Bug 1288111 - selinux prevents login in gnome-wayland
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Priority: high
Severity: medium
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Reported: 2015-12-03 09:47 EST by bodhi.zazen
Modified: 2016-02-07 00:24 EST
Fixed In Version: selinux-policy-3.13.1-164.fc24
Doc Type: Bug Fix
Last Closed: 2016-02-07 00:24:23 EST
Type: Bug
Attachments: None

Description bodhi.zazen 2015-12-03 09:47:34 EST
Description of problem: selinux prevents login in gnome-wayland
Version-Release number of selected component (if applicable):

Name        : selinux-policy-targeted
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 155.fc23
Size        : 11 M
Repo        : @System
From repo   : updates
Summary     : SELinux targeted base policy
URL         : http://github.com/TresysTechnology/refpolicy/wiki
License     : GPLv2+
Description : SELinux Reference policy targeted base module.
How reproducible: I am running sddm rather than gdm

Name        : sddm
Arch        : i686
Epoch       : 0
Version     : 0.13.0
Release     : 4.fc23
Size        : 329 k
Repo        : updates
Summary     : QML based X11 desktop manager
URL         : https://github.com/sddm/sddm
License     : GPLv2+ and CC-BY-SA
Description : SDDM is a modern display manager for X11 aiming to be fast, simple
            : and beautiful. It uses modern technologies like QtQuick, which in
            : turn gives the designer the ability to create smooth, animated
            : user interfaces.
Steps to Reproduce:
1. At the login screen select gnome-wayland
2. enter password -> log in

Actual results: brief flash -> returns to log in screen

I CAN log in normally into standard gnome on X

Expected results:

Login to gnome-wayland
Additional info:

Avc denials

time->Thu Dec  3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1169): avc:  denied  { write } for  pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Thu Dec  3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1170): avc:  denied  { entrypoint } for  pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
----
time->Thu Dec  3 07:34:59 2015
type=AVC msg=audit(1449153299.006:1171): avc:  denied  { accept } for  pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
fixed with

mywayland.te

module mywayland 1.0;

require {
	type xdm_t;
	type etc_t;
	type user_home_t;
	type staff_t;
	class unix_stream_socket accept;
	class file { entrypoint write };
}

#============= staff_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow staff_t etc_t:file entrypoint;
allow staff_t xdm_t:unix_stream_socket accept;

#============= xdm_t ==============
allow xdm_t user_home_t:file write;

NOTE: although my current user is confined, unconfined users were affected as well.
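As an added example (not part of the bug report or of the Fedora policy tooling), a small parser for the AVC records above: it pulls the source and target types and the denied permission out of each record and maps the entrypoint-on-etc_t denial to the labelling fix the maintainers chose, rather than the broad allow rules in mywayland.te. The triage heuristics are this example's own assumptions.

```python
import re

# Constructed sample input: the three audit.log AVC records quoted in this bug report.
AVC_LINES = """\
type=AVC msg=audit(1449153298.975:1169): avc:  denied  { write } for  pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1449153298.975:1170): avc:  denied  { entrypoint } for  pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1449153299.006:1171): avc:  denied  { accept } for  pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

# Record shape: 'avc:  denied  { perm ... } for  key=value key="quoted value" ...'
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['permissive'] = rec.get('permissive') == '1'   # '1': the denial was only logged
    # Contexts are user:role:type[:range]; policy rules are written against the type.
    for key in ('scontext', 'tcontext'):
        rec[key + '_type'] = rec[key].split(':')[2]
    return rec


def parse_all(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def triage(rec):
    """Heuristic remediation hint (an assumption of this example, not policy tooling output)."""
    src, tgt, perms = rec['scontext_type'], rec['tcontext_type'], rec['perms']
    if rec['tclass'] == 'file' and 'entrypoint' in perms and tgt == 'etc_t':
        # A session script labelled etc_t cannot be a domain entrypoint. Relabel that one file
        # (bin_t) instead of 'allow staff_t etc_t:file entrypoint', which covers every etc_t file.
        return 'relabel %s as bin_t; do not allow entrypoint on etc_t' % rec.get('path', '<unknown path>')
    if src == 'xdm_t' and tgt == 'user_home_t' and 'write' in perms:
        return 'display manager writing into a user home file; check the file before adding an allow rule'
    return 'no rule of thumb; inspect with audit2allow -w'


if __name__ == '__main__':
    for rec in parse_all(AVC_LINES):
        print(rec['comm'], rec['scontext_type'], '->', rec['tcontext_type'], rec['tclass'], rec['perms'])
        print('   ', triage(rec))
```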
Comment 1 Miroslav Grepl 2015-12-07 15:51:35 EST
Could you please try to execute

# chcon -t bin_t /etc/sddm/wayland-session
Comment 2 bodhi.zazen 2015-12-07 16:22:33 EST
That resolved the issue

- removed mywayland.pp
- chcon -t bin_t /etc/sddm/wayland-session

logged out and back into gnome-wayland

Thank you
Comment 3 Lukas Vrabec 2015-12-10 07:18:41 EST
We need to label all binary files in /etc/sddm/ as we have in /etc/lxdm/
Comment 4 Lukas Vrabec 2015-12-10 07:49:08 EST
commit 003e5150db347342a73b2d9cb9b5966a311a1400
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Dec 10 13:22:11 2015 +0100

    Label sddm binaries stored in /etc/sddm/ as bin_t. BZ(1288111)
Comment 5 Miroslav Grepl 2015-12-11 08:07:38 EST
Correct. Thanks.
Comment 6 Fedora Update System 2016-02-03 07:02:28 EST
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 7 Fedora Update System 2016-02-03 18:00:22 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
Comment 8 Fedora Update System 2016-02-07 00:23:53 EST
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.