Bug 2224162
| Summary: | selinux denial prevents logging in | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Peeler <jpeeler+redhat> |
| Component: | tuigreet | Assignee: | Aleksei Bavshin <alebastr89> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 38 | CC: | alebastr89, rust-sig |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| URL: | https://lists.sr.ht/~kennylevinsen/greetd-devel/%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA%40mail.gmail.com%3E#%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA@mail.gmail.com%3E | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-28 02:43:45 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I see the URL field is not shown - https://lists.sr.ht/~kennylevinsen/greetd-devel/%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA%40mail.gmail.com%3E#%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA@mail.gmail.com%3E

> scontext=system_u:system_r:unconfined_service_t:s0

That doesn't look right. `/usr/bin/greetd` should be labeled as `system_u:object_r:xdm_exec_t:s0` and transition to `system_u:system_r:xdm_t:s0-*` on start.
Can you check if you have `greetd-selinux` installed and there's no unlabeled greetd binary in /usr/local/bin?
$ ls -lZ /usr/bin/greetd
-rwxr-xr-x. 3 root root system_u:object_r:bin_t:s0 839488 Dec 31 1969 /usr/bin/greetd*
$ rpm -q greetd-selinux
greetd-selinux-0.9.0-4.fc38.noarch

There are no other greetd binaries. I can try reinstalling greetd if you'd like, but how do I undo the policy changes that were recommended above? Also, I'm sorry that I failed to mention that this is on Silverblue.

$ rpm -ql greetd-selinux
/usr/share/selinux/packages/targeted/greetd.pp.bz2
/var/lib/selinux/targeted/active/modules/200/greetd

I noticed that the second file isn't on the filesystem. But when I installed it inside a toolbox container it is present as expected.

On a clean Sericea VM:
$ rpm-ostree install greetd tuigreet
$ systemctl reboot
<...>
$ rpm-ostree status
...
LayeredPackages: greetd tuigreet
$ ls -Z /usr/bin/greetd
system_u:object_r:xdm_exec_t:s0 /usr/bin/greetd
# semodule -lfull |grep greetd
200 greetd pp
# semodule -lstandard |grep greetd
greetd
# semanage fcontext -l |grep greetd
/etc/greetd(/.*)? all files system_u:object_r:xdm_etc_t:s0
/usr/bin/greetd regular file system_u:object_r:xdm_exec_t:s0
/var/lib/greetd(/.*)? all files system_u:object_r:xdm_var_lib_t:s0
/var/run/greetd[^/]*\.sock socket system_u:object_r:xdm_var_run_t:s0
/var/run/greetd\.run regular file system_u:object_r:xdm_var_run_t:s0
I'm pretty sure this worked on Silverblue as well. Have no idea what went wrong on your system.
Do you see the same output from the semodule/semanage commands above? Is there anything in the journal mentioning SELinux module errors?
> how do I undo the policy changes that were recommended above?
semodule -r greetd-pol
Apologies, I'm closing this. I'm running my own Ublue image and recognize now that there are all kinds of things that can go wrong in doing so. https://github.com/ublue-os/main/issues/223
I originally reported this upstream as I didn't even consider SELinux initially. The denials I was getting were:

type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } for pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

echo 'type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } for pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0' | audit2allow -M greetd-pol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i greetd-pol.pp

---

After making the above policy change everything works.

Reproducible: Always

Steps to Reproduce:
1. Attempt to log in (on silverblue)

Actual Results:
Logging in is not possible

Expected Results:
Logging in succeeds

See the URL for some additional, but maybe unnecessary context.
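A small checker, added here as an example and not part of this bug report or of the greetd project, that ties the two pieces of evidence in the thread together: it compares an `ls -Z` line for `/usr/bin/greetd` against the greetd file contexts listed by `semanage fcontext -l` in Aleksei's comment, and parses the AVC record from the description to see which domain greetd actually ran in. A binary labeled `bin_t` instead of `xdm_exec_t` never transitions to `xdm_t`, so the service stays in `unconfined_service_t` and the resulting denial is a labeling symptom, which an `audit2allow` module would paper over by widening policy. The sample inputs are copied from this report; the expected domain `xdm_t` is taken from the comment above; `matchpathcon` and `restorecon` are standard libselinux tools; the `diagnose` helper and its wording are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Expected greetd file contexts, transcribed from the `semanage fcontext -l`
# output in this bug report: regex -> SELinux type.
EXPECTED_FCONTEXT = {
    r"/etc/greetd(/.*)?": "xdm_etc_t",
    r"/usr/bin/greetd": "xdm_exec_t",
    r"/var/lib/greetd(/.*)?": "xdm_var_lib_t",
    r"/var/run/greetd[^/]*\.sock": "xdm_var_run_t",
    r"/var/run/greetd\.run": "xdm_var_run_t",
}

# Domain greetd should run in once the exec transition works (per the thread).
EXPECTED_DOMAIN = "xdm_t"

# Sample inputs copied from this bug report.
SAMPLE_LS_Z = ("-rwxr-xr-x. 3 root root system_u:object_r:bin_t:s0 839488 "
               "Dec 31 1969 /usr/bin/greetd*")
SAMPLE_AVC = ('type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } '
              'for pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 '
              'scontext=system_u:system_r:unconfined_service_t:s0 '
              'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CTX_RE = re.compile(r"\S+:object_r:\S+")


@dataclass
class AvcDenial:
    perms: List[str]
    comm: str
    path: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type:range context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit AVC record; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(
        perms=m.group("perms").split(),
        comm=kv.get("comm", ""),
        path=kv.get("path"),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        permissive=kv.get("permissive") == "1",
    )


def parse_ls_z(line: str):
    """Extract (context, path) from `ls -Z` or `ls -lZ` output."""
    ctx = CTX_RE.search(line).group(0)
    path = line.split()[-1].rstrip("*")  # drop the ls -F executable marker
    return ctx, path


def expected_type(path: str) -> Optional[str]:
    """Look the path up in the greetd fcontext table."""
    for pattern, stype in EXPECTED_FCONTEXT.items():
        if re.fullmatch(pattern, path):
            return stype
    return None


def diagnose(ls_z_line: str, audit_lines) -> List[str]:
    """Report label mismatches and greetd denials raised from the wrong domain."""
    findings = []
    ctx, path = parse_ls_z(ls_z_line)
    observed, expected = selinux_type(ctx), expected_type(path)
    if expected and observed != expected:
        findings.append(f"mislabeled: {path} is {observed}, policy expects {expected} "
                        f"(compare `matchpathcon {path}`, relabel with `restorecon -v {path}`)")
    for line in audit_lines:
        avc = parse_avc(line)
        if avc is None or avc.comm != "greetd":
            continue
        sdom = selinux_type(avc.scontext)
        if sdom != EXPECTED_DOMAIN:
            findings.append(f"greetd ran as {sdom}, not {EXPECTED_DOMAIN}: the exec transition "
                            f"never happened, so the denied {{{' '.join(avc.perms)}}} on "
                            f"{avc.tclass} is a labeling symptom, not a missing allow rule")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LS_Z, [SAMPLE_AVC]):
        print(finding)
```

Run against the report's own output it prints two findings, the `bin_t` label and the `unconfined_service_t` source domain; against the clean Sericea VM line (`system_u:object_r:xdm_exec_t:s0 /usr/bin/greetd`) and an empty audit log it prints nothing.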