Bug 1637358

Summary: SELinux is preventing gdm-wayland-session from starting
Product: [Fedora] Fedora
Reporter: Matej Marušák <mmarusak>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: dwalsh, lvrabec, mgrepl, mmarusak, plautrba
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-41.fc29
Last Closed: 2018-11-07 02:41:43 UTC
Type: Bug

Description Matej Marušák 2018-10-09 06:52:38 UTC
Description of problem:

The new selinux-policy is preventing gdm from starting. After picking a user on the login screen and typing the password, I can see the background for a few seconds and then I am redirected back to the screen with users.

In the journal I can see the following denials:

Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0


A simple workaround is switching to tty2, disabling SELinux, and switching back to the GUI; then, after I select a user and type the password, I am not kicked back to the user selection. Also, downgrading selinux-policy (to selinux-policy-3.14.2-34) works.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-36

How reproducible:
Update selinux-policy on F29 to version selinux-policy-3.14.2-36. Reproducible each time.
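
The denials quoted in the description above are logged by systemd itself (tclass=system), not by the kernel audit subsystem, and most of them are repeats. As an added example that is not part of the original report or of the selinux-policy project, the following Python triage script parses such journal lines and collapses them into one entry per (source type, target type, class). The sample lines are copied from the report; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: three of the denial lines quoted in the report.
SAMPLE = """\
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_denial(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    return fields

def setype(context):
    # A context is user:role:type[:mls-range]; the range itself contains ':'.
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "cmds": set()})
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (setype(d["scontext"]), setype(d["tcontext"]), d["tclass"])
        g = groups[key]
        g["perms"].update(d["perms"])
        g["count"] += 1
        g["cmds"].add(d.get("cmdline", "?").split()[0])  # executable path only
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} x{g['count']}")
        for c in sorted(g["cmds"]):
            print("   ", c)
```
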

Comment 1 Lukas Vrabec 2018-10-15 10:10:02 UTC
Hi Matej, 

I installed the latest compose of Fedora 29 Workstation, updated selinux-policy to the latest build (https://koji.fedoraproject.org/koji/buildinfo?buildID=1153003)

and I have no problem logging in to the system when the system is in enforcing state. Could you please run:

# restorecon -Rv / 

and try to reproduce the scenario? 

Thanks,
Lukas.

Comment 2 Matej Marušák 2018-10-15 11:32:49 UTC
Hi,

I've updated to the newest selinux-policy.
$ rpm -q selinux-policy
selinux-policy-3.14.2-38.fc29.noarch

I've run 
# restorecon -Rv /
then turned my PC off, turned it on again, and the same problem occurs.

I am still able to reproduce it easily, so I can provide you with any logs or information about my system.

Comment 3 Lukas Vrabec 2018-10-22 13:40:42 UTC
commit 998f4c42a68d4934ffb6025d7403d995546a8c2e (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 22 15:37:45 2018 +0200

    Allow X display manager to check status and reload services which are part of x_domain attribute

Comment 4 Fedora Update System 2018-11-04 10:07:28 UTC
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 5 Fedora Update System 2018-11-05 04:19:46 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 6 Fedora Update System 2018-11-07 02:41:43 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.