Bug 1125129

Summary: SELinux is preventing sddm from 'write' accesses on the file /etc/sddm.conf.
Product: [Fedora] Fedora Reporter: Bruno Roberto Zanuzzo <brunorobertozanuzzo>
Component: sddmAssignee: Martin Bříza <mbriza>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: bitlord0xff, dominick.grift, dvratil, dwalsh, jgrulich, kevin, ltinkl, lvrabec, mbriza, mgrepl, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:998c0f988886d919e1817c6b1639a81e5814289c3a83f34f368bc5dcd0fc2459
Fixed In Version: sddm-0.9.0-2.20141007git6a28c29b.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-28 06:46:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Bruno Roberto Zanuzzo 2014-07-31 06:25:17 UTC
Description of problem:
SELinux is preventing sddm from 'write' accesses on the file /etc/sddm.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow sddm to have write access on the sddm.conf file
Then you need to change the label on /etc/sddm.conf
Do
# semanage fcontext -a -t FILE_TYPE '/etc/sddm.conf'
where FILE_TYPE is one of the following: abrt_var_cache_t, afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. 
Then execute: 
restorecon -v '/etc/sddm.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that sddm should be allowed write access on the sddm.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/sddm.conf [ file ]
Source                        sddm
Source Path                   sddm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           sddm-0.2.0-0.31.20140627gitf49c2c79.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-67.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-0.rc6.git2.1.fc21.x86_64 #1
                              SMP Fri Jul 25 14:16:23 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-07-29 14:49:15 BRT
Last Seen                     2014-07-30 14:29:30 BRT
Local ID                      887712bf-2745-43cd-8b56-2e275bb0b416

Raw Audit Messages
type=AVC msg=audit(1406741370.511:410): avc:  denied  { write } for  pid=833 comm="sddm" name="sddm.conf" dev="dm-0" ino=22414744 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: sddm,xdm_t,etc_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-67.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc6.git2.1.fc21.x86_64
type:           libreport

Potential duplicate: bug 1114192

Comment 1 Miroslav Grepl 2014-07-31 13:17:23 UTC
The same bug with the config file which we have for F20.

#1114192

Comment 2 Fedora Update System 2014-10-07 09:26:26 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc21

Comment 3 Fedora Update System 2014-10-07 09:27:29 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc20

Comment 4 Fedora Update System 2014-10-07 09:28:22 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc19

Comment 5 Fedora Update System 2014-10-08 18:57:51 UTC
Package sddm-0.9.0-1.20141007git6a28c29b.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sddm-0.9.0-1.20141007git6a28c29b.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12308/sddm-0.9.0-1.20141007git6a28c29b.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-10-28 06:46:32 UTC
sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-10-31 02:43:12 UTC
sddm-0.9.0-2.20141007git6a28c29b.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.