Bug 1615117

Summary: After last selinux package update, gdm wasn't able to start properly
Product: [Fedora] Fedora Reporter: David Hill <dhill>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 29CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-01 22:37:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit logs
none
update history none

Description David Hill 2018-08-12 12:27:11 UTC 
Description of problem:
After last selinux package update, gdm wasn't able to start properly.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 David Hill 2018-08-12 12:28:57 UTC 
Created attachment 1475354 [details]
audit logs
Comment 2 David Hill 2018-08-12 12:31:59 UTC 
Setting selinux in permissive permitted me to start gdm back again.   Perhaps we should always relabel when updating the selinux packages ?   I have lots of log entries such as:

type=USER_START msg=audit(1534076475.048:853): pid=3554 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask acct="gdm" exe="/usr/libexec/gdm-session-worker" hostname=knox.orion addr=? terminal=/dev/tty1 res=success'UID="root" AUID="unset"
type=AVC msg=audit(1534076487.615:877): avc:  denied  { read } for  pid=3898 comm="gdm-session-wor" name="config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1534076487.615:878): avc:  denied  { open } for  pid=3898 comm="gdm-session-wor" path="/etc/selinux/config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1534076487.615:879): avc:  denied  { getattr } for  pid=3898 comm="gdm-session-wor" path="/etc/selinux/config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I've attached the audit.log and dnf.rpm.log ...
Comment 3 David Hill 2018-08-12 12:32:33 UTC 
Created attachment 1475355 [details]
update history
Comment 4 Jan Kurik 2018-08-14 10:25:16 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.
Comment 5 Lukas Vrabec 2018-09-01 22:37:57 UTC 
Hi, 

Your system looks mislabeled. Please run:
# restorecon -Rv / 

To fix your issue. 

THanks,
Lukas.