Bug 1261235 - SELinux is preventing sddm-helper from 'write' accesses on the file .Xauthority.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c06bb66b71e1c23b7dd8288b374...
Depends On:
Blocks:
Reported: 2015-09-09 01:30 UTC by Richard Jasmin
Modified: 2015-12-17 17:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-17 17:20:47 UTC
Type: ---
Embargoed:



Description Richard Jasmin 2015-09-09 01:30:05 UTC
Description of problem:
I logged in.
SELinux is preventing sddm-helper from 'write' accesses on the file .Xauthority.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sddm-helper should be allowed write access on the .Xauthority file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                .Xauthority [ file ]
Source                        sddm-helper
Source Path                   sddm-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon
                              Aug 17 19:54:31 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-08 20:24:51 CDT
Last Seen                     2015-09-08 20:24:51 CDT
Local ID                      f2c0e2f8-332d-4aaa-bb71-e98c5a77af69

Raw Audit Messages
type=AVC msg=audit(1441761891.214:544): avc:  denied  { write } for  pid=1587 comm="sddm-helper" name=".Xauthority" dev="dm-3" ino=4456483 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: sddm-helper,xdm_t,user_home_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

Potential duplicate: bug 1176052

Comment 1 Miroslav Grepl 2015-09-11 13:05:35 UTC
Are you able to reproduce it after

$ restorecon ~/.Xauth*

Comment 2 Lorenzo Buzzi 2015-09-17 08:51:58 UTC
$ restorecon -F -v ~/.Xauthority
resets the context to unconfined_u:object_r:xauth_home_t

But at next login the context is again unconfined_u:object_r:home_root_t and sddm-helper is prevented from writing it.

Comment 3 Miroslav Grepl 2015-10-09 07:44:43 UTC
(In reply to Lorenzo Buzzi from comment #2)
> $ restorecon -F -v ~/.Xauthority
> resets the context to unconfined_u:object_r:xauth_home_t
> 
> But at next login the context is again unconfined_u:object_r:home_root_t and
> sddm-helper is prevented from writing it.

Can you show us what labels are for 

$ ls -Z /home

Comment 4 Richard Jasmin 2015-10-16 16:12:14 UTC
system_u:object_r:lost_found_t:s0    lost+found
unconfined_u:object_r:user_home_dir_t:s0    me

Comment 5 Miroslav Grepl 2015-11-10 08:35:45 UTC
Ok it is correct. Do you still have the same issue?

Comment 6 Richard Jasmin 2015-12-17 17:20:47 UTC
Not anymore. Seems some files may have been out of whack.
I ported as it were from Debian based systems a while back. Linux is wonderful in that regard but Debian based setups DO NOT have SELinux working by default.

AND MIND YOU, THEY SHOULD.

Getting it to work is like pulling teeth.

DoD and letter agencies don't develop software to make themselves look pretty. They do it to solve a problem. So maybe people should USE it if they open source something.....
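
The triage followed in this thread (check the target file's label before building a local module with audit2allow), as an added Python example that is not part of the original report or of selinux-policy. The function names and the EXPECTED_TYPES table are assumptions for illustration; the AVC record is the one from the report and the expected type for .Xauthority is the one restorecon sets in comment 2.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
AVC = ('type=AVC msg=audit(1441761891.214:544): avc:  denied  { write } for  '
       'pid=1587 comm="sddm-helper" name=".Xauthority" dev="dm-3" ino=4456483 '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

# Assumption: expected type per file name. The .Xauthority entry is the type
# that restorecon resets the file to in comment 2; extend for other files.
EXPECTED_TYPES = {".Xauthority": "xauth_home_t"}

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if it is not one."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs; values are either quoted strings or bare tokens.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        rec[key] = value.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    # A context is user:role:type:level; the level itself may contain colons.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Classify a denial as a mislabeled target or a possible policy gap."""
    expected = EXPECTED_TYPES.get(rec.get("name"))
    if expected and rec["ttype"] != expected:
        return ("relabel",
                f"{rec['name']} is {rec['ttype']}, expected {expected}: "
                "run restorecon before generating a local module")
    return ("policy",
            f"{rec['stype']} -> {rec['ttype']} ({rec.get('tclass')}): "
            "label is as expected, review the policy instead")

if __name__ == "__main__":
    print(triage(parse_avc(AVC)))
```
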

