| Summary: | SELinux is preventing /usr/sbin/gdm from 'entrypoint' accesses on the file /usr/libexec/gdm-session-worker. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Michal Nowak <mnowak> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, przemek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:ae42d00c75697efcc8865710cafa320bf01025e7cbdd807db6920aacae99c2a9 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-27 13:58:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If you log out and back in this bug will not happen again. We had an update that caused the problem. Sadly we can not fix it, but it is not really a problem. I got hit by this bug but I couldn't even log out: the screen lock password widget was disabled and I couldn't find a way to log out from the graphic screen. On one system I logged in on a text console (Ctrl-Alt-F2) and 'killall gnome-session', but even then I had to reboot once, whereas the first login failed, so I had to log in for the second time, which was successful. On another system, I did 'setenforce permissive' which allowed me to enter the password for screen lock but then the session died. I did 'setenforce enforcing' and logged in which worked as per Daniel's comment. |
Description of problem: SELinux is preventing /usr/sbin/gdm from 'entrypoint' accesses on the file /usr/libexec/gdm-session-worker. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that gdm should be allowed entrypoint access on the gdm-session-worker file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gdm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/libexec/gdm-session-worker [ file ] Source gdm Source Path /usr/sbin/gdm Port <Unknown> Host (removed) Source RPM Packages gdm-3.8.4-2.fc19.x86_64 Target RPM Packages gdm-3.8.4-2.fc19.x86_64 Policy RPM selinux-policy-3.12.1-74.13.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.11.8-200.fc19.x86_64 #1 SMP Wed Nov 13 16:29:59 UTC 2013 x86_64 x86_64 Alert Count 8 First Seen 2013-11-21 22:31:56 CET Last Seen 2013-11-21 22:39:40 CET Local ID 8ce0dbd0-b849-4730-b41c-bdebad2c472e Raw Audit Messages type=AVC msg=audit(1385069980.296:541): avc: denied { entrypoint } for pid=3263 comm="gdm-session-wor" path="/usr/libexec/gdm-session-worker" dev="dm-2" ino=159957 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file type=SYSCALL msg=audit(1385069980.296:541): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f34e667c840 a1=7f34e667c8c8 a2=7f34e667d620 a3=7fff3b771000 items=0 ppid=1227 pid=3263 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: gdm,xdm_t,bin_t,file,entrypoint Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.9-200.fc19.x86_64 type: libreport