Bug 2390023

Summary: SELinux blocks GDM from GNOME 49 Beta [this is the 'update GNOME in Fedora 43 Beta' FE bug]
Product: [Fedora] Fedora
Reporter: Kamil Páral <kparal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: high
Version: 43
CC: awilliam, christopher, decathorpe, dwalsh, lruzicka, lvrabec, mcatanza, mmalik, omosnacek, pbrobinson, petersen, pkoncity, robatino, tpopela, vmojzis, zpytela
Target Milestone: ---
Flags: zpytela: mirror+
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: selinux-policy-42.8-1.fc43
Doc Type: ---
Last Closed: 2025-09-12 04:29:43 UTC
Type: Bug
Bug Blocks: 2324224    

Description Kamil Páral 2025-08-21 06:28:16 UTC
Description of problem:
This GNOME 49 Beta update is blocked by SELinux, GDM doesn't start:
https://bodhi.fedoraproject.org/updates/FEDORA-2025-2dde5b6cbc

According to users, it works in permissive mode. The SELinux error is:

Aug 18 16:49:46 fedora audit[3213]: AVC avc: denied { connectto } for pid=3213 comm="systemd-userwor" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Aug 18 16:49:46 fedora audit[3308]: AVC avc: denied { connectto } for pid=3308 comm="(systemd)" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Aug 18 16:49:46 fedora audit[3302]: AVC avc: denied { connectto } for pid=3302 comm="systemd-userwor" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1



Version-Release number of selected component (if applicable):
selinux-policy-42.5-1.fc43

How reproducible:
always

Steps to Reproduce:
1. install F43 Workstation from https://download.fedoraproject.org/pub/fedora/linux/development/43/Workstation/x86_64/iso/
2. install the Bodhi update:
$ bodhi updates download --updateid FEDORA-2025-2dde5b6cbc
$ sudo dnf update *.rpm
3. reboot, gdm doesn't start

Comment 2 Kamil Páral 2025-08-21 06:30:07 UTC
GNOME 49 is an important part of Fedora 43, so if this could be handled with priority, that would be amazing. Thank you very much.

Comment 3 Fedora Blocker Bugs Application 2025-08-28 19:03:57 UTC
Proposed as a Blocker for 43-beta by Fedora user naheemsays using the blocker tracking app because:

 The gnome stack is important to have up to date and not having this fixed will prevent GDM/mutter/Gnome-shell being their latest versions at the time of beta release.

Comment 4 Adam Williamson 2025-09-01 15:35:57 UTC
-4 (+1 / -5) in https://pagure.io/fedora-qa/blocker-review/issue/1889 , marking rejected blocker. Proposing as an FE, as there's some discussion of an FE there.

Comment 5 Lukas Ruzicka 2025-09-01 17:39:02 UTC
Discussed at the 2025-09-01 (blocker / freeze exception) review meeting:

Accepted in principle to update to 49 Beta/49 RC if the SELinux "logjam" can be resolved or worked around, and the update is available for testing within the next 4–5 days; beyond that, it would be risky to land a major update without delaying the release or to remain on 49 Alpha.

https://meetbot-raw.fedoraproject.org//blocker-review_matrix_fedoraproject-org/2025-09-01/f43-blocker-review.2025-09-01-16.00.txt

Comment 6 Michael Catanzaro 2025-09-02 13:10:56 UTC
In practice, this is *transitively* a beta blocker due to bug #2390900 and bug #2392391, which are beta blockers that are themselves blocked on this.

Comment 7 Adam Williamson 2025-09-04 06:27:04 UTC
I mean, not necessarily. The way this is supposed to work is that blockers should be fixed with the minimal possible targeted fix. I'm testing a targeted backport for 2390900 ATM.

Comment 8 Zdenek Pytela 2025-09-04 14:38:26 UTC
The last version seems to be fine, so moving further.

Comment 9 Fedora Update System 2025-09-09 18:26:29 UTC
FEDORA-2025-7e109c4976 (adwaita-icon-theme-49~rc-1.fc43, at-spi2-core-2.57.2-1.fc43, and 78 more) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-7e109c4976

Comment 10 Fedora Update System 2025-09-10 01:36:33 UTC
FEDORA-2025-7e109c4976 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7e109c4976`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7e109c4976

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Lukas Ruzicka 2025-09-10 11:41:54 UTC
I have not seen any problems with GDM and the above update applied.

Comment 12 Fedora Update System 2025-09-11 02:21:53 UTC
FEDORA-2025-7e109c4976 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7e109c4976`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7e109c4976

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2025-09-12 04:29:43 UTC
FEDORA-2025-7e109c4976 (adwaita-icon-theme-49~rc-1.fc43, at-spi2-core-2.57.2-1.fc43, and 89 more) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make a note of it in this bug report.