Bug 1299402
| Summary: | SELinux is preventing gdm-x-session & gnome-shell from working when Nvidia is installed | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Moez Roy <moez.roy> |
| Component: | gnome-shell | Assignee: | Owen Taylor <otaylor> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 24 | CC: | akofink, andy, atomic.quark, dominick.grift, dwalsh, fmuellner, froilens, gary.tierney, iamroot, igeorgex, knutjbj, ljn917, lvrabec, martinojones_2009, matthew.hirsch, mgrepl, moez.roy, otaylor, philip, plautrba, rcvanvo, secondary |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:627034e1022f26a29b610bf716bae441a2df63738ac225efafaeeccddb5494f1; | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-08 12:40:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, Could you try this? ***** Plugin allow_execmod (91.4 confidence) suggests ********************* If you want to allow gdm-x-session to have execmod access on the libGLdispatch.so.0 file Then you need to change the label on '/usr/lib64/libGLdispatch.so.0' Do # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0' # restorecon -v '/usr/lib64/libGLdispatch.so.0' (In reply to Lukas Vrabec from comment #1) > Hi, > Could you try this? > ***** Plugin allow_execmod (91.4 confidence) suggests > ********************* > > If you want to allow gdm-x-session to have execmod access on the > libGLdispatch.so.0 file > Then you need to change the label on '/usr/lib64/libGLdispatch.so.0' > Do > # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0' > # restorecon -v '/usr/lib64/libGLdispatch.so.0' Yes I tried that but it was saying something like Type Error or Value error was same as /usr/lib and /usr/lib64. I went ahead and installed this rule: require { type xdm_t; type lib_t; class file execmod; } #============= xdm_t ============== allow xdm_t lib_t:file execmod; I also had to create more rules in addition to the above rule:
require {
type xdm_t;
type xdm_var_lib_t;
type xserver_t;
class file execute;
class unix_dgram_socket sendto;
}
#============= xdm_t ==============
allow xdm_t xdm_var_lib_t:file execute;
allow xdm_t xserver_t:unix_dgram_socket sendto;
(In reply to Moez Roy from comment #3) > I also had to create more rules in addition to the above rule: > > require { > type xdm_t; > type xdm_var_lib_t; > type xserver_t; > class file execute; > class unix_dgram_socket sendto; > } > > #============= xdm_t ============== > allow xdm_t xdm_var_lib_t:file execute; > allow xdm_t xserver_t:unix_dgram_socket sendto; Could you attach raw AVC msgs for these rules? Thank you. *** Bug 1299403 has been marked as a duplicate of this bug. *** (In reply to Miroslav Grepl from comment #4) > (In reply to Moez Roy from comment #3) > > I also had to create more rules in addition to the above rule: > > > > require { > > type xdm_t; > > type xdm_var_lib_t; > > type xserver_t; > > class file execute; > > class unix_dgram_socket sendto; > > } > > > > #============= xdm_t ============== > > allow xdm_t xdm_var_lib_t:file execute; > > allow xdm_t xserver_t:unix_dgram_socket sendto; > > Could you attach raw AVC msgs for these rules? > > Thank you. This is copied from the bug 1299403 which I now marked as duplicate of this: Raw Audit Messages type=AVC msg=audit(1453110250.939:12437): avc: denied { execute } for pid=23990 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2E676C766E646E4C6E7A7778202864656C6574656429 dev="dm-1" ino=391240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1 Let me know if this info is enough? Or if you want me to delete my custom modules and re-create the AVC's? Thanks. Any idea what is executed? Could you run it using ausearch -m avc -i (In reply to Miroslav Grepl from comment #7) > Any idea what is executed? > > Could you run it using > > ausearch -m avc -i ---- type=AVC msg=audit(02/02/2016 09:40:31.973:3354) : avc: denied { execmod } for pid=11219 comm=gdm-x-session path=/usr/lib64/libGLdispatch.so.0 dev="dm-1" ino=189851 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0 ---- type=AVC msg=audit(02/02/2016 09:42:08.381:3420) : avc: denied { execute } for pid=11421 comm=gnome-shell path=/var/lib/gdm/.glvnd7mSjOX (deleted) dev="dm-1" ino=95240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 ---- type=AVC msg=audit(02/02/2016 09:42:10.041:3434) : avc: denied { sendto } for pid=11421 comm=gnome-shell path=nvidia6519e07b scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 You assigned this to gnome-shell component? Also any thoughts or comments regarding the above ausearch results? It looks like it is creating a tmp file in /var/lib/gdm/.randomName and trying to execute it. I have just received what looks like the same as in this issue:- but more akin to the issue marked as a duplicate of this one, ie in bug 1299403 Pasting here as the "on the file" reference is the same as in that duplicate bug. May 21 13:46:02 phil.lan setroubleshoot[1528]: SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F676 46D2F233231323934323430202864656C6574656429. For complete SELinux messages. run sealert -l 1ebf1679-31f9-4d20-9551-dc1aa8dd514a May 21 13:46:02 phil.lan python3[1528]: SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F23 3231323934323430202864656C6574656429. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F6764 6D2F233231323934323430202864656C6574656429 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell # semodule -X 300 -i my-gnomeshell.pp This was directly after a reboot with updates applied. ausearch -m avc -i in my case gave: ---- type=AVC msg=audit(21/05/16 13:43:20.320:406) : avc: denied { getattr } for pid=925 comm=systemd-logind path=/dev/shm/lldpad.state dev="tmpfs" ino=206 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 ---- type=AVC msg=audit(21/05/16 13:45:58.252:304) : avc: denied { execute } for pid=1507 comm=gnome-shell path=/var/lib/gdm/#21294240 (deleted) dev="dm-0" ino=21294240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 however there are previous instances of the second error involving xdm_var_lib_t: ---- type=AVC msg=audit(18/05/16 13:00:19.979:303) : avc: denied { execute } for pid=1561 comm=gnome-shell path=/var/lib/gdm/#21265757 (deleted) dev="dm-0" ino=21265757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 So only the error involving path=/dev/shm/lldpad.state is new. I'm happy to provide any additional info if it is required and apologies if this post is not related. I'm initially going on the long reference in the log entry copied above. Issue with lldpad.state is solved by systemd. I believe we should allow xdm_t to execute xdm_var_lib_t files. Hey guys, experiencing the same issue let me know if you need any additional information:
SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:xdm_var_lib_t:s0
Target Objects 2F7661722F6C69622F67646D2F233131383134363820286465
6C6574656429 [ file ]
Source gnome-shell
Source Path gnome-shell
Port <Unknown>
Host coercion
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-191.8.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name coercion
Platform Linux coercion 4.6.6-300.fc24.x86_64 #1 SMP Wed
Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count 24
First Seen 2016-07-31 21:46:05 EDT
Last Seen 2016-08-11 21:45:44 EDT
Local ID f869b660-1379-460c-90f7-3dfc9c2b6958
Raw Audit Messages
type=AVC msg=audit(1470966344.57:293): avc: denied { execute } for pid=3032 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 dev="dm-0" ino=1181468 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
Hash: gnome-shell,xdm_t,xdm_var_lib_t,file,execute
It work on my system. (In reply to Knut J BJuland from comment #13) > It work on my system. What does it mean? You no longer see AVC above? I mean that I am able to load GDM with nvidia driver without any crash. When I issue ausearch -c 'gnome-shell' --raw I do not get the AVC see above. I still get the message "SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429" with Fedora 24 and nvidia drivers. There is no crash just the SELinux message. This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. I'm also seeing this on Fedora 24 with the nvidia drivers. Please change version info for this bug to keep it alive. folks,
Do you know whats going on? gnome-shell trying to execute something labeled as xdm_var_lib_t:
type=AVC msg=audit(1470966344.57:293): avc: denied { execute } for pid=3032 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 dev="dm-0" ino=1181468 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
Also on F25.
Dec 04 02:57:15 audit[1090]: AVC avc: denied { execute } for pid=1090 comm="gnome-shell" path=2F7661722F6C69622F67646D2F23353437373535202864656C6574656429 dev="sda3" ino=547755 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0
where "2F7661722F6C69622F67646D2F23353437373535202864656C6574656429" is hex-encoded "/var/lib/gdm/#547755 (deleted)"
Does gnome produce any logs related to the denied execute in /var/lib/gdm/%fname%? Taking a cursory look at the gnome-shell source code, the only exec syscall I can find is here: https://github.com/GNOME/gnome-shell/blob/master/src/shell-global.c#L1340 I'm getting the exact same error message like above (2F7661722F6C69622F67646D2F23353437373535202864656C6574656429), but I don't have an NVidia Card. /var/lib/gdm/ is empty. Also getting the same with a Geforce GT 630m
SELinux is preventing gnome-shell from 'execute' accesses on the file 2F7661722F6C69622F67646D2F23313335323936202864656C6574656429.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F67646D2F23313335323936202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:xdm_var_lib_t:s0
Target Objects 2F7661722F6C69622F67646D2F23313335323936202864656C
6574656429 [ file ]
Source gnome-shell
Source Path gnome-shell
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.8.11-300.fc25.x86_64 #1 SMP Mon
Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count 3
First Seen 2017-04-08 14:33:12 CEST
Last Seen 2017-04-08 14:39:22 CEST
Local ID 7eb34b14-0d66-43c8-bd1e-984fe7e88a70
Raw Audit Messages
type=AVC msg=audit(1491655162.99:210): avc: denied { execute } for pid=1334 comm="gnome-shell" path=2F7661722F6C69622F67646D2F23313335323936202864656C6574656429 dev="dm-0" ino=135296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0
Hash: gnome-shell,xdm_t,xdm_var_lib_t,file,execute
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: Happens with latest Nvidia beta. Had to switch to permissive mode to get gdm to start. SELinux is preventing gdm-x-session from 'execmod' accesses on the file /usr/lib64/libGLdispatch.so.0. ***** Plugin allow_execmod (91.4 confidence) suggests ********************* If you want to allow gdm-x-session to have execmod access on the libGLdispatch.so.0 file Then you need to change the label on '/usr/lib64/libGLdispatch.so.0' Do # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0' # restorecon -v '/usr/lib64/libGLdispatch.so.0' ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that gdm-x-session should be allowed execmod access on the libGLdispatch.so.0 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gdm-x-session /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:lib_t:s0 Target Objects /usr/lib64/libGLdispatch.so.0 [ file ] Source gdm-x-session Source Path gdm-x-session Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.3.3-300.fc23.x86_64 #1 SMP Tue Jan 5 23:31:01 UTC 2016 x86_64 x86_64 Alert Count 507 First Seen 2016-01-18 01:42:47 PST Last Seen 2016-01-18 01:44:09 PST Local ID 2bc267b9-487a-4ccf-b1e6-0857a75c4a23 Raw Audit Messages type=AVC msg=audit(1453110249.329:12436): avc: denied { execmod } for pid=23928 comm="gdm-x-session" path="/usr/lib64/libGLdispatch.so.0" dev="dm-1" ino=391029 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Hash: gdm-x-session,xdm_t,lib_t,file,execmod Version-Release number of selected component: selinux-policy-3.13.1-158.fc23.noarch Additional info: reporter: libreport-2.6.3 hashmarkername: setroubleshoot kernel: 4.3.3-300.fc23.x86_64 type: libreport