-session[22024]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/util.js"'
Dec  7 16:54:00 pariah gnome-session[22024]: JS ERROR: !!!     lineNumber = '308'
Dec  7 16:54:00 pariah gnome-session[22024]: JS ERROR: !!!     stack = '"0 anonymous("result" = [object GObject_Object], "obj" = [object GObject_Object])@/usr/share/gnome-shell/js/gdm/util.js:308
Dec  7 16:54:00 pariah gnome-session[22024]: "'
Dec  7 16:54:00 pariah setroubleshoot: SELinux is preventing /usr/libexec/gdm-session-worker from entrypoint access on the file /usr/libexec/gdm-session-worker. For complete SELinux messages. run sealert -l c4b012a8-8fb7-469c-9481-341082b02e5c
Dec  7 16:54:24 pariah fprintd[21347]: ** Message: No devices in use, exit

I left updates running and returned to find my laptop has locked me out.

I find the official response to this stunning. A blithe "just reboot" is absolutely unacceptable. This is precisely the sort of idiotic and stupid breakage that causes people to throw their hands up in despair and return to Windows. Can anyone imagine the howls of outrage if a Windows or Mac update locked people out until they rebooted? There would be demands for sackings and public apologies.

Comment 6 Daniel Walsh 2014-01-02 23:13:14 UTC
*** Bug 1045768 has been marked as a duplicate of this bug. ***

Comment 7 Sylvain Petreolle 2014-01-05 16:03:37 UTC
(In reply to Daniel Walsh from comment #3)
> If you reboot the machine you should not see the message again.  It was
> caused by the upgrade.  If everything is working ok, you can ignore it.

Are you sure it won't happen again on the next gdm upgrade?

Comment 8 Miroslav Grepl 2014-01-06 09:30:49 UTC
It should be OK with the next gdm upgrade.

Comment 9 Daniel Walsh 2015-01-03 16:38:27 UTC
*** Bug 1178251 has been marked as a duplicate of this bug. ***