Description of problem:
Unable to login as xguest user

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-129.fc23.noarch

How reproducible:
100%

Steps to Reproduce:
1. enforcing mode
2. yum install xguest
3. reboot (not really needed)

Actual results:
#============= xguest_t ==============
allow xguest_t event_device_t:chr_file write;
#!!!! This avc can be allowed using the boolean 'selinuxuser_use_ssh_chroot'
allow xguest_t self:capability { setuid setgid };
allow xguest_t self:capability { net_admin dac_read_search sys_admin dac_override };

Expected results:
No AVCs

Additional info:
Same problem observed on F22
----
type=USER_AVC msg=audit(06/15/2015 18:57:14.552:1416) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/15/2015 18:57:14.552:1417) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/15/2015 18:57:14.552:1418) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/15/2015 18:57:14.552:1419) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=AVC msg=audit(06/15/2015 18:57:25.276:1433) : avc: denied { sys_admin } for pid=10272 comm=Xorg.wrap capability=sys_admin scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.276:1434) : avc: denied { setgid } for pid=10272 comm=Xorg.wrap capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.276:1435) : avc: denied { setuid } for pid=10272 comm=Xorg.wrap capability=setuid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.306:1436) : avc: denied { dac_override } for pid=10282 comm=pkexec capability=dac_override scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.306:1437) : avc: denied { dac_read_search } for pid=10282 comm=pkexec capability=dac_read_search scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.310:1438) : avc: denied { dac_override } for pid=10284 comm=pkexec capability=dac_override scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.310:1439) : avc: denied { dac_read_search } for pid=10284 comm=pkexec capability=dac_read_search scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.383:1440) : avc: denied { write } for pid=10272 comm=Xorg path=/dev/input/event2 dev="devtmpfs" ino=10914 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.534:1441) : avc: denied { setgid } for pid=10287 comm=gdbus capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.534:1442) : avc: denied { setgid } for pid=10286 comm=gmain capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.535:1443) : avc: denied { setgid } for pid=10284 comm=pkexec capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.537:1444) : avc: denied { net_admin } for pid=10284 comm=pkexec capability=net_admin scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.537:1445) : avc: denied { net_admin } for pid=10284 comm=pkexec capability=net_admin scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.541:1447) : avc: denied { setgid } for pid=10287 comm=gdbus capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.541:1448) : avc: denied { setgid } for pid=10286 comm=gmain capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
----
type=AVC msg=audit(06/15/2015 18:57:25.541:1449) : avc: denied { setgid } for pid=10284 comm=pkexec capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
Were you able to log in?
(In reply to Miroslav Grepl from comment #2)
> Were you able to log in?

No. I just get a blank screen with a blinking cursor in the top left-hand corner.
Same results here under gdm and Fedora 22. Discussion on fedoraforums.org indicates that xguest (in Fedora 22) works fine with kdm: http://forums.fedoraforum.org/showthread.php?p=1736901&posted=1#post1736901
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
It looks like gdm is doing something wrong, because kdm and other display managers seem fine. Reading /dev/input/event2 by Xorg makes sense to me, but I'm not sure about write permissions. /dev/input/event2 is the mouse event device. Gdm folks, can you make it clear for us? Thank you.
Other display managers run the X server as root; GDM instead runs the X server as the unprivileged user, within the user session.
In this case we need to allow this rule in xguest policy.
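The audit2allow output in the report and the conclusion above that the rules need to go into the xguest policy both rest on the same transformation: each AVC denial is collapsed into a type-enforcement allow rule keyed on source type, target type and object class, with "self" substituted when source and target types match. The script below is an added example, not code from this bug report, from selinux-policy or from audit2allow itself. It performs that transformation over a constructed subset of the AVC records posted above, renders the result as a loadable module source in the shape audit2allow -M writes, and also tabulates which program requested which capability, which is the question being put to the gdm maintainers. The module name xguest_local and version 1.0 are arbitrary choices for the example.

```python
"""Minimal re-implementation of the audit2allow rule-collapsing step.
Added example; not the bug report's, selinux-policy's or audit2allow's code."""
import re
from collections import defaultdict

# Constructed sample: a subset of the records from the bug report, one per
# line, in the interpreted ("ausearch -i") form they were posted in.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(06/15/2015 18:57:14.552:1416) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=AVC msg=audit(06/15/2015 18:57:25.276:1433) : avc: denied { sys_admin } for pid=10272 comm=Xorg.wrap capability=sys_admin scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.276:1434) : avc: denied { setgid } for pid=10272 comm=Xorg.wrap capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.276:1435) : avc: denied { setuid } for pid=10272 comm=Xorg.wrap capability=setuid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.306:1436) : avc: denied { dac_override } for pid=10282 comm=pkexec capability=dac_override scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.306:1437) : avc: denied { dac_read_search } for pid=10282 comm=pkexec capability=dac_read_search scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.383:1440) : avc: denied { write } for pid=10272 comm=Xorg path=/dev/input/event2 dev="devtmpfs" ino=10914 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.534:1441) : avc: denied { setgid } for pid=10287 comm=gdbus capability=setgid scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
type=AVC msg=audit(06/15/2015 18:57:25.537:1444) : avc: denied { net_admin } for pid=10284 comm=pkexec capability=net_admin scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=capability permissive=0
"""

# Fields of one denial: the permission set, the requesting program, and the
# three values a type-enforcement rule is built from. comm may be quoted in
# raw audit.log output, so the quotes are optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"\bcomm=\"?(?P<comm>[^\"\s]+)\"?.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context):
    # A context is user:role:type[:range]; the type is always the third field.
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial. USER_AVC notices (policy loads) and
    any AVC line that is not a denial are skipped."""
    denials = []
    for line in text.splitlines():
        if not re.search(r"\btype=AVC\b", line):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m["perms"].split()),
            "comm": m["comm"],
            "stype": _type_of(m["scontext"]),
            "ttype": _type_of(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return denials


def _perm_set(perms):
    # Policy syntax: a single permission bare, several inside braces.
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class),
    writing 'self' when source and target types are the same."""
    merged = defaultdict(set)
    for d in denials:
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {_perm_set(p)};"
            for (s, t, c), p in sorted(merged.items())]


def capability_requests(denials):
    """Map each program (comm) to the capabilities it was denied. This is the
    review question to answer before widening a guest domain's capability set."""
    by_comm = defaultdict(set)
    for d in denials:
        if d["tclass"] == "capability":
            by_comm[d["comm"]] |= d["perms"]
    return {comm: sorted(caps) for comm, caps in sorted(by_comm.items())}


def policy_module(name, denials):
    """Render loadable-module source (.te) in the form audit2allow -M writes:
    a require block listing every type and class used, then the allow rules."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    print(policy_module("xguest_local", found))
    for comm, caps in capability_requests(found).items():
        print(f"# {comm} requested: {' '.join(caps)}")
```

On a real system the equivalent is ausearch -m AVC -ts recent | audit2allow -M xguest_local followed by semodule -i xguest_local.pp; the .te text this script prints can be compiled the same way by hand with checkmodule -M -m -o xguest_local.mod xguest_local.te and semodule_package -o xguest_local.pp -m xguest_local.mod. The capability table is the part worth reading before loading anything: the write to event_device_t is a narrow rule, but the collapsed capability rule hands the guest domain setuid, setgid and sys_admin, so a local module built this way is a diagnostic for a bug report like this one, not a replacement for the distribution policy update the thread ends with.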
selinux-policy-3.13.1-158.15.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-df52942a2f
selinux-policy-3.13.1-158.15.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-df52942a2f
selinux-policy-3.13.1-158.15.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This problem exists for Fedora 24 as well. Guest account appears, but clicking on it momentarily blanks the screen and then the original login selections appear. Same AVC denials appear in /var/log/messages.