Description of problem:
Starting SDDM and trying to log on

SELinux is preventing /usr/bin/sddm-greeter from 'write' accesses on the sock_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, sddm-greeter debería permitir acceso write sobre sock_file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep sddm-greeter /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                 [ sock_file ]
Source                        sddm-greeter
Source Path                   /usr/bin/sddm-greeter
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sddm-0.2.0-0.16.20130914git50ca5b20.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-127.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.13.6-200.fc20.x86_64 #1 SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-03-13 17:13:06 CET
Last Seen                     2014-03-13 17:15:07 CET
Local ID                      be4df8fb-3b01-4dba-acc6-72e07ceb50d0

Raw Audit Messages
type=AVC msg=audit(1394727307.430:1284): avc: denied { write } for pid=19652 comm="sddm-greeter" name="sddm-:0-mGcEBp" dev="tmpfs" ino=1529186 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1394727307.430:1284): arch=x86_64 syscall=connect success=no exit=EACCES a0=e a1=7fffa1f48770 a2=6e a3=7fffa1f484b0 items=0 ppid=19648 pid=19652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sddm-greeter exe=/usr/bin/sddm-greeter subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: sddm-greeter,xdm_t,tmp_t,sock_file,write

Additional info:
reporter:       libreport-2.2.0
hashmarkername: setroubleshoot
kernel:         3.13.6-200.fc20.x86_64
type:           libreport
If you re-login does it happen again? Are you able to log in?
It starts Xorg, but I can't log in.
Could you try to use permissive mode to see if you get more AVC msgs? Thank you.
In permissive mode I can log in and I don't see any other AVC.
The question is how did we get a sock_file labeled tmp_t?
Created attachment 875257
F20 (new and not yet updated guest) screenshot

I installed a new guest using F20 x86_64, and I did not install any updates yet. I installed and enabled sddm and then performed a reboot. SELinux is in Enforcing (default). It is possible to log in and the buttons (reboot, shutdown) also do work properly. I took the screenshot showing the socket.

I will install updates on this new guest and retry.
Created attachment 875258
yum.log from the guest vm

After applying updates and rebooting, the vm behaves like the physical machine where I noticed it.

* Apply updates. (SELinux is still Enforcing)
* Reboot.
* Boot, in SDDM: (This is what I noticed before)
  1. The buttons 'reboot' and 'shutdown' do not work.
  2. One cannot log in with any user.

On another VT:
* Log in and change SELinux to Permissive and restart SDDM via systemctl.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Package: sddm.x86_64
Version: 0.2.0-0.16.20130914git50ca5b20.fc20
There is not an older version to downgrade for testing.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The uploaded yum.log shows the change from a new install (with only sddm installed) and the fully updated one.
Ok I see it also.
Easy fix. Please execute

# chcon -t xdm_exec_t /usr/bin/sddm

This will fix it for now.

commit da3cb9eecdcfbea32f6071d0985d27030f899242
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 17 17:11:37 2014 +0100

    Label sddm as xdm_exec_t to make KDE working again
selinux-policy-3.12.1-149.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-149.fc20
Package selinux-policy-3.12.1-149.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-149.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4604/selinux-policy-3.12.1-149.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-149.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
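
The triage done by hand in this thread (a denied write from xdm_t on a tmp_t socket, followed by the question of how the socket got that label) can be scripted over audit records. The following is an added example, not part of the original bug report or of setroubleshoot; the second log record, the GENERIC_TYPES set and all function names are assumptions made for the illustration.

```python
import re

# Constructed input: record 1 is the AVC line from the report above; record 2
# is made up for contrast (denial against a specific, non-generic type).
SAMPLE_LOG = [
    'type=AVC msg=audit(1394727307.430:1284): avc: denied { write } for '
    'pid=19652 comm="sddm-greeter" name="sddm-:0-mGcEBp" dev="tmpfs" '
    'ino=1529186 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1394727400.000:1300): avc: denied { read open } for '
    'pid=2100 comm="httpd" name="index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

# Assumption: a short, non-exhaustive set of fallback types. An object with
# one of these labels usually missed a type transition when it was created.
GENERIC_TYPES = {"tmp_t", "var_t", "default_t", "unlabeled_t", "file_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # user:role:type[:level]; the MLS level can contain colons itself
    # (s0-s0:c0.c1023), so split at most three times from the left.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {"comm": f["comm"], "name": f.get("name"), "tclass": f["tclass"],
            "perms": m.group(1).split(), "source_type": selinux_type(f["scontext"]),
            "target_type": selinux_type(f["tcontext"])}

def triage_key(rec):
    # Same field order as the "Hash:" line of the report.
    return ",".join([rec["comm"], rec["source_type"], rec["target_type"],
                     rec["tclass"], *rec["perms"]])

def looks_mislabeled(rec):
    return rec["target_type"] in GENERIC_TYPES

if __name__ == "__main__":
    for rec in filter(None, map(parse_avc, SAMPLE_LOG)):
        print(triage_key(rec), "-> likely mislabeled object:", looks_mislabeled(rec))
```

For the record taken from this report, the key equals the report's own Hash line, and the tmp_t target points at labeling rather than at a missing allow rule, which is where the thread's fix (labeling sddm as xdm_exec_t) landed.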