Bug 983304
| Summary: | SELinux prevents login from GDM in current Rawhide | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> | ||||
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | awilliam, dwalsh, robatino | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-07-11 23:45:31 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 980649 | ||||||
| Attachments: |
|
||||||
Looks like you have a labeling issue, since gdm is running as kernel_t? I'm building my live image from a Rawhide host, with https://bugzilla.redhat.com/show_bug.cgi?id=965896 , SELinux in enforcing mode, with livecd-creator as I always do... Grr. "with selinux-policy-3.12.1-62.fc20.noarch" , that was meant to say. Ignore the bugzilla link. I would figure something is breaking within the livecd tools to not label content correctly. Are you seeing any AVC's on the host that you are building the livecd from? If you boot in permissive mode, how much is mislabeled? "Are you seeing any AVC's on the host that you are building the livecd from?" Doesn't look like it. The live image is dated 15:15; these are the only 'avc'-related journalctl entries from around that time: Jul 10 15:05:16 adam.localdomain dbus-daemon[586]: dbus[586]: avc: received setenforce notice (enforcing=0) Jul 10 15:05:16 adam.localdomain dbus[586]: avc: received setenforce notice (enforcing=0) Jul 10 15:05:16 adam.localdomain dbus[1654]: avc: received setenforce notice (enforcing=0) Jul 10 15:05:16 adam.localdomain dbus[1833]: avc: received setenforce notice (enforcing=0) Jul 10 15:15:45 adam.localdomain dbus[1833]: avc: received setenforce notice (enforcing=1) Jul 10 15:15:45 adam.localdomain dbus[1654]: avc: received setenforce notice (enforcing=1) Jul 10 15:15:45 adam.localdomain dbus[586]: avc: received setenforce notice (enforcing=1) Jul 10 15:15:45 adam.localdomain dbus-daemon[586]: dbus[586]: avc: received setenforce notice (enforcing=1) i.e. it got set to permissive then to enforcing; I think that's probably part of the live creation process, perhaps within the live env rather than the host system? But no actual denials, at any rate. "If you boot in permissive mode, how much is mislabeled?" Attaching output from restorecon -nvr / . Created attachment 771896 [details]
output of restorecon -nvr within the live environment
Ah. During live compose, I do see these errors: /etc/selinux/targeted/contexts/files/file_contexts: line 1361 has invalid context system_u:object_r:prosody_var_lib_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 1362 has invalid context system_u:object_r:prosody_var_run_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 2494 has invalid context system_u:object_r:prosody_unit_file_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 2581 has invalid context system_u:object_r:iodined_unit_file_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 3382 has invalid context system_u:object_r:prosody_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 3846 has invalid context system_u:object_r:prosody_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts: line 5228 has invalid context system_u:object_r:systemd_vconsole_unit_file_t:s0 9.4%/etc/selinux/targeted/contexts/files/file_contexts: has invalid context system_u:object_r:systemd_vconsole_unit_file_t:s0 Could you try it with selinux-policy-3.12.1-63.fc20? Sure, will do. Indeed, with -63 in host and guest, seems to work. |
I built a Rawhide live image as of 2013-07-10, with gdm-3.8.3-2.fc20 and selinux-policy-3.12.1-62.fc20 . On boot, it shows the GDM greeter (it should auto login as liveuser) and attempting to log in just loops back to GDM. If you boot with enforcing=0, it boots to GNOME as expected. SELinux Troubleshooter doesn't seem to catch any AVCs, but journalctl shows these: Jul 10 18:44:30 localhost setroubleshoot[959]: dbus avc(node=localhost type=AVC msg=audit(1373496266.682:271): avc: denied { transition } for pid=956 comm="gdm-session-wor" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=154478 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Jul 10 18:44:30 localhost setroubleshoot[959]: AuditRecordReceiver.feed() got node=localhost type=AVC msg=audit(1373496266.682:271): avc: denied { transition } for pid=956 comm="gdm-session-wor" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=154478 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Jul 10 18:44:30 localhost setroubleshoot[959]: AuditRecordReceiver.add_record_to_cache(): node=localhost type=AVC msg=audit(1373496266.682:271): avc: denied { transition } for pid=956 comm="gdm-session-wor" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=154478 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process Jul 10 18:44:30 localhost setroubleshoot[959]: setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:kernel_t:s0, AVC scontext=system_u:system_r:kernel_t:s0 Proposing as an Alpha blocker: https://fedoraproject.org/wiki/Fedora_20_Alpha_Release_Criteria#Expected_image_boot_behavior "Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop."