Bug 1268994

Summary: Gnome not starting when noexec set on /tmp
Product: Red Hat Enterprise Linux 7
Reporter: Joe Wright <jwright>
Component: gnome-shell
Assignee: Florian Müllner <fmuellner>
Status: CLOSED WONTFIX
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.1
CC: cww, lmiksik, tpelka
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-17 20:15:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Joe Wright 2015-10-05 20:51:13 UTC
Description of problem:
- when 'noexec' is passed to the mount point of /tmp and selinux is in enforcing mode, you cannot start the GUI. Setting permissive or removing 'noexec' fixes it
- This issue was previously identified in BZ 1153799 (Fixed by ERRATA) yet persists on this system with patches applied.
- Unable to reproduce in house

Version-Release number of selected component (if applicable):


How reproducible:
- 100% by customer, not at all by us

Steps to Reproduce:
1. apply 'noexec' to /tmp mount point
2.
3.

Actual results:
gnome-session will not start

Expected results:
- gnome-session runs

Additional info:


[root@it011093-r7d klong]# sesearch -s xdm_t -t user_tmpfs_t -c file -p execute -A -C
Found 1 semantic av rules:
   allow xdm_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ; 

[root@it011093-r7d klong]# sesearch -s xdm_t -t user_tmp_t -c file -p execute -A -C
Found 1 semantic av rules:
   allow xdm_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;

As for all those commands, that isn't what I do.  This is a box that I'm CIS hardening and it has the following in its fstab file:

#
# /etc/fstab
# Created by anaconda on Wed Jun 10 22:33:46 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=25083f86-d9c2-4546-9f47-960e1c253374 /                       xfs     defaults        0 0
UUID=2c59c3ac-bc4f-44e7-834a-2ddfb6211822 /boot                   xfs     defaults        0 0
#UUID=52783b05-0509-4645-a07b-edaf6783ce7b /home                   xfs     defaults        0 0
/dev/vg_it003/home      /home   ext4    nodev,defaults  0 0
UUID=3688df7c-e95c-485b-a0c9-aa5b7ec572b4 swap                    swap    defaults        0 0
/dev/mapper/vg_main-var                 /var            xfs     defaults        1 2
/dev/mapper/vg_main-var_log             /var/log        xfs     defaults,nodev  1 2
/dev/mapper/vg_main-var_log_audit       /var/log/audit  xfs     defaults,nodev  1 2
#
#tmpfs   /tmp            tmpfs   nodev,nosuid,noexec,defaults    0 0
tmpfs   /tmp            tmpfs   nodev,nosuid,defaults   0 0
/tmp    /var/tmp        none    bind    0 0
tmpfs   /dev/shm        tmpfs   nodev,nosuid,noexec,defaults    0 0

The "/tmp" line that is commented out is the one that breaks - the one below it is what I have to use for the GUI to work when I boot up.

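The fstab above is the whole of the customer's evidence, so it helps to have a repeatable way of reading one. What follows is an added example, not part of the bug report and not Red Hat's code: a small POSIX sh audit that parses an fstab and reports which of the CIS-style flags (nodev, nosuid, noexec) are in effect for /tmp, /var/tmp and /dev/shm. The sample fstab is constructed (the UUID is a placeholder) and modelled on the entries quoted above, including the commented-out /tmp line; the bind-mount handling assumes the standard Linux behaviour that a bind mount starts with the flags of its source mount, since the bind entry's own options column says only "bind".

```shell
#!/bin/sh
# Added example (not from the bug report): parse an fstab and report which
# hardening flags (nodev, nosuid, noexec) apply to /tmp, /var/tmp and
# /dev/shm, following a bind mount back to its source mount.

# Constructed sample fstab modelled on the entries quoted in the report.
# The commented-out /tmp line is the hardened one that broke gnome-session;
# the active one is the working variant. The UUID is a placeholder.
SAMPLE_FSTAB="$(mktemp)"
cat > "$SAMPLE_FSTAB" <<'EOF'
#
# /etc/fstab (constructed sample)
#
UUID=00000000-0000-0000-0000-000000000000 /     xfs   defaults 0 0
#tmpfs   /tmp       tmpfs  nodev,nosuid,noexec,defaults  0 0
tmpfs    /tmp       tmpfs  nodev,nosuid,defaults         0 0
/tmp     /var/tmp   none   bind                          0 0
tmpfs    /dev/shm   tmpfs  nodev,nosuid,noexec,defaults  0 0
EOF

# mount_options FSTAB MOUNTPOINT
# Print the options column of the active (uncommented) entry for MOUNTPOINT.
mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# bind_source FSTAB MOUNTPOINT
# Print the source path if MOUNTPOINT is a bind mount, otherwise nothing.
bind_source() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)bind(,|$)/ { print $1 }' "$1"
}

# effective_options FSTAB MOUNTPOINT
# A bind entry's options column only says "bind"; the nodev/nosuid/noexec
# flags it receives at mount time are those of the source mount (assumed
# standard Linux behaviour), so report the source's options for it.
effective_options() {
    src="$(bind_source "$1" "$2")"
    if [ -n "$src" ]; then
        mount_options "$1" "$src"
    else
        mount_options "$1" "$2"
    fi
}

# has_option FSTAB MOUNTPOINT OPTION  -> exit 0 if OPTION is in effect
has_option() {
    effective_options "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# audit_tmp_dirs FSTAB
# One line per mount point stating which of the three flags are in effect.
audit_tmp_dirs() {
    for mp in /tmp /var/tmp /dev/shm; do
        line="$mp:"
        for opt in nodev nosuid noexec; do
            if has_option "$1" "$mp" "$opt"; then
                line="$line $opt=yes"
            else
                line="$line $opt=no"
            fi
        done
        echo "$line"
    done
}

# Run against the constructed sample; point it at /etc/fstab on a real host.
audit_tmp_dirs "$SAMPLE_FSTAB"
```

Against the sample the report shows /tmp and /var/tmp with noexec=no and /dev/shm with noexec=yes, which is exactly the trade-off the customer is describing: the commented-out line would make /tmp (and, through the bind, /var/tmp) noexec, and that is the configuration under which gnome-session fails with SELinux enforcing. Checking the bind mount through its source matters because a naive grep of the /var/tmp line alone would report no flags at all.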
Comment 1 Tomas Pelka 2015-10-06 08:42:20 UTC
Joe, is this ARM specific, as there is a RHELSA flag?

Does the customer have access to 7.2? If yes can they try with 7.2?

Thanks
-Tom