Bug 1291085
| Summary: | SELinux prevents sddm from starting a plasma-wayland session | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Johannes Pfrang <johannespfrang> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | high | |||
| Version: | 23 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-158.fc23 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1294060 (view as bug list) | Environment: | ||
| Last Closed: | 2015-12-22 22:03:41 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
commit db7036d49b628edbcec58930d576a6e8ad822bfc
Author: Lukas Vrabec <lvrabec>
Date: Thu Dec 10 13:22:11 2015 +0100
Label ssdm binaries storedin /etc/sddm/ as bin_t. BZ(1291085)
selinux-policy-3.13.1-158.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update selinux-policy' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac The first two entries in the syslog are still showing up. No create access to .wayland-errors is granted. Details:
SELinux is preventing sddm-helper from create access on the file .wayland-errors.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sddm-helper should be allowed create access on the .wayland-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:user_home_t:s0
Target Objects .wayland-errors [ file ]
Source sddm-helper
Source Path sddm-helper
Port <Unknown>
Host johnp-pc
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name johnp-pc
Platform Linux johnp-pc 4.2.7-300.fc23.x86_64 #1 SMP Wed
Dec 9 22:28:30 UTC 2015 x86_64 x86_64
Alert Count 4
First Seen 2015-11-21 21:35:43 CET
Last Seen 2015-12-18 20:08:56 CET
Local ID 2e70ea4e-dfe3-4d21-ad9a-16ce8fddbda9
Raw Audit Messages
type=AVC msg=audit(1450465736.506:499): avc: denied { create } for pid=1752 comm="sddm-helper" name=".wayland-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
Hash: sddm-helper,xdm_t,user_home_t,file,create
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 1294060 has been marked as a duplicate of this bug. *** |
Description of problem: Not possible to start a plasma-wayland session from sddm. Likely because of SELinux. Version-Release number of selected component (if applicable): 3.13.1-157.fc23 Steps to Reproduce: 1. Install plasma-workspace-wayland 2. Reboot 3. Select Plasma Wayland (Wayland) from sddm menu 4. Login Actual results: Black screen, then dropped back to sddm Expected results: Entering a plasma-wayland session Additional Info (from syslog): Dez 13 12:25:57 johnp-pc setroubleshoot[1983]: SELinux is preventing sddm-helper from create access on the file .wayland-errors. For complete SELinux messages. run sealert -l 2e70ea4e-dfe3-4d21-ad9a-16ce8fddbda9 Dez 13 12:25:57 johnp-pc python3[1983]: SELinux is preventing sddm-helper from create access on the file .wayland-errors. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sddm-helper should be allowed create access on the .wayland-errors file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Dez 13 12:25:57 johnp-pc setroubleshoot[1983]: SELinux is preventing sddm-helper from entrypoint access on the file /etc/sddm/wayland-session. For complete SELinux messages. run sealert -l 4c899f1b-84ad-4624-9781-a8cf7be23ee4 Dez 13 12:25:57 johnp-pc python3[1983]: SELinux is preventing sddm-helper from entrypoint access on the file /etc/sddm/wayland-session. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow sddm-helper to have entrypoint access on the wayland-session file Then you need to change the label on /etc/sddm/wayland-session Do # semanage fcontext -a -t FILE_TYPE '/etc/sddm/wayland-session' where FILE_TYPE is one of the following: bin_t, gkeyringd_exec_t, mount_ecryptfs_exec_t, mount_exec_t, mozilla_exec_t, shell_exec_t, telepathy_gabble_exec_t, telepathy_idle_exec_t, telepathy_logger_exec_t, telepathy_mission_control_exec_t, telepathy_msn_exec_t, telepathy_salut_exec_t, telepathy_sofiasip_exec_t, telepathy_stream_engine_exec_t, telepathy_sunshine_exec_t, unconfined_exec_t, user_cron_spool_t, user_home_t, usr_t, xsession_exec_t. Then execute: restorecon -v '/etc/sddm/wayland-session' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that sddm-helper should be allowed entrypoint access on the wayland-session file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp