Bug 1268994 - Gnome not starting when noexec set on /tmp
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnome-shell
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Florian Müllner
QA Contact: Desktop QE
Docs Contact:
Depends On:
Blocks:
 
Reported: 2015-10-05 16:51 EDT by Joe Wright
Modified: 2016-11-17 15:15 EST
CC List: 3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-17 15:15:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Joe Wright 2015-10-05 16:51:13 EDT
Description of problem:
- when 'noexec' is passed to the mount point of /tmp and selinux is in enforcing mode, you cannot start the GUI. Setting permissive or removing 'noexec' fixes it
- This issue was previously identified in BZ 1153799 (Fixed by ERRATA) yet persists on this system with patches applied.
- Unable to reproduce in house

Version-Release number of selected component (if applicable):


How reproducible:
- 100% by customer, not at all by us

Steps to Reproduce:
1. apply 'noexec' to /tmp mount point

Actual results:
gnome-session will not start

Expected results:
- gnome-session runs

Additional info:


[root@it011093-r7d klong]# sesearch -s xdm_t -t user_tmpfs_t -c file -p execute -A -C
Found 1 semantic av rules:
   allow xdm_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ; 

[root@it011093-r7d klong]# sesearch -s xdm_t -t user_tmp_t -c file -p execute -A -C
Found 1 semantic av rules:
   allow xdm_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename execute execute_no_trans open } ;

As for all those commands, that isn't what I do.  This is a box that I'm CIS hardening and it has the following in its fstab file:

#
# /etc/fstab
# Created by anaconda on Wed Jun 10 22:33:46 2015
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=25083f86-d9c2-4546-9f47-960e1c253374 /                       xfs     defaults        0 0
UUID=2c59c3ac-bc4f-44e7-834a-2ddfb6211822 /boot                   xfs     defaults        0 0
#UUID=52783b05-0509-4645-a07b-edaf6783ce7b /home                   xfs     defaults        0 0
/dev/vg_it003/home      /home   ext4    nodev,defaults  0 0
UUID=3688df7c-e95c-485b-a0c9-aa5b7ec572b4 swap                    swap    defaults        0 0
/dev/mapper/vg_main-var                 /var            xfs     defaults        1 2
/dev/mapper/vg_main-var_log             /var/log        xfs     defaults,nodev  1 2
/dev/mapper/vg_main-var_log_audit       /var/log/audit  xfs     defaults,nodev  1 2
#
#tmpfs   /tmp            tmpfs   nodev,nosuid,noexec,defaults    0 0
tmpfs   /tmp            tmpfs   nodev,nosuid,defaults   0 0
/tmp    /var/tmp        none    bind    0 0
tmpfs   /dev/shm        tmpfs   nodev,nosuid,noexec,defaults    0 0

The "/tmp" line that is commented out is the one that breaks - the one below it is what I have to use for the GUI to work when I boot up.
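As an added illustration, not part of the bug report and not Red Hat or GNOME tooling, the POSIX shell script below audits the thing this report turns on: the mount flags carried by /tmp. It reads the options field for a mountpoint out of fstab text (SAMPLE_FSTAB is a constructed excerpt modelled on the working and commented-out lines above), lists which of the CIS-recommended nodev/nosuid/noexec flags are absent, reads the live options from /proc/self/mounts, and then probes whether a file written under /tmp can actually be executed, which is the operation that fails with "Permission denied" on a noexec mount. All function names are my own.

```shell
#!/bin/sh
# Added example: audit /tmp mount hardening as declared in fstab and as live.

# Constructed fstab excerpt modelled on the report (not the customer's real file).
SAMPLE_FSTAB='
# comment line
tmpfs   /tmp       tmpfs   nodev,nosuid,defaults          0 0
/tmp    /var/tmp   none    bind                           0 0
tmpfs   /dev/shm   tmpfs   nodev,nosuid,noexec,defaults   0 0
'

# fstab_opts MOUNTPOINT [FSTAB_TEXT]: print the options field (4th column) for
# MOUNTPOINT; falls back to /etc/fstab when no text is given. Returns 1 if absent.
fstab_opts() {
    mp=$1
    if [ -n "$2" ]; then text=$2; else text=$(cat /etc/fstab); fi
    printf '%s\n' "$text" | awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# has_opt OPTS NAME: succeed if the comma-separated OPTS contains NAME exactly
# (so "noexec" does not match "nodev" or a substring of another flag).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_hardening_opts OPTS: print each CIS flag absent from OPTS, one per line.
missing_hardening_opts() {
    for want in nodev nosuid noexec; do
        has_opt "$1" "$want" || echo "$want"
    done
}

# live_opts MOUNTPOINT: options of what is currently mounted there. The last
# matching /proc/self/mounts entry wins, as it does for stacked mounts.
live_opts() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o == "") exit 1; print o }' \
        /proc/self/mounts
}

# probe_exec DIR: drop a tiny script into DIR and try to execute it directly.
# On a noexec mount execve() fails with EACCES even for root, independent of
# SELinux mode. Returns 0 if it ran, 1 if execution was refused, 2 if no file
# could be created.
probe_exec() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 0700 "$f"
    if "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

main() {
    opts=$(fstab_opts /tmp "$SAMPLE_FSTAB") || opts=""
    echo "fstab /tmp options: ${opts:-<none>}"
    missing=$(missing_hardening_opts "$opts")
    if [ -n "$missing" ]; then
        echo "missing from fstab: $(printf '%s ' $missing)"
    fi
    if live=$(live_opts /tmp); then
        echo "live /tmp options: $live"
    else
        echo "live /tmp: not a separate mount"
    fi
    probe_exec /tmp; rc=$?
    case $rc in
        0) echo "/tmp: execute allowed" ;;
        1) echo "/tmp: execute refused (noexec?)" ;;
        *) echo "/tmp: could not create probe file" ;;
    esac
}

main "$@"
```

Run it as the user whose session fails, not only as root: the noexec refusal is the same for both, but a probe that succeeds while gnome-session still dies under enforcing points away from the mount flags and toward the AVC records (`ausearch -m avc -ts recent`), since the sesearch output above already shows xdm_t holding execute on user_tmp_t.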
Comment 1 Tomas Pelka 2015-10-06 04:42:20 EDT
Joe, is this ARM-specific, as there is a RHELSA flag?

Does the customer have access to 7.2? If yes can they try with 7.2?

Thanks
-Tom
