Bug 1559531 - SELinux preventing gdm from starting
Summary: SELinux preventing gdm from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F28BetaFreezeException
TreeView+ depends on / blocked
 
Reported: 2018-03-22 17:37 UTC by Jonathan Lebon
Modified: 2018-05-05 16:46 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-3.14.1-18.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-26 22:30:52 UTC
Type: Bug


Attachments (Terms of Use)

Description Jonathan Lebon 2018-03-22 17:37:42 UTC
Description of problem:

On Fedora Atomic Workstation, SELinux policy is preventing GNOME login from coming up in the latest F28 compose. Setting permissive mode fixes the issue.

Version-Release number of selected component (if applicable):

[root@localhost ~]# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://fedora-workstation:fedora/28/x86_64/workstation
                   Version: 28.20180321.n.0 (2018-03-21 12:44:50)
                    Commit: 0e70779f7f2795223f56175a0a214e18fbcba98431f2a9a87fcce7bd4a04d457
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.14.1-14.fc28.noarch
[root@localhost ~]# rpm -q gnome-session
gnome-session-3.28.0-1.fc28.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Install latest F28 AW ISO: https://kojipkgs.fedoraproject.org/compose/branched/latest-Fedora-28/compose/AtomicWorkstation/x86_64/iso/
2. Gaze 
3.

Actual results:

No login screen comes up.

[root@localhost ~]# journalctl -b -1 | grep -i 'avc'
Mar 22 12:29:22 localhost.localdomain audit[804]: AVC avc:  denied  { module_request } for  pid=804 comm="sh" kmod="netdev-" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Mar 22 12:29:26 localhost.localdomain systemd[1267]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1
Mar 22 12:29:26 localhost.localdomain systemd[1267]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { write } for  pid=1381 comm="gnome-session-b" name=".ICE-unix" dev="dm-0" ino=526225 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { add_name } for  pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { create } for  pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1395]: AVC avc:  denied  { write } for  pid=1395 comm="gnome-shell" name=".X11-unix" dev="dm-0" ino=526224 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1395]: AVC avc:  denied  { add_name } for  pid=1395 comm="gnome-shell" name="X1024" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:30:20 localhost.localdomain systemd[1267]: selinux: avc:  denied  { start } for auid=n/a uid=42 gid=42 path="/usr/lib/systemd/user/dbus.service" cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1

Expected results:

Login screen comes up.

Additional info:

Comment 1 Dusty Mabe 2018-03-23 01:33:00 UTC
do we know for sure this is only an issue on Atomic Workstation and doesn't affect normal Workstation?

If it's normal Workstation then it's a blocker. If only Atomic Workstation then probably not a blocker but worth an FE. I'll propose as FE for now.

Comment 2 Fedora Blocker Bugs Application 2018-03-23 01:33:09 UTC
Proposed as a Freeze Exception for 28-beta by Fedora user dustymabe using the blocker tracking app because:

 SELinux issue blocking gdm from starting on Atomic Workstation

Comment 3 Adam Williamson 2018-03-23 02:05:40 UTC
Yes, it's only Atomic Workstation.

openQA has been catching this for days - e.g. https://openqa.stg.fedoraproject.org/tests/262649 - but I haven't had time to file it; thanks for doing it, Jonathan.

+1 FE.

Comment 4 Adam Williamson 2018-03-23 02:07:06 UTC
I'm wondering if the issue here may in fact be that we don't have correct SELinux labels in the AW ostree, rather than a policy problem? The fact that regular Workstation works fine rather suggests this may be the case, to me.

Comment 5 Jonathan Lebon 2018-03-23 13:38:18 UTC
At least for the few denials that have target names I recognize, looks like default_t is indeed declared as the correct label:

[root@localhost ~]# matchpathcon /tmp/.ICE-unix
/tmp/.ICE-unix  system_u:object_r:default_t:s0
[root@localhost ~]# matchpathcon /tmp/.X11-unix
/tmp/.X11-unix  system_u:object_r:default_t:s0

Comment 6 Daniel Walsh 2018-03-23 13:56:19 UTC
default_t looks like a major labeling issue.  default_t is the label of any directories in / that the kernel does not know about.

We might have a new directory in atomic workstation that needs a label, or everything is screwed up.  I would figure these files should be labeled user_tmp_t.

ls -lZd /tmp

Comment 7 Jonathan Lebon 2018-03-23 16:16:56 UTC
Hmm, I wonder if this is due to /tmp being a symlink to /sysroot/tmp. Though I'm not sure how since it's been that way for a while now. E.g. even on my current FAW 27:

$ ls -ldZ /tmp
lrwxrwxrwx. 3 root root system_u:object_r:tmp_t:s0 11 Sep 10  2017 /tmp -> sysroot/tmp
$ ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 4096 Mar 20 17:16 /tmp/.X11-unix

Hmmm:

$ matchpathcon $(realpath /tmp/.X11-unix)
/sysroot/tmp/.X11-unix  system_u:object_r:default_t:s0

Did file context lookups change to using the realpath maybe?

Comment 8 Dusty Mabe 2018-03-23 18:55:23 UTC
ok a bit of interesting informtion. On F27AH (i know this bug report is against FAW, but I don't have one of those running right now, this data should be the same either way): 

```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 6 Mar 23 17:54 /tmp/.X11-unix                   
# matchpathcon -V /tmp/.X11-unix                                              
/tmp/.X11-unix has context system_u:object_r:user_tmp_t:s0, should be system_u:object_r:default_t:s0    
#                         
# rpm -q selinux-policy   
selinux-policy-3.13.1-283.17.fc27.noarch
```

on F28AH

```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix                                                     
drwxrwxrwt. 2 root root system_u:object_r:default_t:s0 6 Mar 23 17:47 /tmp/.X11-unix                    
# matchpathcon -V /tmp/.X11-unix                                             
/tmp/.X11-unix verified.  
# rpm -q selinux-policy  
selinux-policy-3.14.1-14.fc28.noarch
```


So on F27 and F28 the policy is the same.

On F27 the file context is `user_tmp_t` but matchpathcon thinks it should be `default_t`.

On F28 the file context is `default_t` and the file *is* `default_t`.

Comment 9 Matthias Clasen 2018-03-26 13:21:07 UTC
on this rawhide atomic ws, I have /tmp -> /sysroot/tmp, but no sign of a tmpfs mounted there

Comment 10 Jonathan Lebon 2018-03-26 13:26:17 UTC
So, dropping the `/tmp --> /sysroot/tmp` symlink and letting tmp.mount do its thing, we do get the proper labeling, and gdm comes up.

rpm-ostree has a `tmp-is-dir` option which today defaults to `false`. See:

https://rpm-ostree.readthedocs.io/en/latest/manual/treefile/
https://github.com/projectatomic/rpm-ostree/pull/778
https://github.com/projectatomic/rpm-ostree/issues/820

So one thing we could do to work around this is turn it on for FAW28?

Comment 11 Colin Walters 2018-03-26 13:29:34 UTC
I suspect this is because we aren't using tmpfs-on-tmp by default; https://github.com/projectatomic/rpm-ostree/pull/778

I think we should unconditionally enable tmp-is-dir for FAW.  Looking into that now.

Comment 12 Dusty Mabe 2018-03-26 14:00:16 UTC
(In reply to Colin Walters from comment #11)
> I suspect this is because we aren't using tmpfs-on-tmp by default;
> https://github.com/projectatomic/rpm-ostree/pull/778

We've been doing that for a while now, though. 

> 
> I think we should unconditionally enable tmp-is-dir for FAW.  Looking into
> that now.

That is fine for a workaround, but I'd definitely be interested in the root cause. i.e. What changed? Was it by-design? Is it desired behavior?

Comment 13 Dusty Mabe 2018-03-26 14:22:58 UTC
Lukas did a new build.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1062582

Still the question in my last comment remains

Comment 15 Jonathan Lebon 2018-03-26 17:36:09 UTC
Confirmed fixed in latest build.

Comment 16 Fedora Update System 2018-03-26 17:58:24 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 17 Geoffrey Marr 2018-03-26 18:55:04 UTC
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as this is preventing Atomic Workstation installs from booting, and we would like these fixed for Beta.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt

Comment 18 Fedora Update System 2018-03-26 20:52:27 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 19 Fedora Update System 2018-03-26 22:30:52 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Alex Villacís Lasso 2018-05-05 16:46:20 UTC
I am getting selinux denials and GDM gets locked up after showing just the mouse cursor. My machine was recently updated from FC27 to FC28 and does not use Atomic (as far as I know):

may 04 21:44:46 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0

Full case and log in https://bugzilla.redhat.com/show_bug.cgi?id=1575194 .


Note You need to log in before you can comment on or make changes to this bug.