Description of problem:
selinux prevents login in gnome-wayland

Version-Release number of selected component (if applicable):
Name        : selinux-policy-targeted
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 155.fc23
Size        : 11 M
Repo        : @System
From repo   : updates
Summary     : SELinux targeted base policy
URL         : http://github.com/TresysTechnology/refpolicy/wiki
License     : GPLv2+
Description : SELinux Reference policy targeted base module.

How reproducible:
I am running sddm rather than gdm
Name        : sddm
Arch        : i686
Epoch       : 0
Version     : 0.13.0
Release     : 4.fc23
Size        : 329 k
Repo        : updates
Summary     : QML based X11 desktop manager
URL         : https://github.com/sddm/sddm
License     : GPLv2+ and CC-BY-SA
Description : SDDM is a modern display manager for X11 aiming to be fast, simple
            : and beautiful. It uses modern technologies like QtQuick, which in
            : turn gives the designer the ability to create smooth, animated
            : user interfaces.

Steps to Reproduce:
1. At the login screen select gnome-wayland
2. enter password -> log in
3.

Actual results:
brief flash -> returns to log in screen
I CAN log in normally into standard gnome on X

Expected results:
Login to gnome-wayland

Additional info:
Avc denials
time->Thu Dec 3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1169): avc: denied { write } for pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Thu Dec 3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1170): avc: denied { entrypoint } for pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
----
time->Thu Dec 3 07:34:59 2015
type=AVC msg=audit(1449153299.006:1171): avc: denied { accept } for pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

fixed with mywayland.te

module mywayland 1.0;

require {
	type xdm_t;
	type etc_t;
	type user_home_t;
	type staff_t;
	class unix_stream_socket accept;
	class file { entrypoint write };
}

#============= staff_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow staff_t etc_t:file entrypoint;
allow staff_t xdm_t:unix_stream_socket accept;

#============= xdm_t ==============
allow xdm_t user_home_t:file write;

NOTE: although my current user is confined, unconfined users were affected as well.
Could you please try to execute

# chcon -t bin_t /etc/sddm/wayland-session
That resolved the issue
- removed mywayland.pp
- chcon -t bin_t /etc/sddm/wayland-session
logged out and back into gnome-wayland

Thank you
We need to label all binary files in /etc/sddm/ as we have in /etc/lxdm/
commit 003e5150db347342a73b2d9cb9b5966a311a1400
Author: Lukas Vrabec <lvrabec>
Date:   Thu Dec 10 13:22:11 2015 +0100

    Label sddm binaries stored in /etc/sddm/ as bin_t. BZ(1288111)
Correct. Thanks.
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
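
Added example (not part of the bug report or of selinux-policy): a Python script that parses the three AVC records quoted in the report, renders each in the allow-rule form used in mywayland.te, and flags the entrypoint denial as a labeling problem, which is how the thread resolved it. The function names and the triage heuristic are assumptions made for illustration.

```python
import re

# The three AVC records quoted in the report, with the ausearch "time->" lines dropped.
SAMPLE_AVC = """\
type=AVC msg=audit(1449153298.975:1169): avc: denied { write } for pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1449153298.975:1170): avc: denied { entrypoint } for pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1449153299.006:1171): avc: denied { accept } for pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; only the level may contain further colons.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def to_rule(rec):
    """Render the denial in the allow-rule form used in mywayland.te."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perms};"


def triage(rec):
    """Assumed heuristic: a file entrypoint denial points at the file's label, not at a missing rule."""
    if rec["tclass"] == "file" and "entrypoint" in rec["perms"]:
        target = rec.get("path") or rec.get("name", "?")
        return f"relabel {target} (currently {rec['target_type']}) instead of: {to_rule(rec)}"
    return f"review before allowing: {to_rule(rec)}"


def report(text=SAMPLE_AVC):
    """Triage every AVC denial found in the given audit text."""
    return [triage(rec) for rec in map(parse_avc, text.splitlines()) if rec]


if __name__ == "__main__":
    print("\n".join(report()))
```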