Bug 1299402 - SELinux is preventing gdm-x-session & gnome-shell from working when Nvidia is installed
SELinux is preventing gdm-x-session & gnome-shell from working when Nvidia is...
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: gnome-shell (Show other bugs)
24
x86_64 Unspecified
medium Severity medium
: ---
: ---
Assigned To: Owen Taylor
Fedora Extras Quality Assurance
abrt_hash:627034e1022f26a29b610bf716b...
:
: 1299403 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-18 04:52 EST by Moez Roy
Modified: 2017-08-08 08:40 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-08 08:40:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Moez Roy 2016-01-18 04:52:01 EST
Description of problem:
Happens with latest Nvidia beta. Had to switch to permissive mode to get gdm to start.
SELinux is preventing gdm-x-session from 'execmod' accesses on the file /usr/lib64/libGLdispatch.so.0.

*****  Plugin allow_execmod (91.4 confidence) suggests   *********************

If you want to allow gdm-x-session to have execmod access on the libGLdispatch.so.0 file
Then you need to change the label on '/usr/lib64/libGLdispatch.so.0'
Do
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0'
# restorecon -v '/usr/lib64/libGLdispatch.so.0'

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that gdm-x-session should be allowed execmod access on the libGLdispatch.so.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-x-session /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib64/libGLdispatch.so.0 [ file ]
Source                        gdm-x-session
Source Path                   gdm-x-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.3.3-300.fc23.x86_64 #1 SMP Tue
                              Jan 5 23:31:01 UTC 2016 x86_64 x86_64
Alert Count                   507
First Seen                    2016-01-18 01:42:47 PST
Last Seen                     2016-01-18 01:44:09 PST
Local ID                      2bc267b9-487a-4ccf-b1e6-0857a75c4a23

Raw Audit Messages
type=AVC msg=audit(1453110249.329:12436): avc:  denied  { execmod } for  pid=23928 comm="gdm-x-session" path="/usr/lib64/libGLdispatch.so.0" dev="dm-1" ino=391029 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1


Hash: gdm-x-session,xdm_t,lib_t,file,execmod

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-300.fc23.x86_64
type:           libreport
Comment 1 Lukas Vrabec 2016-01-20 04:32:51 EST
Hi,
Could you try this? 
*****  Plugin allow_execmod (91.4 confidence) suggests   *********************

If you want to allow gdm-x-session to have execmod access on the libGLdispatch.so.0 file
Then you need to change the label on '/usr/lib64/libGLdispatch.so.0'
Do
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0'
# restorecon -v '/usr/lib64/libGLdispatch.so.0'
Comment 2 Moez Roy 2016-01-21 12:35:47 EST
(In reply to Lukas Vrabec from comment #1)
> Hi,
> Could you try this? 
> *****  Plugin allow_execmod (91.4 confidence) suggests  
> *********************
> 
> If you want to allow gdm-x-session to have execmod access on the
> libGLdispatch.so.0 file
> Then you need to change the label on '/usr/lib64/libGLdispatch.so.0'
> Do
> # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libGLdispatch.so.0'
> # restorecon -v '/usr/lib64/libGLdispatch.so.0'

Yes I tried that but it was saying something like Type Error or Value error was same as /usr/lib and /usr/lib64.

I went ahead and installed this rule:

require {
	type xdm_t;
	type lib_t;
	class file execmod;
}

#============= xdm_t ==============
allow xdm_t lib_t:file execmod;
Comment 3 Moez Roy 2016-01-21 12:41:52 EST
I also had to create more rules in addition to the above rule:

require {
	type xdm_t;
	type xdm_var_lib_t;
	type xserver_t;
	class file execute;
	class unix_dgram_socket sendto;
}

#============= xdm_t ==============
allow xdm_t xdm_var_lib_t:file execute;
allow xdm_t xserver_t:unix_dgram_socket sendto;
Comment 4 Miroslav Grepl 2016-01-25 02:29:16 EST
(In reply to Moez Roy from comment #3)
> I also had to create more rules in addition to the above rule:
> 
> require {
> 	type xdm_t;
> 	type xdm_var_lib_t;
> 	type xserver_t;
> 	class file execute;
> 	class unix_dgram_socket sendto;
> }
> 
> #============= xdm_t ==============
> allow xdm_t xdm_var_lib_t:file execute;
> allow xdm_t xserver_t:unix_dgram_socket sendto;

Could you attach raw AVC msgs for these rules?

Thank you.
Comment 5 Moez Roy 2016-01-25 11:05:37 EST
*** Bug 1299403 has been marked as a duplicate of this bug. ***
Comment 6 Moez Roy 2016-01-25 11:13:36 EST
(In reply to Miroslav Grepl from comment #4)
> (In reply to Moez Roy from comment #3)
> > I also had to create more rules in addition to the above rule:
> > 
> > require {
> > 	type xdm_t;
> > 	type xdm_var_lib_t;
> > 	type xserver_t;
> > 	class file execute;
> > 	class unix_dgram_socket sendto;
> > }
> > 
> > #============= xdm_t ==============
> > allow xdm_t xdm_var_lib_t:file execute;
> > allow xdm_t xserver_t:unix_dgram_socket sendto;
> 
> Could you attach raw AVC msgs for these rules?
> 
> Thank you.

This is copied from the bug 1299403 which I now marked as duplicate of this:

Raw Audit Messages
type=AVC msg=audit(1453110250.939:12437): avc:  denied  { execute } for  pid=23990 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2E676C766E646E4C6E7A7778202864656C6574656429 dev="dm-1" ino=391240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1

Let me know if this info is enough? Or if you want me to delete my custom modules and re-create the AVC's? Thanks.
Comment 7 Miroslav Grepl 2016-01-29 08:22:47 EST
Any idea what is executed?

Could you run it using

ausearch -m avc -i
Comment 8 Moez Roy 2016-02-02 23:26:18 EST
(In reply to Miroslav Grepl from comment #7)
> Any idea what is executed?
> 
> Could you run it using
> 
> ausearch -m avc -i

----
type=AVC msg=audit(02/02/2016 09:40:31.973:3354) : avc:  denied  { execmod } for  pid=11219 comm=gdm-x-session path=/usr/lib64/libGLdispatch.so.0 dev="dm-1" ino=189851 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(02/02/2016 09:42:08.381:3420) : avc:  denied  { execute } for  pid=11421 comm=gnome-shell path=/var/lib/gdm/.glvnd7mSjOX (deleted) dev="dm-1" ino=95240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(02/02/2016 09:42:10.041:3434) : avc:  denied  { sendto } for  pid=11421 comm=gnome-shell path=nvidia6519e07b scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Comment 9 Moez Roy 2016-02-02 23:31:57 EST
You assigned this to gnome-shell component? Also any thoughts or comments regarding the above ausearch results? It looks like it is creating a tmp file in /var/lib/gdm/.randomName and trying to execute it.
Comment 10 Philip Guyton 2016-05-21 10:04:19 EDT
I have just received what looks like the same as in this issue:-
but more akin to the issue marked as a duplicate of this one, ie in bug 1299403
Pasting here as the "on the file" reference is the same as in that duplicate bug.

May 21 13:46:02 phil.lan setroubleshoot[1528]: SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F676
46D2F233231323934323430202864656C6574656429. For complete SELinux messages. run sealert -l 1ebf1679-31f9-4d20-9551-dc1aa8dd514a
May 21 13:46:02 phil.lan python3[1528]: SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F23
3231323934323430202864656C6574656429.
                                        
                                        *****  Plugin catchall (100. confidence) suggests   **************************
                                        
                                        If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F6764
6D2F233231323934323430202864656C6574656429 file by default.
                                        Then you should report this as a bug.
                                        You can generate a local policy module to allow this access.
                                        Do
                                        allow this access for now by executing:
                                        # ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
                                        # semodule -X 300 -i my-gnomeshell.pp

This was directly after a reboot with updates applied.


ausearch -m avc -i
in my case gave:

----
type=AVC msg=audit(21/05/16 13:43:20.320:406) : avc:  denied  { getattr } for  pid=925 comm=systemd-logind path=/dev/shm/lldpad.state dev="tmpfs" ino=206 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(21/05/16 13:45:58.252:304) : avc:  denied  { execute } for  pid=1507 comm=gnome-shell path=/var/lib/gdm/#21294240 (deleted) dev="dm-0" ino=21294240 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 

however there are previous instances of the second error involving xdm_var_lib_t:
----
type=AVC msg=audit(18/05/16 13:00:19.979:303) : avc:  denied  { execute } for  pid=1561 comm=gnome-shell path=/var/lib/gdm/#21265757 (deleted) dev="dm-0" ino=21265757 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0 

So only the error involving path=/dev/shm/lldpad.state is new.

I'm happy to provide any additional info if it is required and apologies if this post is not related. I'm initially going on the long reference in the log entry copied above.
Comment 11 Lukas Vrabec 2016-05-30 08:02:24 EDT
Issue with lldpad.state is solved by systemd. 

I believe we should allow xdm_t to execute xdm_var_lib_t files.
Comment 12 Robert Van Voorhees 2016-08-11 21:53:25 EDT
Hey guys, experiencing the same issue let me know if you need any additional information:

SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_lib_t:s0
Target Objects                2F7661722F6C69622F67646D2F233131383134363820286465
                              6C6574656429 [ file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          coercion
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.8.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     coercion
Platform                      Linux coercion 4.6.6-300.fc24.x86_64 #1 SMP Wed
                              Aug 10 21:07:35 UTC 2016 x86_64 x86_64
Alert Count                   24
First Seen                    2016-07-31 21:46:05 EDT
Last Seen                     2016-08-11 21:45:44 EDT
Local ID                      f869b660-1379-460c-90f7-3dfc9c2b6958

Raw Audit Messages
type=AVC msg=audit(1470966344.57:293): avc:  denied  { execute } for  pid=3032 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 dev="dm-0" ino=1181468 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1


Hash: gnome-shell,xdm_t,xdm_var_lib_t,file,execute
Comment 13 Knut J BJuland 2016-10-01 16:20:38 EDT
It work on my system.
Comment 14 Lukas Vrabec 2016-10-03 06:54:37 EDT
(In reply to Knut J BJuland from comment #13)
> It work on my system.

What does it mean? You no longer see AVC above?
Comment 15 Knut J BJuland 2016-10-03 10:24:53 EDT
I mean that I am able to load GDM with nvidia driver without any crash.
Comment 16 Knut J BJuland 2016-10-03 15:29:23 EDT
When I issue ausearch -c 'gnome-shell' --raw I do not get the AVC see above.
Comment 17 JM 2016-11-24 06:29:48 EST
I still get the message

"SELinux is preventing gnome-shell from execute access on the file 2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429"

with Fedora 24 and nvidia drivers. There is no crash just the SELinux message.
Comment 18 Fedora End Of Life 2016-11-24 10:01:38 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 19 Matt Hirsch 2016-11-27 02:04:43 EST
I'm also seeing this on Fedora 24 with the nvidia drivers. Please change version info for this bug to keep it alive.
Comment 20 Lukas Vrabec 2016-11-30 07:14:45 EST
folks, 
Do you know whats going on? gnome-shell trying to execute something labeled as xdm_var_lib_t:
type=AVC msg=audit(1470966344.57:293): avc:  denied  { execute } for  pid=3032 comm="gnome-shell" path=2F7661722F6C69622F67646D2F2331313831343638202864656C6574656429 dev="dm-0" ino=1181468 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=1
Comment 21 secondary 2016-12-04 12:21:59 EST
Also on F25.

Dec 04 02:57:15 audit[1090]: AVC avc:  denied  { execute } for  pid=1090 comm="gnome-shell" path=2F7661722F6C69622F67646D2F23353437373535202864656C6574656429 dev="sda3" ino=547755 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0

where "2F7661722F6C69622F67646D2F23353437373535202864656C6574656429" is hex-encoded "/var/lib/gdm/#547755 (deleted)"
Comment 22 Gary Tierney 2016-12-12 15:29:51 EST
Does gnome produce any logs related to the denied execute in /var/lib/gdm/%fname%?  Taking a cursory look at the gnome-shell source code, the only exec syscall I can find is here: https://github.com/GNOME/gnome-shell/blob/master/src/shell-global.c#L1340
Comment 23 Andy 2017-04-03 12:13:13 EDT
I'm getting the exact same error message like above (2F7661722F6C69622F67646D2F23353437373535202864656C6574656429), but I don't have an NVidia Card.

/var/lib/gdm/ is empty.
Comment 24 Matteo Paolini 2017-04-08 09:39:43 EDT
Also getting the same with a Geforce GT 630m 

SELinux is preventing gnome-shell from 'execute' accesses on the file 2F7661722F6C69622F67646D2F23313335323936202864656C6574656429.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed execute access on the 2F7661722F6C69622F67646D2F23313335323936202864656C6574656429 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_lib_t:s0
Target Objects                2F7661722F6C69622F67646D2F23313335323936202864656C
                              6574656429 [ file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.11-300.fc25.x86_64 #1 SMP Mon
                              Nov 28 18:24:51 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2017-04-08 14:33:12 CEST
Last Seen                     2017-04-08 14:39:22 CEST
Local ID                      7eb34b14-0d66-43c8-bd1e-984fe7e88a70

Raw Audit Messages
type=AVC msg=audit(1491655162.99:210): avc:  denied  { execute } for  pid=1334 comm="gnome-shell" path=2F7661722F6C69622F67646D2F23313335323936202864656C6574656429 dev="dm-0" ino=135296 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file permissive=0


Hash: gnome-shell,xdm_t,xdm_var_lib_t,file,execute
Comment 25 Fedora End Of Life 2017-07-25 15:47:51 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 26 Fedora End Of Life 2017-08-08 08:40:19 EDT
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.