Bug 1288111 - selinux prevents login in gnome-wayland
Summary: selinux prevents login in gnome-wayland
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-12-03 14:47 UTC by bodhi.zazen
Modified: 2016-02-07 05:24 UTC (History)

Fixed In Version: selinux-policy-3.13.1-164.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-07 05:24:23 UTC
Type: Bug
Embargoed:



Description bodhi.zazen 2015-12-03 14:47:34 UTC
Description of problem: selinux prevents login in gnome-wayland


Version-Release number of selected component (if applicable):

Name        : selinux-policy-targeted
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 155.fc23
Size        : 11 M
Repo        : @System
From repo   : updates
Summary     : SELinux targeted base policy
URL         : http://github.com/TresysTechnology/refpolicy/wiki
License     : GPLv2+
Description : SELinux Reference policy targeted base module.



How reproducible: I am running sddm rather than gdm

Name        : sddm
Arch        : i686
Epoch       : 0
Version     : 0.13.0
Release     : 4.fc23
Size        : 329 k
Repo        : updates
Summary     : QML based X11 desktop manager
URL         : https://github.com/sddm/sddm
License     : GPLv2+ and CC-BY-SA
Description : SDDM is a modern display manager for X11 aiming to be fast, simple
            : and beautiful. It uses modern technologies like QtQuick, which in
            : turn gives the designer the ability to create smooth, animated
            : user interfaces.



Steps to Reproduce:
1. At the login screen select gnome-wayland
2. enter password -> log in
3.

Actual results: brief flash -> returns to login screen

I CAN log in normally into standard gnome on X

Expected results:

Login to gnome-wayland


Additional info:

Avc denials

time->Thu Dec  3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1169): avc:  denied  { write } for  pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Thu Dec  3 07:34:58 2015
type=AVC msg=audit(1449153298.975:1170): avc:  denied  { entrypoint } for  pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
----
time->Thu Dec  3 07:34:59 2015
type=AVC msg=audit(1449153299.006:1171): avc:  denied  { accept } for  pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


fixed with

mywayland.te

module mywayland 1.0;

require {
	type xdm_t;
	type etc_t;
	type user_home_t;
	type staff_t;
	class unix_stream_socket accept;
	class file { entrypoint write };
}

#============= staff_t ==============

#!!!! WARNING: 'etc_t' is a base type.
allow staff_t etc_t:file entrypoint;
allow staff_t xdm_t:unix_stream_socket accept;

#============= xdm_t ==============
allow xdm_t user_home_t:file write;

NOTE: although my current user is confined, unconfined users were affected as well.

Comment 1 Miroslav Grepl 2015-12-07 20:51:35 UTC
Could you please try to execute

# chcon -t bin_t /etc/sddm/wayland-session

Comment 2 bodhi.zazen 2015-12-07 21:22:33 UTC
That resolved the issue

- removed mywayland.pp
- chcon -t bin_t /etc/sddm/wayland-session

logged out and back into gnome-wayland

Thank you

Comment 3 Lukas Vrabec 2015-12-10 12:18:41 UTC
We need to label all binary files in /etc/sddm/ as we have in /etc/lxdm/

Comment 4 Lukas Vrabec 2015-12-10 12:49:08 UTC
commit 003e5150db347342a73b2d9cb9b5966a311a1400
Author: Lukas Vrabec <lvrabec>
Date:   Thu Dec 10 13:22:11 2015 +0100

    Label sddm binaries stored in /etc/sddm/ as bin_t. BZ(1288111)

Comment 5 Miroslav Grepl 2015-12-11 13:07:38 UTC
Correct. Thanks.
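
The following is an added example, not the reporter's module and not the Fedora policy commit. It shows the triage step a policy maintainer applies to the three denials in the description: an "entrypoint" denial on a file that carries a generic content label (etc_t, which audit2allow itself flags as a base type in the reporter's module) means the file is mislabeled and should become bin_t, so user domains can transition through it, whereas an allow rule such as "allow staff_t etc_t:file entrypoint" would make every etc_t file under /etc a valid entrypoint for staff_t. The sample AVC lines are copied from the report; the list of generic types and the output format are assumptions. The semanage/restorecon/matchpathcon commands are emitted as text only, since running them needs root on an SELinux host.

```sh
#!/bin/sh
# Added triage example for bug 1288111; not the reporter's mywayland.te and
# not the selinux-policy commit. For an 'entrypoint' denial on a file with a
# generic label it proposes relabeling to bin_t instead of an audit2allow-style
# allow rule. Fix commands are printed, never executed.

# Constructed sample input: the three denials from the report, one per line.
AVC_WRITE='type=AVC msg=audit(1449153298.975:1169): avc:  denied  { write } for  pid=9692 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=1'
AVC_ENTRY='type=AVC msg=audit(1449153298.975:1170): avc:  denied  { entrypoint } for  pid=9692 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="sda6" ino=1862922 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'
AVC_ACCEPT='type=AVC msg=audit(1449153299.006:1171): avc:  denied  { accept } for  pid=9691 comm="kwalletd" path="/tmp/kwallet_bodhi.socket" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1'

# Generic content types that no domain should use as an entrypoint; an
# executable labeled this way is mislabeled. Illustrative list (assumption).
GENERIC_FILE_TYPES=" etc_t usr_t user_home_t tmp_t var_t "

# avc_field LINE KEY -> value of KEY=... with quotes stripped, empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE -> the permission set between the braces, e.g. "entrypoint"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type[:range]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_generic_type TYPE -> true when TYPE is a generic content type
is_generic_type() {
    case "$GENERIC_FILE_TYPES" in *" $1 "*) return 0 ;; esac
    return 1
}

# has_perm PERMS NAME -> true when NAME is among the denied permissions
has_perm() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# classify LINE -> "relabel PATH bin_t" or "policy SDOMAIN TTYPE:TCLASS PERMS"
classify() {
    line=$1
    perms=$(avc_perms "$line")
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    sdom=$(ctx_type "$(avc_field "$line" scontext)")
    path=$(avc_field "$line" path)
    if [ "$tclass" = file ] && [ -n "$path" ] &&
       has_perm "$perms" entrypoint && is_generic_type "$ttype"; then
        printf 'relabel %s bin_t\n' "$path"
    else
        # Not a labeling problem: needs a policy decision, not a blind allow.
        printf 'policy %s %s:%s %s\n' "$sdom" "$ttype" "$tclass" "$perms"
    fi
}

# relabel_commands PATH TYPE -> the persistent fix as text. chcon (Comment 1)
# confirms the diagnosis but is undone by the next restorecon or relabel;
# semanage fcontext records the rule, restorecon applies it, matchpathcon
# shows what the loaded policy now expects for the path.
relabel_commands() {
    printf "semanage fcontext -a -t %s '%s'\n" "$2" "$1"
    printf "restorecon -v '%s'\n" "$1"
    printf "matchpathcon '%s'\n" "$1"
}

# triage -> classify every AVC record in the sample and print the proposed
# fix, indented, under each relabel verdict
triage() {
    printf '%s\n%s\n%s\n' "$AVC_WRITE" "$AVC_ENTRY" "$AVC_ACCEPT" |
    while IFS= read -r line; do
        case $line in *type=AVC*) ;; *) continue ;; esac
        verdict=$(classify "$line")
        printf '%s\n' "$verdict"
        case $verdict in
            relabel*)
                set -- $verdict
                relabel_commands "$2" "$3" | sed 's/^/    /' ;;
        esac
    done
}

triage
```

Run as "sh triage.sh" on any host; the entrypoint denial yields the relabel verdict with the three commands, the other two come back as "policy" and are left for review rather than turned into allow rules. Once selinux-policy-3.13.1-158.4.fc23 ships its own file context for /etc/sddm/, drop the local rule again (semanage fcontext -d '/etc/sddm/wayland-session') so local customizations do not mask what the packaged policy defines.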

Comment 6 Fedora Update System 2016-02-03 12:02:28 UTC
selinux-policy-3.13.1-158.4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 7 Fedora Update System 2016-02-03 23:00:22 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2aa7777f21

Comment 8 Fedora Update System 2016-02-07 05:23:53 UTC
selinux-policy-3.13.1-158.4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

