Bug 1114192 - SELinux is preventing /usr/bin/sddm from 'write' accesses on the file .
Summary: SELinux is preventing /usr/bin/sddm from 'write' accesses on the file .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sddm
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Martin Bříza
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:998c0f988886d919e1817c6b163...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-06-28 12:47 UTC by Juan Orti Alcaine
Modified: 2014-10-31 02:43 UTC (History)
14 users (show)

Fixed In Version: sddm-0.9.0-2.20141007git6a28c29b.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 06:46:25 UTC


Attachments (Terms of Use)

Description Juan Orti Alcaine 2014-06-28 12:47:58 UTC
Description of problem:
Just starting sddm:

systemctl enable --force sddm.service
systemctl start sddm.service
SELinux is preventing /usr/bin/sddm from 'write' accesses on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow sddm to have write access on the  file
Then necesita modificar la etiqueta en $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
donde FILE_TYPE es uno de los siguientes: afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, user_tmpfs_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmp_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. 
Luego ejecute: 
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If cree que de manera predeterminada, sddm debería permitir acceso write sobre   file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep sddm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                 [ file ]
Source                        sddm
Source Path                   /usr/bin/sddm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sddm-0.2.0-0.16.20130914git50ca5b20.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-171.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.0-1.fc20.x86_64 #1 SMP Tue
                              Jun 17 21:48:04 CEST 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-06-28 14:38:22 CEST
Last Seen                     2014-06-28 14:38:22 CEST
Local ID                      ed6cc9d8-ee0f-4517-be1e-872468db10d0

Raw Audit Messages
type=AVC msg=audit(1403959102.403:589): avc:  denied  { write } for  pid=3020 comm="sddm" name="sddm.conf" dev="sda2" ino=5050368 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file


type=SYSCALL msg=audit(1403959102.403:589): arch=x86_64 syscall=open success=no exit=EACCES a0=7f8de526de28 a1=80042 a2=1b6 a3=4 items=0 ppid=1 pid=3020 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=sddm exe=/usr/bin/sddm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: sddm,xdm_t,etc_t,file,write

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.0-1.fc20.x86_64
type:           libreport

Comment 1 Daniel Walsh 2014-07-14 13:16:28 UTC
Why does sddm write to its config FIle?

Comment 2 Rex Dieter 2014-07-14 13:34:10 UTC
The old version of sddm did that to record LastUser, but I believe the latest version does not do that anymore.  Please upgrade to at least,
https://admin.fedoraproject.org/updates/FEDORA-2014-7755/sddm-0.2.0-0.31.20140627gitf49c2c79.fc20

and retest please.

Comment 3 Juan Orti Alcaine 2014-07-15 17:03:23 UTC
It has happenend again:

# rpm -q sddm
sddm-0.2.0-0.31.20140627gitf49c2c79.fc20.x86_64


SELinux is preventing /usr/bin/sddm from write access on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow sddm to have write access on the  file
Then necesita modificar la etiqueta en $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
donde FILE_TYPE es uno de los siguientes: afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, user_tmpfs_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmp_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. 
Luego ejecute: 
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If cree que de manera predeterminada, sddm debería permitir acceso write sobre   file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep sddm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                 [ file ]
Source                        sddm
Source Path                   /usr/bin/sddm
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           sddm-0.2.0-0.31.20140627gitf49c2c79.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed>
                              3.15.4-200.1.fc20.1.x86_64 #1 SMP Fri Jul 11
                              14:02:03 CEST 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-15 18:58:50 CEST
Last Seen                     2014-07-15 18:58:50 CEST
Local ID                      9b88a9a8-9e8a-4a29-a6a5-99c708581b39

Raw Audit Messages
type=AVC msg=audit(1405443530.128:788): avc:  denied  { write } for  pid=1804 comm="sddm" name="sddm.conf" dev="sda2" ino=7793701 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file


type=SYSCALL msg=audit(1405443530.128:788): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5da27e48 a1=80042 a2=1b6 a3=4 items=0 ppid=1 pid=1804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sddm exe=/usr/bin/sddm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: sddm,xdm_t,etc_t,file,write

Comment 4 Rex Dieter 2014-07-15 17:15:40 UTC
To be sure, did you reboot since upgrading sddm ?  (if not, please do... if you did, then nevermind)

Comment 5 Juan Orti Alcaine 2014-07-15 17:51:28 UTC
I have received the same SELinux alert after a reboot.

Comment 6 Orion Poplawski 2014-07-25 20:47:55 UTC
Seeing this on fresh F21 install

sddm-0.2.0-0.31.20140627gitf49c2c79.fc21.x86_64

Comment 7 Andrei Amuraritei 2014-10-06 14:14:52 UTC
Description of problem:
Install sddm from dvratil/plasma-5 copr repo. Start with systemctl start sddm, get a blinking cursor on black tty. After a few seconds sddm shows. 
Disable SELINUX or set manual policy according to abrt solution fixes this.

Also same behavior on Fedora 21 Alpha.

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-200.fc20.x86_64
type:           libreport

Comment 8 Fedora Update System 2014-10-07 09:26:21 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc21

Comment 9 Fedora Update System 2014-10-07 09:27:25 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc20

Comment 10 Fedora Update System 2014-10-07 09:28:17 UTC
sddm-0.9.0-1.20141007git6a28c29b.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sddm-0.9.0-1.20141007git6a28c29b.fc19

Comment 11 Fedora Update System 2014-10-08 18:57:45 UTC
Package sddm-0.9.0-1.20141007git6a28c29b.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sddm-0.9.0-1.20141007git6a28c29b.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12308/sddm-0.9.0-1.20141007git6a28c29b.fc20
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2014-10-28 06:46:25 UTC
sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-10-31 02:43:06 UTC
sddm-0.9.0-2.20141007git6a28c29b.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.