Bug 1114192
| Summary: | SELinux is preventing /usr/bin/sddm from 'write' accesses on the file . | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Juan Orti Alcaine <jorti> |
| Component: | sddm | Assignee: | Martin Bříza <mbriza> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | bitlord0xff, dominick.grift, dvratil, dwalsh, jgrulich, jorti, kevin, ltinkl, lvrabec, mbriza, mgrepl, orion, rdieter, sirdeiu |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:998c0f988886d919e1817c6b1639a81e5814289c3a83f34f368bc5dcd0fc2459 | ||
| Fixed In Version: | sddm-0.9.0-2.20141007git6a28c29b.fc21 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-28 06:46:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Why does sddm write to its config FIle? The old version of sddm did that to record LastUser, but I believe the latest version does not do that anymore. Please upgrade to at least, https://admin.fedoraproject.org/updates/FEDORA-2014-7755/sddm-0.2.0-0.31.20140627gitf49c2c79.fc20 and retest please. It has happenend again:
# rpm -q sddm
sddm-0.2.0-0.31.20140627gitf49c2c79.fc20.x86_64
SELinux is preventing /usr/bin/sddm from write access on the file .
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow sddm to have write access on the file
Then necesita modificar la etiqueta en $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
donde FILE_TYPE es uno de los siguientes: afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, user_tmpfs_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmp_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t.
Luego ejecute:
restorecon -v '$FIX_TARGET_PATH'
***** Plugin catchall (17.1 confidence) suggests **************************
If cree que de manera predeterminada, sddm debería permitir acceso write sobre file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep sddm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:etc_t:s0
Target Objects [ file ]
Source sddm
Source Path /usr/bin/sddm
Port <Unknown>
Host <removed>
Source RPM Packages sddm-0.2.0-0.31.20140627gitf49c2c79.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <removed>
Platform Linux <removed>
3.15.4-200.1.fc20.1.x86_64 #1 SMP Fri Jul 11
14:02:03 CEST 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-07-15 18:58:50 CEST
Last Seen 2014-07-15 18:58:50 CEST
Local ID 9b88a9a8-9e8a-4a29-a6a5-99c708581b39
Raw Audit Messages
type=AVC msg=audit(1405443530.128:788): avc: denied { write } for pid=1804 comm="sddm" name="sddm.conf" dev="sda2" ino=7793701 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1405443530.128:788): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5da27e48 a1=80042 a2=1b6 a3=4 items=0 ppid=1 pid=1804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sddm exe=/usr/bin/sddm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: sddm,xdm_t,etc_t,file,write
To be sure, did you reboot since upgrading sddm ? (if not, please do... if you did, then nevermind) I have received the same SELinux alert after a reboot. Seeing this on fresh F21 install sddm-0.2.0-0.31.20140627gitf49c2c79.fc21.x86_64 Description of problem: Install sddm from dvratil/plasma-5 copr repo. Start with systemctl start sddm, get a blinking cursor on black tty. After a few seconds sddm shows. Disable SELINUX or set manual policy according to abrt solution fixes this. Also same behavior on Fedora 21 Alpha. Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.3-200.fc20.x86_64 type: libreport sddm-0.9.0-1.20141007git6a28c29b.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc21 sddm-0.9.0-1.20141007git6a28c29b.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc20 sddm-0.9.0-1.20141007git6a28c29b.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc19 Package sddm-0.9.0-1.20141007git6a28c29b.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing sddm-0.9.0-1.20141007git6a28c29b.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-12308/sddm-0.9.0-1.20141007git6a28c29b.fc20 then log in and leave karma (feedback). sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. sddm-0.9.0-2.20141007git6a28c29b.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Just starting sddm: systemctl enable --force sddm.service systemctl start sddm.service SELinux is preventing /usr/bin/sddm from 'write' accesses on the file . ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow sddm to have write access on the file Then necesita modificar la etiqueta en $FIX_TARGET_PATH Do # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' donde FILE_TYPE es uno de los siguientes: afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, user_tmpfs_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmp_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. Luego ejecute: restorecon -v '$FIX_TARGET_PATH' ***** Plugin catchall (17.1 confidence) suggests ************************** If cree que de manera predeterminada, sddm debería permitir acceso write sobre file. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do permita el acceso momentáneamente executando: # grep sddm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:etc_t:s0 Target Objects [ file ] Source sddm Source Path /usr/bin/sddm Port <Unknown> Host (removed) Source RPM Packages sddm-0.2.0-0.16.20130914git50ca5b20.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-171.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.0-1.fc20.x86_64 #1 SMP Tue Jun 17 21:48:04 CEST 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-06-28 14:38:22 CEST Last Seen 2014-06-28 14:38:22 CEST Local ID ed6cc9d8-ee0f-4517-be1e-872468db10d0 Raw Audit Messages type=AVC msg=audit(1403959102.403:589): avc: denied { write } for pid=3020 comm="sddm" name="sddm.conf" dev="sda2" ino=5050368 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1403959102.403:589): arch=x86_64 syscall=open success=no exit=EACCES a0=7f8de526de28 a1=80042 a2=1b6 a3=4 items=0 ppid=1 pid=3020 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=sddm exe=/usr/bin/sddm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: sddm,xdm_t,etc_t,file,write Additional info: reporter: libreport-2.2.2 hashmarkername: setroubleshoot kernel: 3.15.0-1.fc20.x86_64 type: libreport