Created attachment 950799 [details]
Raw AVC denials

Description of problem:
Can not log in with selinux enabled. I am using the targeted policy with confined users (staff_u for now, user_u not tested).
Note: I upgraded from Fedora 20

Version-Release number of selected component (if applicable):
selinux-policy-targeted.noarch 3.13.1-85.fc21

How reproducible:
Every time selinux is enabled

Steps to Reproduce:
Log in at the login screen.

Actual results:
Brief flash to console, login restarts

Expected results:
Successful log in

Additional info:
I am attaching the raw avc denials (policykit)
I tried to add a policy, mypolicykit, but got an error when adding it:

Error:
semanage -i mypolicykit.pp
usage: semanage [-h] {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit} ...
semanage: error: argument subcommand: invalid choice: '\x8f\xff|\xf9\x01\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x8d\xff|\xf9\x0f\x00\x00\x00SE' (choose from 'import', 'export', 'login', 'user', 'port', 'interface', 'module', 'node', 'fcontext', 'boolean', 'permissive', 'dontaudit')

Here is the .te:

module mypolicykit 1.0;

require {
	type staff_t;
	type policykit_auth_t;
	type config_home_t;
	type init_t;
	class unix_stream_socket connectto;
	class dir write;
	class file { write read getattr open };
}

#============= policykit_auth_t ==============
allow policykit_auth_t config_home_t:dir write;
allow policykit_auth_t config_home_t:file write;
allow policykit_auth_t init_t:file { read getattr open };
allow policykit_auth_t staff_t:unix_stream_socket connectto;
I had to add an additional policy module:

module mylogin 1.0;

require {
	type staff_t;
	type unconfined_service_t;
	type xsession_exec_t;
	class dbus send_msg;
	class file entrypoint;
}

#============= staff_t ==============
allow staff_t unconfined_service_t:dbus send_msg;
allow staff_t xsession_exec_t:file entrypoint;
I had to add all this to allow log in:

module myproblems 1.0;

require {
	type staff_t;
	type staff_dbusd_t;
	type policykit_auth_t;
	type init_t;
	type pulseaudio_t;
	type var_run_t;
	type unconfined_service_t;
	type setroubleshootd_t;
	type mozilla_plugin_t;
	type chkpwd_t;
	type wtmp_t;
	type gpg_agent_t;
	type systemd_tmpfiles_t;
	type user_devpts_t;
	type initrc_exec_t;
	type system_dbusd_t;
	type fcoemon_exec_t;
	type shadow_t;
	type xsession_exec_t;
	type user_tmp_t;
	type systemd_unit_file_t;
	type staff_ssh_agent_t;
	type usr_t;
	type user_home_dir_t;
	type lldpad_exec_t;
	type policykit_t;
	type rpm_var_lib_t;
	type xdm_home_t;
	type iceauth_home_t;
	type initrc_var_run_t;
	type xdm_t;
	type vmtools_helper_t;
	class process { siginh noatsecure rlimitinh };
	class unix_stream_socket { read write ioctl };
	class chr_file { read write };
	class capability net_admin;
	class file { write getattr ioctl read open execute };
	class sock_file unlink;
	class dir { getattr search };
}

#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };

#============= gpg_agent_t ==============
allow gpg_agent_t xdm_home_t:file { write getattr };

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t xdm_home_t:file write;

#============= policykit_auth_t ==============
allow policykit_auth_t iceauth_home_t:file { read getattr open };
allow policykit_auth_t init_t:dir search;
allow policykit_auth_t user_home_dir_t:dir getattr;
allow policykit_auth_t user_tmp_t:file open;
allow policykit_auth_t xdm_home_t:file write;

#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { siginh rlimitinh noatsecure };

#============= pulseaudio_t ==============
allow pulseaudio_t xdm_home_t:file write;

#============= setroubleshootd_t ==============
allow setroubleshootd_t rpm_var_lib_t:file write;
allow setroubleshootd_t var_run_t:sock_file unlink;

#============= staff_dbusd_t ==============
allow staff_dbusd_t staff_t:process { siginh rlimitinh noatsecure };
allow staff_dbusd_t systemd_unit_file_t:dir getattr;
allow staff_dbusd_t xdm_home_t:file write;

#============= staff_ssh_agent_t ==============
allow staff_ssh_agent_t staff_t:process { siginh rlimitinh noatsecure };
allow staff_ssh_agent_t xdm_home_t:file write;

#============= staff_t ==============
allow staff_t fcoemon_exec_t:file { read getattr execute };
allow staff_t gpg_agent_t:process { siginh rlimitinh noatsecure };
allow staff_t initrc_exec_t:file execute;
allow staff_t initrc_var_run_t:file write;
allow staff_t lldpad_exec_t:file { read getattr execute };
allow staff_t mozilla_plugin_t:process { siginh rlimitinh };
allow staff_t policykit_auth_t:process { siginh rlimitinh noatsecure };
allow staff_t pulseaudio_t:process { siginh rlimitinh noatsecure };
allow staff_t staff_dbusd_t:process { siginh rlimitinh noatsecure };
allow staff_t staff_dbusd_t:unix_stream_socket { read write ioctl };
allow staff_t staff_ssh_agent_t:process { siginh rlimitinh noatsecure };
allow staff_t vmtools_helper_t:process { siginh rlimitinh noatsecure };
allow staff_t wtmp_t:file write;
allow staff_t xsession_exec_t:file { read ioctl open getattr };

#============= system_dbusd_t ==============
allow system_dbusd_t setroubleshootd_t:process { siginh rlimitinh noatsecure };
allow system_dbusd_t unconfined_service_t:process { siginh rlimitinh noatsecure };

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t self:capability net_admin;

#============= xdm_t ==============
allow xdm_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow xdm_t shadow_t:file { read getattr open };
allow xdm_t staff_t:process { siginh noatsecure };
allow xdm_t usr_t:file write;
Any chance to try executing

# restorecon -R -v /usr/bin /usr/sbin

to see if there are mislabeled files? And if I see correctly, you use KDE?
I use primarily KDE, but I am testing gnome and xfce a bit for Fedora 21. Yes, I ran restorecon and fixfiles (on reboot) before working through all the denials (with audit2why and audit2allow). If it helps, I use confined users, staff_u mainly. I can look at user_u as well.
Looks like you turned off lots of dontaudit rules. Most of these you should not need.

What process is running as unconfined_service_t on your machine?

ps -eZ | grep unconfined_service_t

On comment 1 you should use semodule, not semanage.
Sorry for comment 1, I noted that after I posted and can not delete it. Tab completion fail, lol.

ps -eZ | grep unconfined_service_t

does not return anything.
Updated to the most recent selinux policy. I still can not log in with confined users (staff_u or user_u) with the default targeted policy.

selinux-policy.noarch 3.13.1-91.fc21 @fedora
selinux-policy-targeted.noarch 3.13.1-91.fc21 @fedora

Some of the problems are silent denials. After a reboot and relabel of the file system, I logged into kde, gnome-shell, and xfce as a user_u and staff_u and switched users between the two. I will attach the raw AVC denials (there are tons) and here is my myuser_u.te:

module myuser_u 1.0;

require {
	type vhost_device_t;
	type uhid_device_t;
	type systemd_tmpfiles_t;
	type unconfined_service_t;
	type home_root_t;
	type thumb_t;
	type mozilla_plugin_t;
	type chkpwd_t;
	type bluetooth_tmp_t;
	type howl_port_t;
	type autofs_device_t;
	type initrc_exec_t;
	type abrt_t;
	type user_tmp_t;
	type var_run_t;
	type initctl_t;
	type systemd_logind_t;
	type iptables_t;
	type selinux_config_t;
	type ppp_device_t;
	type rpm_t;
	type user_gkeyringd_t;
	type vmtools_helper_t;
	type default_context_t;
	type freeipmi_port_t;
	type policykit_auth_t;
	type auditd_log_t;
	type printer_device_t;
	type NetworkManager_t;
	type user_dbusd_t;
	type systemd_logind_var_run_t;
	type setroubleshootd_t;
	type lvm_control_t;
	type memory_device_t;
	type insmod_t;
	type us_cli_port_t;
	type kvm_device_t;
	type file_context_t;
	type systemd_unit_file_t;
	type nvram_device_t;
	type config_home_t;
	type firewalld_t;
	type rpm_tmp_t;
	type pulseaudio_port_t;
	type apm_bios_t;
	type xdm_home_t;
	type device_t;
	type iceauth_home_t;
	type getty_t;
	type netcontrol_device_t;
	type staff_t;
	type semanage_store_t;
	type pulseaudio_t;
	type iceauth_t;
	type initrc_t;
	type wtmp_t;
	type user_devpts_t;
	type dhcpc_t;
	type ms_streaming_port_t;
	type fcoemon_exec_t;
	type power_unit_file_t;
	type telepathy_mission_control_t;
	type ssh_t;
	type lldpad_exec_t;
	type policykit_t;
	type rpm_var_lib_t;
	type usbmon_device_t;
	type init_var_run_t;
	type condor_port_t;
	type user_t;
	type staff_gkeyringd_t;
	type xdm_t;
	type unconfined_t;
	type staff_dbusd_t;
	type tty_device_t;
	type init_t;
	type usr_t;
	type ricci_port_t;
	type sysfs_t;
	type system_dbusd_t;
	type local_login_t;
	type gpg_agent_t;
	type shadow_t;
	type xsession_exec_t;
	type loop_control_device_t;
	type staff_ssh_agent_t;
	type unreserved_port_t;
	type user_home_dir_t;
	type abrt_watch_log_exec_t;
	type framebuf_device_t;
	type var_lib_t;
	type clock_device_t;
	type readahead_t;
	type staff_sudo_t;
	type user_ssh_agent_t;
	type initrc_var_run_t;
	type bin_t;
	type tmpfs_t;
	class fifo_file getattr;
	class service status;
	class process { siginh execmem noatsecure rlimitinh };
	class unix_stream_socket { write connectto ioctl read getattr };
	class dbus send_msg;
	class chr_file { read write getattr };
	class capability { setuid dac_read_search sys_admin sys_module net_admin dac_override };
	class tcp_socket name_bind;
	class file { execute read lock create getattr write ioctl entrypoint open };
	class sock_file unlink;
	class udp_socket name_bind;
	class dir { search read mounton write getattr };
}

#============= NetworkManager_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t dhcpc_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t initrc_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow NetworkManager_t self:capability sys_module;

#============= abrt_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow abrt_t rpm_var_lib_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow abrt_t self:capability net_admin;

#============= chkpwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow chkpwd_t tty_device_t:chr_file { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow chkpwd_t user_devpts_t:chr_file { read write };

#============= firewalld_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow firewalld_t iptables_t:process { siginh noatsecure rlimitinh };

#============= getty_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow getty_t local_login_t:process { siginh noatsecure rlimitinh };

#============= gpg_agent_t ==============
#!!!! This avc is allowed in the current policy
allow gpg_agent_t user_tmp_t:file { create open };
#!!!! This avc has a dontaudit rule in the current policy
allow gpg_agent_t xdm_home_t:file { write getattr };

#============= iceauth_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow iceauth_t xdm_home_t:file write;

#============= iptables_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow iptables_t insmod_t:process { siginh noatsecure rlimitinh };

#============= local_login_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t chkpwd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t self:capability net_admin;
#!!!! This avc has a dontaudit rule in the current policy
allow local_login_t unconfined_t:process { siginh noatsecure };

#============= mozilla_plugin_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow mozilla_plugin_t xdm_home_t:file write;

#============= policykit_auth_t ==============
allow policykit_auth_t config_home_t:dir write;
allow policykit_auth_t config_home_t:file write;
allow policykit_auth_t home_root_t:dir read;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t iceauth_home_t:file { read getattr open };
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t init_t:dir search;
allow policykit_auth_t init_t:file { read getattr open };
allow policykit_auth_t staff_t:unix_stream_socket connectto;
allow policykit_auth_t tmpfs_t:file { read write };
allow policykit_auth_t user_home_dir_t:dir write;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t user_home_dir_t:dir { read getattr search };
allow policykit_auth_t user_t:unix_stream_socket connectto;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t user_tmp_t:file open;
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_auth_t xdm_home_t:file write;

#============= policykit_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow policykit_t policykit_auth_t:process { siginh noatsecure rlimitinh };

#============= pulseaudio_t ==============
allow pulseaudio_t self:process execmem;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t staff_t:unix_stream_socket { read write };
allow pulseaudio_t user_home_dir_t:file create;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t user_t:unix_stream_socket { read write };
#!!!! This avc is allowed in the current policy
allow pulseaudio_t user_tmp_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow pulseaudio_t xdm_home_t:file write;

#============= readahead_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t auditd_log_t:file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t default_context_t:file { read open };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t file_context_t:file { read open };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t selinux_config_t:file { read ioctl open getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t semanage_store_t:file { read ioctl open getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow readahead_t shadow_t:file { read open };

#============= setroubleshootd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t rpm_var_lib_t:dir write;
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t rpm_var_lib_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow setroubleshootd_t self:capability net_admin;
allow setroubleshootd_t user_t:dbus send_msg;
allow setroubleshootd_t var_lib_t:file { read lock open };
allow setroubleshootd_t var_run_t:sock_file unlink;

#============= staff_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t staff_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t systemd_unit_file_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t telepathy_mission_control_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t thumb_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_dbusd_t xdm_home_t:file write;

#============= staff_gkeyringd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_gkeyringd_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_gkeyringd_t staff_t:unix_stream_socket { read write getattr };

#============= staff_ssh_agent_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_ssh_agent_t staff_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_ssh_agent_t xdm_home_t:file write;

#============= staff_sudo_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_sudo_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow staff_sudo_t init_var_run_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_sudo_t unconfined_t:process { siginh noatsecure rlimitinh };

#============= staff_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t abrt_watch_log_exec_t:file { read execute getattr };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t apm_bios_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t autofs_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t bluetooth_tmp_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t chkpwd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t clock_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t condor_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t fcoemon_exec_t:file { read getattr execute };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t framebuf_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t freeipmi_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t gpg_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t howl_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t iceauth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initctl_t:fifo_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initrc_exec_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t initrc_var_run_t:file write;
#!!!! This avc can be allowed using the boolean 'staff_use_svirt'
allow staff_t kvm_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t lldpad_exec_t:file { read getattr execute };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t loop_control_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t lvm_control_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t memory_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t mozilla_plugin_t:process { siginh rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t ms_streaming_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t netcontrol_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t nvram_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t policykit_auth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t ppp_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t printer_device_t:chr_file getattr;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t pulseaudio_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t pulseaudio_t:process { siginh noatsecure rlimitinh };
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t ricci_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t rpm_tmp_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t self:capability net_admin;
#!!!! This avc is allowed in the current policy
allow staff_t self:capability { setuid sys_admin };
allow staff_t self:capability { dac_read_search dac_override };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t ssh_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_dbusd_t:process { siginh noatsecure rlimitinh };
allow staff_t staff_dbusd_t:unix_stream_socket ioctl;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_ssh_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t staff_sudo_t:process { siginh noatsecure rlimitinh };
allow staff_t sysfs_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t uhid_device_t:chr_file getattr;
allow staff_t unconfined_service_t:dbus send_msg;
#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, selinuxuser_tcp_server
allow staff_t unreserved_port_t:tcp_socket name_bind;
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t us_cli_port_t:udp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t usbmon_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t vhost_device_t:chr_file getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t vmtools_helper_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t wtmp_t:file write;
allow staff_t xsession_exec_t:file entrypoint;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t xsession_exec_t:file { read ioctl open getattr };

#============= system_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t abrt_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t setroubleshootd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t unconfined_service_t:process { siginh noatsecure rlimitinh };

#============= systemd_logind_t ==============
#!!!! This avc is allowed in the current policy
allow systemd_logind_t self:capability sys_admin;
#!!!! This avc is allowed in the current policy
allow systemd_logind_t tmpfs_t:dir read;
allow systemd_logind_t unconfined_service_t:dbus send_msg;
#!!!! This avc is allowed in the current policy
allow systemd_logind_t user_tmp_t:dir mounton;

#============= systemd_tmpfiles_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow systemd_tmpfiles_t self:capability net_admin;

#============= telepathy_mission_control_t ==============
allow telepathy_mission_control_t bin_t:file execute;
#!!!! This avc has a dontaudit rule in the current policy
allow telepathy_mission_control_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow telepathy_mission_control_t user_dbusd_t:unix_stream_socket { read write };

#============= thumb_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t staff_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t user_dbusd_t:unix_stream_socket { read write };

#============= user_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t systemd_unit_file_t:dir getattr;
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t telepathy_mission_control_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t thumb_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t user_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_dbusd_t xdm_home_t:file write;

#============= user_gkeyringd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_gkeyringd_t user_t:unix_stream_socket { read write getattr };

#============= user_ssh_agent_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_ssh_agent_t user_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_ssh_agent_t xdm_home_t:file write;

#============= user_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow user_t gpg_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t iceauth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t init_var_run_t:dir read;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t initrc_var_run_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t policykit_auth_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t pulseaudio_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t rpm_t:dbus send_msg;
allow user_t self:capability net_admin;
allow user_t setroubleshootd_t:dbus send_msg;
allow user_t sysfs_t:file write;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t systemd_logind_var_run_t:dir read;
allow user_t unconfined_service_t:dbus send_msg;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_dbusd_t:process { siginh noatsecure rlimitinh };
allow user_t user_dbusd_t:unix_stream_socket ioctl;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_dbusd_t:unix_stream_socket { read write };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t user_ssh_agent_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t vmtools_helper_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow user_t wtmp_t:file write;
allow user_t xsession_exec_t:file entrypoint;
#!!!! This avc has a dontaudit rule in the current policy
allow user_t xsession_exec_t:file { read ioctl open getattr };

#============= xdm_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t chkpwd_t:process { siginh noatsecure rlimitinh };
allow xdm_t power_unit_file_t:service status;
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t shadow_t:file { read getattr open };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t staff_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t staff_t:process { siginh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t user_gkeyringd_t:process { siginh noatsecure rlimitinh };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t user_t:process { siginh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy
allow xdm_t usr_t:file write;
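The module above is a good illustration of the earlier remark that most of these rules "you should not need": audit2allow marks each rule it already knows about with a "#!!!!" comment (a dontaudit rule exists, the access is already allowed, or a boolean would enable it), and only the unmarked rules are genuinely missing. The following script is an added example, not code from the bug report or from the selinux-policy project; the function names (triage, build_module, plan) and the SAMPLE excerpt are mine, and the commands it emits are the standard checkmodule, semodule_package, semodule and setsebool invocations. It sorts an audit2allow listing into those buckets, writes a minimal .te for the rules that are actually needed (for the excerpt this reproduces the later mystaff_u.te), and returns the order of operations a defender would follow instead of allowing everything.

```python
"""Triage audit2allow output before turning it into a local policy module.

Added example; not code from the bug report or the selinux-policy project.
Input is assumed to be the .te text audit2allow prints, including the
"#!!!!" annotation comments seen in the module above.  Rules fall into
four buckets and only the last one belongs in a custom module:
  dontaudit - normally silenced; restore the dontaudit rules (semodule -B)
  allowed   - already permitted by the loaded policy; nothing is missing
  boolean   - switchable with setsebool; no module needed
  needed    - no existing rule; candidate for a local module
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^\s;]+);$")

def parse_rule(line):
    """Split 'allow SRC TGT:CLASS PERMS;' into (src, tgt, cls, sorted perms)."""
    m = RULE_RE.match(line)
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, sorted(perms.strip("{} ").split())

def extract_booleans(note):
    """Boolean names from "...the boolean 'x'" or "...booleans: a, b"."""
    quoted = re.findall(r"'(\w+)'", note)
    if quoted:
        return set(quoted)
    return set(re.findall(r"[a-z][a-z0-9_]*", note.rsplit(":", 1)[-1]))

def triage(te_text):
    """Return ({bucket: [rule lines]}, {booleans named by audit2allow})."""
    buckets, booleans, pending = defaultdict(list), set(), None
    for raw in te_text.splitlines():
        line = raw.strip()
        if line.startswith("#====="):           # per-domain section header
            pending = None
        elif line.startswith("#!!!!"):          # annotation for the next rule
            pending = line[5:].strip()
        elif line.startswith("#") and pending is not None:
            pending += " " + line.lstrip("# ")  # boolean list wrapped to a 2nd line
        elif line.startswith("allow "):
            note, pending = pending or "", None
            if "dontaudit rule" in note:
                buckets["dontaudit"].append(line)
            elif "is allowed in the current policy" in note:
                buckets["allowed"].append(line)
            elif "boolean" in note:
                buckets["boolean"].append(line)
                booleans |= extract_booleans(note)
            else:
                buckets["needed"].append(line)
    return dict(buckets), booleans

def build_module(name, rules):
    """Write a minimal .te, require block included, for the needed rules."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        src, tgt, cls, perms = parse_rule(rule)
        types.update({src} if tgt == "self" else {src, tgt})
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"\tclass {cls} {perm_str};")
    return "\n".join(out + ["}", ""] + list(rules)) + "\n"

def plan(te_text, module_name="mylocal"):
    """Commands to run, in order, instead of allowing every denial."""
    buckets, booleans = triage(te_text)
    steps = []
    if buckets.get("dontaudit"):
        steps.append("semodule -B   # rebuild with dontaudit rules restored")
    for b in sorted(booleans):
        steps.append(f"setsebool -P {b} on   # only if that access is wanted")
    if buckets.get("needed"):
        steps.append(f"checkmodule -M -m -o {module_name}.mod {module_name}.te")
        steps.append(f"semodule_package -o {module_name}.pp -m {module_name}.mod")
        steps.append(f"semodule -i {module_name}.pp   # semodule, not semanage")
    return steps

# Constructed sample: a short excerpt of the myuser_u.te posted above.
SAMPLE = """\
module myuser_u 1.0;

#============= pulseaudio_t ==============
#!!!! This avc is allowed in the current policy
allow pulseaudio_t user_tmp_t:file execute;

#============= staff_t ==============
#!!!! This avc can be allowed using the boolean 'selinuxuser_udp_server'
allow staff_t condor_port_t:udp_socket name_bind;
#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, selinuxuser_tcp_server
allow staff_t unreserved_port_t:tcp_socket name_bind;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t wtmp_t:file write;
allow staff_t xsession_exec_t:file entrypoint;
#!!!! This avc has a dontaudit rule in the current policy
allow staff_t xsession_exec_t:file { read ioctl open getattr };
"""

if __name__ == "__main__":
    found, _ = triage(SAMPLE)
    print({k: len(v) for k, v in found.items()})
    print(build_module("mystaff_u", found["needed"]))
    print("\n".join(plan(SAMPLE, "mystaff_u")))
```

Run it against the full module above (paste the audit2allow output into SAMPLE or read it from a file) and the "needed" bucket shrinks to the handful of rules worth reviewing; the dontaudit bucket disappears entirely once semodule -B has restored the dontaudit rules, which is why the silent denials were flooding the log in the first place.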
Created attachment 952789 [details] Raw AVC denials 11-01-2014
Could you turn dontaudit rules on to clean it up:

# semodule -B

and then try to log into Gnome as staff_u with permissive and run

# ausearch -m avc,user_avc -ts recent

I don't see this problem.
This is what I got:

----
time->Mon Nov 3 16:11:56 2014
type=USER_AVC msg=audit(1415056316.318:468): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Nov 3 16:11:56 2014
type=USER_AVC msg=audit(1415056316.318:469): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Nov 3 16:11:56 2014
type=PROCTITLE msg=audit(1415056316.572:474): proctitle=2F62696E2F7368002F6574632F6B64652F6B646D2F5873657373696F6E00676E6F6D652D73657373696F6E
type=SYSCALL msg=audit(1415056316.572:474): arch=c000003e syscall=59 success=yes exit=0 a0=7fd74c28d0b0 a1=7fd74c28d090 a2=7fd74c2a7cd0 a3=21 items=0 ppid=3072 pid=3153 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm="Xsession" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1415056316.572:474): avc: denied { entrypoint } for pid=3153 comm="kdm" path="/etc/kde/kdm/Xsession" dev="dm-2" ino=131925 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:xsession_exec_t:s0 tclass=file permissive=1

However ... I think the silent denials are also causing problems.
Those avc denials result in:

cat mystaff_u.te

module mystaff_u 1.0;

require {
	type staff_t;
	type xsession_exec_t;
	class file entrypoint;
}

#============= staff_t ==============
allow staff_t xsession_exec_t:file entrypoint;

and after adding that to my semodules, I still can not log in as staff_u.

[root@daemon selinux]# ausearch -m avc,user_avc -ts recent | audit2why
[root@daemon selinux]#
Ok, what does

ps -efZ |grep kdm

show?
[root@daemon ~]# ps -efZ |grep kdm
system_u:system_r:kernel_t:s0                  root   433     2  0 17:36 ?     00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0                  root   509     2  0 17:36 ?     00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0                  root   517     2  0 17:36 ?     00:00:00 [kdmflush]
system_u:system_r:kernel_t:s0                  root   744     2  0 17:36 ?     00:00:00 [kdmflush]
system_u:system_r:xdm_t:s0-s0:c0.c1023         root   888     1  0 17:37 ?     00:00:00 /usr/bin/kdm vt1
system_u:system_r:xserver_t:s0-s0:c0.c1023     root  1041   888  6 17:37 tty1  00:02:20 /usr/libexec/Xorg.bin :0 vt1 -background none -nolisten tcp -seat seat0 -auth /var/run/kdm/A:0-t0GDma
Lukas, are you able to reproduce it with KDE?
*** Bug 1158260 has been marked as a duplicate of this bug. ***
Update: with the most recent policy

selinux-policy.noarch 3.13.1-92.fc21 @fedora
selinux-policy-targeted.noarch 3.13.1-92.fc21 @fedora

I am attaching the AVC denials ;) I can not identify the unconfined service.
Created attachment 956089 [details] AVC denials 11-10-2014
We have another bug related to this issue with SELinux confined users. Try to execute

# chcon -t bin_t /etc/kde/kdm/Xsession

for now to see if it works.
Brilliant!!! Thank you so much, I can now log into gnome and kde as both a staff_u and user_u. FWIW, there are other binaries in that directory:

-rwxr-xr-x. root root system_u:object_r:bin_t:s0 Xsession
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xsetup
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xwilling

I am not sure if Xsetup or Xwilling may need to be relabeled or not.
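The chcon workaround above changes the label on the inode only; the next relabel (the fixfiles run on reboot mentioned earlier, or restorecon) resets it from the file-context database. The script below is an added example, not code from the bug report or from the selinux-policy project: it parses the ls -Z listing just posted (plus one constructed non-executable entry to show the filter), reports every regular executable in the directory whose type is not the one expected, and returns the persistent form of the fix (semanage fcontext followed by restorecon) as strings. The function names, the expected type of bin_t for everything executable in the directory, and the sample are assumptions of mine; confirm what the policy actually wants for each file with matchpathcon before applying anything it prints.

```python
"""Flag display-manager helper scripts whose SELinux type will not let a
confined user enter a session through them, and print a fix that survives a
relabel.

Added example; not code from the bug report or the selinux-policy project.
It parses the `ls -Z` listing format posted above (mode owner group context
name) and assumes, as the chcon workaround does, that executables in the
directory should carry bin_t.  Confirm the expected type against the policy
(matchpathcon <path>) before running the commands this returns; they use
the file-context database so the label survives restorecon, unlike chcon.
"""
import re

LS_Z_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\.?\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+"
    r"(?P<name>\S.*)$")

def parse_ls_z(listing):
    """One dict per parsable line; totals, headers and blank lines are skipped."""
    matches = (LS_Z_RE.match(line.strip()) for line in listing.splitlines())
    return [m.groupdict() for m in matches if m]

def is_executable(mode):
    """True if any execute bit is set (x, or s/t which imply x)."""
    return any(mode[i] in "xst" for i in (3, 6, 9))

def relabel_candidates(listing, directory, expected_type="bin_t"):
    """(path, current type) for regular executables not labelled expected_type."""
    found = []
    for e in parse_ls_z(listing):
        regular = e["mode"][0] == "-"
        if regular and is_executable(e["mode"]) and e["type"] != expected_type:
            found.append((f"{directory.rstrip('/')}/{e['name']}", e["type"]))
    return found

def fix_commands(listing, directory, expected_type="bin_t"):
    """Persistent equivalent of `chcon -t TYPE FILE`: record the context with
    semanage fcontext, then restorecon so later relabels keep it."""
    cmds = [f"semanage fcontext -a -t {expected_type} '{path}'"
            for path, _ in relabel_candidates(listing, directory, expected_type)]
    if cmds:
        cmds.append(f"restorecon -R -v {directory}")
    return cmds

# Constructed sample: the `ls -Z` listing posted above, plus one
# non-executable config file (kdmrc, made up here) to show the filter.
SAMPLE_LISTING = """\
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 Xsession
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xsetup
-rwxr-xr-x. root root system_u:object_r:etc_t:s0 Xwilling
-rw-r--r--. root root system_u:object_r:etc_t:s0 kdmrc
"""

if __name__ == "__main__":
    for path, current in relabel_candidates(SAMPLE_LISTING, "/etc/kde/kdm"):
        print(f"{path}: labelled {current}, expected bin_t")
    print("\n".join(fix_commands(SAMPLE_LISTING, "/etc/kde/kdm")))
```

Passing a different expected_type (for example etc_t) flips the result and flags Xsession instead, which is the point of keeping the expectation a parameter rather than hard-coding the workaround: the policy, not the script, decides which label is right.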
Looks like already fixed in F21. Closing for now.