Hide Forgot
Description of problem: SELinux is preventing lightdm from 'create' accesses on the file .xsession-errors. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that lightdm should be allowed create access on the .xsession-errors file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lightdm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:user_home_t:s0 Target Objects .xsession-errors [ file ] Source lightdm Source Path lightdm Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-179.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.5.0-0.rc7.git0.2.fc24.x86_64 #1 SMP Tue Mar 8 02:20:08 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-04-02 22:59:20 CEST Last Seen 2016-04-02 22:59:20 CEST Local ID 213e7ebf-c10d-4a93-8f80-35206adf7d1b Raw Audit Messages type=AVC msg=audit(1459630760.390:285): avc: denied { create } for pid=1204 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 Hash: lightdm,xdm_t,user_home_t,file,create Version-Release number of selected component: selinux-policy-3.13.1-179.fc24.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.5.0-0.rc7.git0.2.fc24.x86_64 type: libreport Potential duplicate: bug 922958
Hi, Do you know where is ".xsession-errors" stored in your case? Could you attahc output of: $ ls -Z /home Thank you.
$ ls -Z /home system_u:object_r:home_root_t:s0 users $ ls -Z /home/users unconfined_u:object_r:user_home_t:s0 palos $ ls -Z /home/users/palos/.xsession-errors system_u:object_r:user_home_t:s0 /home/users/palos/.xsession-errors At the installation phase I entered /home/users as the place to create users home (I can't remember exact name of the option).
# semanage fcontext -a -e /home/users /home # restorecon -R -v /home/users Should fix your problem.
Thank you. After running the commands, removing .xsession-errors and rebooting the denial reappears - but this time it is the write access that is needed. Raw Audit Messages type=AVC msg=audit(1460406125.677:278): avc: denied { write } for pid=1062 comm="lightdm" path="/home/users/palos/.xsession-errors" dev="vda2" ino=1572893 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 Hash: lightdm,xdm_t,user_home_t,file,write
ls -lZd /home/users/palos
$ ls -lZd /home/users/palos drwx------. 19 palos palos unconfined_u:object_r:user_home_t:s0 4096 apr 12 22:34 /home/users/palos I noticed there are 2 denials: first is "rename" and the next is "write" - both about .xsession-errors file.
Hi, Could you run: # semanage fcontext -a -e /home /home/users # restorecon -Rv /home/ (You need to change order of argument from comment3) And then try to reproduce the issue. Thank you.
$ sudo semanage fcontext -a -e /home /home/users ValueError: File spec /home/users conflicts with equivalency rule '/home /home/users'; Try adding '/home/users/users' instead So I tried to delete the wrong rule and add the correct one: $ sudo semanage fcontext -d -e /home/users /home $ sudo semanage fcontext -a -e /home /home/users restorecon printed a lot of lines... but the denial message is gone. Thank you. I suggest to add the 'semanage fcontext -a -e /home <new_home>' command to the installer, if the user chooses another location for home dir...
Could this be done in useradd? shadow-utils has more knowledge about selinux contexts and such, and is the one configuring the directory.
I do not think this is work for useradd. Useradd needs to work in established environment and that is an environment where the root directory of the home directories have already a correct context. Silently manipulating context of the home dir parent is not something I'd like to see in useradd.
This is not default configuration and also agree with Tomas. Closing as NOTABUG