Bug 166761
| Summary: | GDM Login failure with SELinux enabled | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | James Laska <jlaska> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | jturner, rstrode, tjb |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-08-25 14:13:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Update to the latest policy and make sure /usr/sbin/gdm-binary has xdm_exec_t as a context. Tried ... $ fixfiles -R / restore and ... $ fixfiles relabel / also did not resolve the issue. # ls -Z /usr/sbin/gdm-binary -rwxr-xr-x root root system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary Updating to selinux-policy-targeted-1.25.4-8 does not appear to resolve the issue for me. I'm going to attempt a relabel on reboot and see how that fares ... I did a "fixfiles relabel" and it fixed it for me. (I had to restart gdm but it worked after that.) I've only got selinux-policy-targeted-1.25.4-5 currently installed. ps -eZ | grep gdm. The proper way to relabel is touch /.autorelabel reboot fixfiles -R / restore (Means find the RPM package / and restore all files owned by it) dwalsh: thanks for the tips, making an note for future reference here ;) $ touch /.autorelabel and a reboot did the trick I was also retesting by way of gdm inside of Xnest (not sure if the pids were getting any new contexts). Changing this issue to RESOLVED/RAWHIDE |
# RPMS gdm-2.8.0.2-2.i386 # libselinux-1.25.2-1.i386.rpm # selinux-policy-targeted-1.25.4-5.noarch.rpm Attempting to login to gdm with selinux targeted policy enabled fails. A dialog appears stating: "Cannot start the session due to some internal error." I am able to login without error if I disable selinux $(setenforce 0). When selinux is enabled and my logins are rejected, I observe the following selinux avc denial: ==> /var/log/messages <== Aug 25 08:55:29 flatline gdm(pam_unix)[5126]: session opened for user guest by (uid=0) Aug 25 08:55:29 flatline kernel: audit(1124974529.816:7): avc: denied { transition } for pid=5187 comm="gdm-binary" name="Xsession" dev=hda5 ino=1933254 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process Aug 25 08:55:29 flatline gdm[5187]: session_child_run: Could not exec /etc/X11/xdm/Xsession default Aug 25 08:55:42 flatline gdm(pam_unix)[5126]: session closed for user guest Aug 25 08:55:42 flatline kernel: agpgart: Found an AGP 2.0 compliant device at 0000:00:00.0. Aug 25 08:55:42 flatline kernel: agpgart: Putting AGP V2 device at 0000:00:00.0 into 1x mode Aug 25 08:55:42 flatline kernel: agpgart: Putting AGP V2 device at 0000:01:00.0 into 1x mode Using audit2allow I can see the following potentially resolve the issue: [root@flatline jlaska]# audit2allow Aug 25 08:55:29 flatline kernel: audit(1124974529.816:7): avc: denied { transition } for pid=5187 comm="gdm-binary" name="Xsession" dev=hda5 ino=1933254 scontext=system_u:system_r:init_t tcontext=user_u:system_r:unconfined_t tclass=process allow init_t unconfined_t:process transition;