1267207 – GDM Fails to start when selinux is enforcing

Bug 1267207 - GDM Fails to start when selinux is enforcing

Summary: GDM Fails to start when selinux is enforcing

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1265913 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-29 10:46 UTC by Richard Bradfield
Modified:	2015-10-05 06:32 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-3.13.1-150.fc24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-10-02 13:57:36 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Journal log after systemctl restart gdm (386.20 KB, text/plain) 2015-09-29 10:46 UTC, Richard Bradfield	no flags	Details
an audit.log (3.11 MB, text/plain) 2015-10-02 01:35 UTC, York Possemiers	no flags	Details
/var/log/audit/audit.log (4.57 MB, text/plain) 2015-10-02 01:41 UTC, Andre Robatino	no flags	Details
View All

Description Richard Bradfield 2015-09-29 10:46:23 UTC

Created attachment 1078284 [details]
Journal log after systemctl restart gdm

Description of problem:
I installed a clean F23 beta machine, then used dnf system upgrade to
try and move up to Rawhide. 

When I rebooted the system, I got the 'Oh no! Something has gone wrong'
screen, which repeats if I try and relaunch GDM. 

Setting 'setenforce 0', or setting selinux to permissive in the config
allows everything to work normally. 

I have tried relabelling the filesystem. 

Version-Release number of selected component (if applicable):

Rawhide as of 2015-09-28, precise version numbers to follow if required.

How reproducible:

Always

Steps to Reproduce:

Install F23 Beta from ISO. Perform dnf system-upgrade to Rawhide and reboot.

Actual results:

GDM Fails to start with an "Oops, something went wrong." screen.

Expected results:

GDM to start normally.

Additional Info:

Setting setenforce 0 from a tty allows GDM to start. Attached is a journal with all AVCs shown (I disabled dontaudit with semodule -DB).

Comment 1 Lukas Vrabec 2015-09-30 13:17:41 UTC

Hi, 
Could you attach also /var/log/audit/audit.log file? 

Thank you.

Comment 2 Miroslav Grepl 2015-10-01 08:13:22 UTC

It relates with security classes changes. We should have a fix in libselinux and we should require a new libselinux in the policy.

Richard,
could you try to execute

# dnf update libselinux

to see if it fixes your issue.

Thank you.

Comment 3 Miroslav Grepl 2015-10-01 08:13:31 UTC

*** Bug 1265913 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2015-10-01 08:24:02 UTC

And also run

# systemctl daemon-reexec

Comment 5 Vít Ondruch 2015-10-01 10:51:13 UTC

I can't see any difference with latest libselinux.

$ rpm -q libselinux
libselinux-2.4-4.fc24.x86_64

Comment 6 Andre Robatino 2015-10-01 22:36:06 UTC

No difference for me either.

Comment 7 York Possemiers 2015-10-02 00:53:41 UTC

I might add that the title is misleading, this occurred for me during a routine update of a rawhide install from a rawhide boot.iso. Both of my two active installs have this issue.
libselinux-2.4-4 and daemon-reexec have had no effect.

Comment 8 Andre Robatino 2015-10-02 00:57:59 UTC

Yes, I installed originally from one of the early F23 pre-Alpha images, so this is unlikely to depend on how the installation happened. Changing title.

Comment 9 Andre Robatino 2015-10-02 00:59:23 UTC

Also removing needinfo since it's pretty clear the problem is not fixed.

Comment 10 York Possemiers 2015-10-02 01:35:38 UTC

Created attachment 1079323 [details]
an audit.log

Well, an audit.log was asked for in the needinfo. Given that the original reporter has said nothing more, I will provide my own.

Comment 11 Andre Robatino 2015-10-02 01:41:32 UTC

Created attachment 1079324 [details]
/var/log/audit/audit.log

Just noticed that one of the two needinfos I just cancelled was associated with Comment 1 (request for /var/log/audit/audit.log ). Attaching mine.

Comment 12 Miroslav Grepl 2015-10-02 11:24:17 UTC

Ok I added additiona fixes to rawhide.

https://github.com/fedora-selinux/selinux-policy/commit/5aad18c3bcf173f58ab515321f2e6b6ae5570bb0

which fixes this issue for me.

Comment 13 Vít Ondruch 2015-10-04 19:58:16 UTC

$ rpm -q selinux-policy
selinux-policy-3.13.1-151.fc24.noarch

The above version works for me.

Comment 14 Miroslav Grepl 2015-10-05 06:32:00 UTC

Thank you for testing.

Note You need to log in before you can comment on or make changes to this bug.