This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1267207 - GDM Fails to start when selinux is enforcing
GDM Fails to start when selinux is enforcing
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
: 1265913 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-29 06:46 EDT by Richard Bradfield
Modified: 2015-10-05 02:32 EDT (History)
11 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-150.fc24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-02 09:57:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Journal log after systemctl restart gdm (386.20 KB, text/plain)
2015-09-29 06:46 EDT, Richard Bradfield
no flags Details
an audit.log (3.11 MB, text/plain)
2015-10-01 21:35 EDT, York Possemiers
no flags Details
/var/log/audit/audit.log (4.57 MB, text/plain)
2015-10-01 21:41 EDT, Andre Robatino
no flags Details

  None (edit)
Description Richard Bradfield 2015-09-29 06:46:23 EDT
Created attachment 1078284 [details]
Journal log after systemctl restart gdm

Description of problem:
I installed a clean F23 beta machine, then used dnf system upgrade to
try and move up to Rawhide. 

When I rebooted the system, I got the 'Oh no! Something has gone wrong'
screen, which repeats if I try and relaunch GDM. 

Setting 'setenforce 0', or setting selinux to permissive in the config
allows everything to work normally. 

I have tried relabelling the filesystem. 

Version-Release number of selected component (if applicable):

Rawhide as of 2015-09-28, precise version numbers to follow if required.

How reproducible:

Always

Steps to Reproduce:

Install F23 Beta from ISO. Perform dnf system-upgrade to Rawhide and reboot.

Actual results:

GDM Fails to start with an "Oops, something went wrong." screen.

Expected results:

GDM to start normally.

Additional Info:

Setting setenforce 0 from a tty allows GDM to start. Attached is a journal with all AVCs shown (I disabled dontaudit with semodule -DB).
Comment 1 Lukas Vrabec 2015-09-30 09:17:41 EDT
Hi, 
Could you attach also /var/log/audit/audit.log file? 

Thank you.
Comment 2 Miroslav Grepl 2015-10-01 04:13:22 EDT
It relates with security classes changes. We should have a fix in libselinux and we should require a new libselinux in the policy.

Richard,
could you try to execute

# dnf update libselinux

to see if it fixes your issue.

Thank you.
Comment 3 Miroslav Grepl 2015-10-01 04:13:31 EDT
*** Bug 1265913 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2015-10-01 04:24:02 EDT
And also run

# systemctl daemon-reexec
Comment 5 Vít Ondruch 2015-10-01 06:51:13 EDT
I can't see any difference with latest libselinux.

$ rpm -q libselinux
libselinux-2.4-4.fc24.x86_64
Comment 6 Andre Robatino 2015-10-01 18:36:06 EDT
No difference for me either.
Comment 7 York Possemiers 2015-10-01 20:53:41 EDT
I might add that the title is misleading, this occurred for me during a routine update of a rawhide install from a rawhide boot.iso. Both of my two active installs have this issue.
libselinux-2.4-4 and daemon-reexec have had no effect.
Comment 8 Andre Robatino 2015-10-01 20:57:59 EDT
Yes, I installed originally from one of the early F23 pre-Alpha images, so this is unlikely to depend on how the installation happened. Changing title.
Comment 9 Andre Robatino 2015-10-01 20:59:23 EDT
Also removing needinfo since it's pretty clear the problem is not fixed.
Comment 10 York Possemiers 2015-10-01 21:35 EDT
Created attachment 1079323 [details]
an audit.log

Well, an audit.log was asked for in the needinfo. Given that the original reporter has said nothing more, I will provide my own.
Comment 11 Andre Robatino 2015-10-01 21:41 EDT
Created attachment 1079324 [details]
/var/log/audit/audit.log

Just noticed that one of the two needinfos I just cancelled was associated with Comment 1 (request for /var/log/audit/audit.log ). Attaching mine.
Comment 12 Miroslav Grepl 2015-10-02 07:24:17 EDT
Ok I added additiona fixes to rawhide.

https://github.com/fedora-selinux/selinux-policy/commit/5aad18c3bcf173f58ab515321f2e6b6ae5570bb0

which fixes this issue for me.
Comment 13 Vít Ondruch 2015-10-04 15:58:16 EDT
$ rpm -q selinux-policy
selinux-policy-3.13.1-151.fc24.noarch

The above version works for me.
Comment 14 Miroslav Grepl 2015-10-05 02:32:00 EDT
Thank you for testing.

Note You need to log in before you can comment on or make changes to this bug.