Description of problem:
On Fedora Atomic Workstation, SELinux policy is preventing GNOME login from coming up in the latest F28 compose. Setting permissive mode fixes the issue.

Version-Release number of selected component (if applicable):
```
[root@localhost ~]# rpm-ostree status
State: idle; auto updates disabled
Deployments:
● ostree://fedora-workstation:fedora/28/x86_64/workstation
                   Version: 28.20180321.n.0 (2018-03-21 12:44:50)
                    Commit: 0e70779f7f2795223f56175a0a214e18fbcba98431f2a9a87fcce7bd4a04d457
              GPGSignature: Valid signature by 128CF232A9371991C8A65695E08E7E629DB62FB1
[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.14.1-14.fc28.noarch
[root@localhost ~]# rpm -q gnome-session
gnome-session-3.28.0-1.fc28.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Install latest F28 AW ISO: https://kojipkgs.fedoraproject.org/compose/branched/latest-Fedora-28/compose/AtomicWorkstation/x86_64/iso/
2. Gaze
3.

Actual results:
No login screen comes up.
```
[root@localhost ~]# journalctl -b -1 | grep -i 'avc'
Mar 22 12:29:22 localhost.localdomain audit[804]: AVC avc:  denied  { module_request } for  pid=804 comm="sh" kmod="netdev-" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Mar 22 12:29:26 localhost.localdomain systemd[1267]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1
Mar 22 12:29:26 localhost.localdomain systemd[1267]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { write } for  pid=1381 comm="gnome-session-b" name=".ICE-unix" dev="dm-0" ino=526225 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { add_name } for  pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1381]: AVC avc:  denied  { create } for  pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1395]: AVC avc:  denied  { write } for  pid=1395 comm="gnome-shell" name=".X11-unix" dev="dm-0" ino=526224 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:29:27 localhost.localdomain audit[1395]: AVC avc:  denied  { add_name } for  pid=1395 comm="gnome-shell" name="X1024" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
Mar 22 12:30:20 localhost.localdomain systemd[1267]: selinux: avc:  denied  { start } for auid=n/a uid=42 gid=42 path="/usr/lib/systemd/user/dbus.service" cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1
```

Expected results:
Login screen comes up.

Additional info:
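As an added example (not part of the original report, and not Fedora or SELinux project code), the script below parses the journal excerpt above and groups the denials by source type, target type and object class, then lists every target that carries `default_t`. The sample records are the AVC lines from this report with the "Mar 22 ... localhost.localdomain" prefix dropped; the default_t heuristic encodes the rule of thumb raised later in this thread, that a `default_t` target usually points at a mislabeled path rather than a missing policy rule. Both record shapes seen in the log are handled: kernel `audit[...]: AVC avc: denied` records and systemd's own userspace `selinux: avc: denied` records.

```python
"""Summarize SELinux AVC denials from a journal excerpt.

Added example for this bug report, not code from the report itself or from
Fedora/SELinux. SAMPLE_LINES are the AVC records from the report with the
timestamp/hostname prefix removed; the default_t heuristic is the thread's
rule of thumb (default_t target => probably a labeling problem).
"""
import re
from collections import defaultdict

# Constructed subset, copied from the report: kernel audit records and
# systemd's userspace "selinux: avc:" records both occur.
SAMPLE_LINES = [
    'audit[804]: AVC avc: denied { module_request } for pid=804 comm="sh" kmod="netdev-" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1',
    'systemd[1267]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1',
    'systemd[1267]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=1',
    'audit[1381]: AVC avc: denied { write } for pid=1381 comm="gnome-session-b" name=".ICE-unix" dev="dm-0" ino=526225 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1',
    'audit[1381]: AVC avc: denied { add_name } for pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1',
    'audit[1381]: AVC avc: denied { create } for pid=1381 comm="gnome-session-b" name="1381" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=sock_file permissive=1',
    'audit[1395]: AVC avc: denied { write } for pid=1395 comm="gnome-shell" name=".X11-unix" dev="dm-0" ino=526224 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1',
    'audit[1395]: AVC avc: denied { add_name } for pid=1395 comm="gnome-shell" name="X1024" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1',
    'systemd[1267]: selinux: avc: denied { start } for auid=n/a uid=42 gid=42 path="/usr/lib/systemd/user/dbus.service" cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=service permissive=1',
]

# Permission list in braces, then the three context/class fields; permissive= is
# optional because not every userspace AVC record carries it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return a dict describing the denial in *line*, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    # Kernel records name the process with comm=, systemd records with cmdline=.
    prog = re.search(r'\b(?:comm|cmdline)="([^"]*)"', line)
    rec["program"] = prog.group(1).split()[0] if prog else None
    # Object being touched: name= for dentries, path= for services/files.
    target = re.search(r'\b(?:name|path)="([^"]*)"', line)
    rec["target"] = target.group(1) if target else None
    # A context is user:role:type:range; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = (rec["permissive"] == "1") if rec["permissive"] is not None else None
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def labeling_suspects(lines):
    """Targets labeled default_t: per the thread, usually a mislabeled path, not a policy gap."""
    return sorted({rec["target"] for rec in map(parse_avc, lines)
                   if rec and rec["ttype"] == "default_t" and rec["target"]})


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{stype:>12} -> {ttype:<14} {tclass:<10} {' '.join(perms)}")
    print("default_t targets (check labeling first):", labeling_suspects(SAMPLE_LINES))
```

Feed it `journalctl -b -1 | grep -i avc` output from an affected machine to get the same grouping; the `xdm_t -> default_t` rows on `dir`/`sock_file` are the ones that separate this bug from the `xdm_t -> unconfined_t` systemd `status`/`reload` denials, which have a different cause.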
do we know for sure this is only an issue on Atomic Workstation and doesn't affect normal Workstation? If it's normal Workstation then it's a blocker. If only Atomic Workstation then probably not a blocker but worth an FE. I'll propose as FE for now.
Proposed as a Freeze Exception for 28-beta by Fedora user dustymabe using the blocker tracking app because: SELinux issue blocking gdm from starting on Atomic Workstation
Yes, it's only Atomic Workstation. openQA has been catching this for days - e.g. https://openqa.stg.fedoraproject.org/tests/262649 - but I haven't had time to file it; thanks for doing it, Jonathan. +1 FE.
I'm wondering if the issue here may in fact be that we don't have correct SELinux labels in the AW ostree, rather than a policy problem? The fact that regular Workstation works fine rather suggests this may be the case, to me.
At least for the few denials that have target names I recognize, looks like default_t is indeed declared as the correct label:
```
[root@localhost ~]# matchpathcon /tmp/.ICE-unix
/tmp/.ICE-unix	system_u:object_r:default_t:s0
[root@localhost ~]# matchpathcon /tmp/.X11-unix
/tmp/.X11-unix	system_u:object_r:default_t:s0
```
default_t looks like a major labeling issue. default_t is the label of any directories in / that the kernel does not know about. We might have a new directory in atomic workstation that needs a label, or everything is screwed up. I would figure these files should be labeled user_tmp_t.

```
ls -lZd /tmp
```
Hmm, I wonder if this is due to /tmp being a symlink to /sysroot/tmp. Though I'm not sure how, since it's been that way for a while now. E.g. even on my current FAW 27:
```
$ ls -ldZ /tmp
lrwxrwxrwx. 3 root root system_u:object_r:tmp_t:s0 11 Sep 10  2017 /tmp -> sysroot/tmp
$ ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 4096 Mar 20 17:16 /tmp/.X11-unix
```
Hmmm:
```
$ matchpathcon $(realpath /tmp/.X11-unix)
/sysroot/tmp/.X11-unix	system_u:object_r:default_t:s0
```
Did file context lookups change to using the realpath maybe?
OK, a bit of interesting information. On F27AH (I know this bug report is against FAW, but I don't have one of those running right now; this data should be the same either way):
```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:user_tmp_t:s0 6 Mar 23 17:54 /tmp/.X11-unix
# matchpathcon -V /tmp/.X11-unix
/tmp/.X11-unix has context system_u:object_r:user_tmp_t:s0, should be system_u:object_r:default_t:s0
#
# rpm -q selinux-policy
selinux-policy-3.13.1-283.17.fc27.noarch
```
On F28AH:
```
# semanage fcontext --list | grep '^\/tmp' | grep X11
/tmp/\.X11-unix(/.*)?                              all files          system_u:object_r:user_tmp_t:s0
# ls -ldZ /tmp/.X11-unix
drwxrwxrwt. 2 root root system_u:object_r:default_t:s0 6 Mar 23 17:47 /tmp/.X11-unix
# matchpathcon -V /tmp/.X11-unix
/tmp/.X11-unix verified.
# rpm -q selinux-policy
selinux-policy-3.14.1-14.fc28.noarch
```
So on F27 and F28 the policy is the same. On F27 the file context is `user_tmp_t` but matchpathcon thinks it should be `default_t`. On F28 the file context is `default_t` and the file *is* `default_t`.
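As an added example (not code from this report, rpm-ostree or libselinux), the model below reproduces the two comments above: the `/tmp/\.X11-unix(/.*)?` rule from `semanage fcontext --list` only matches the path as typed, so once a lookup is done against the realpath `/sysroot/tmp/.X11-unix`, nothing but the catch-all rule applies and the result is `default_t`. The three `/tmp` rules are the ones quoted in the thread; the `/.*` fallback to `default_t`, the symlink map, and the matcher itself (longest literal stem wins, then the last listed rule) are simplifying assumptions made here, not a reimplementation of libselinux.

```python
"""Model how a /tmp -> sysroot/tmp symlink changes what matchpathcon returns.

Added example for this bug report, not code from the report, rpm-ostree or
libselinux. The X11/ICE rules are quoted from the thread; the "/.*" fallback,
the symlink map and the matching order are assumptions of this model.
"""
import posixpath
import re

# Constructed table in the shape `semanage fcontext --list` prints.
FILE_CONTEXTS = [
    (r"/.*",                   "all files", "system_u:object_r:default_t:s0"),   # assumed fallback
    (r"/tmp/\.X11-unix(/.*)?", "all files", "system_u:object_r:user_tmp_t:s0"),  # from the thread
    (r"/tmp/\.ICE-unix(/.*)?", "all files", "system_u:object_r:user_tmp_t:s0"),  # from the thread
]

# Constructed from what `ls -ldZ /tmp` shows on Atomic Workstation: a relative link target.
ATOMIC_SYMLINKS = {"/tmp": "sysroot/tmp"}

METACHARS = set(".^$*+?()[]{}|\\")


def stem(regex):
    """Literal path prefix of a file_contexts regex, up to the first metacharacter."""
    out = []
    for ch in regex:
        if ch in METACHARS:
            break
        out.append(ch)
    return "".join(out)


def lookup(path, table=FILE_CONTEXTS):
    """Label *path*: among rules matching the whole path, prefer the longest stem, then the last listed.

    Simplified model of file_contexts precedence (assumption, see module docstring).
    """
    best_key, best_ctx = None, None
    for idx, (regex, _ftype, ctx) in enumerate(table):
        if re.fullmatch(regex, path):
            key = (len(stem(regex)), idx)
            if best_key is None or key > best_key:
                best_key, best_ctx = key, ctx
    return best_ctx


def canonicalize(path, symlinks):
    """Resolve symlinks component by component, like realpath(3), from a {link: target} map."""
    resolved = "/"
    for part in path.strip("/").split("/"):
        candidate = posixpath.join(resolved, part)
        while candidate in symlinks:  # relative targets resolve against the link's directory
            candidate = posixpath.normpath(
                posixpath.join(posixpath.dirname(candidate), symlinks[candidate]))
        resolved = candidate
    return resolved


def type_of(context):
    """Type field of an SELinux context (user:role:type:range)."""
    return context.split(":")[2]


def matchpathcon(path, symlinks=None, resolve=False):
    """Return (path looked up, type). resolve=True does the lookup on the realpath instead."""
    looked_up = canonicalize(path, symlinks or {}) if resolve else path
    return looked_up, type_of(lookup(looked_up))


def demo(path="/tmp/.X11-unix"):
    """The three situations discussed in the thread."""
    return {
        "symlink_as_given": matchpathcon(path, ATOMIC_SYMLINKS, resolve=False),
        "symlink_realpath": matchpathcon(path, ATOMIC_SYMLINKS, resolve=True),
        "tmp_is_dir": matchpathcon(path, {}, resolve=True),  # real /tmp directory, no symlink
    }


if __name__ == "__main__":
    for name, (looked_up, label) in demo().items():
        print(f"{name:<18} {looked_up:<26} {label}")
```

The `tmp_is_dir` case is the workaround discussed further down: with a real `/tmp` directory the realpath and the typed path coincide, so the `user_tmp_t` rule matches again. On an affected machine, compare against the real tools with `ls -ldZ /tmp`, `matchpathcon $(realpath /tmp/.X11-unix)` and `matchpathcon -V /tmp/.X11-unix`.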
On this Rawhide Atomic WS, I have /tmp -> /sysroot/tmp, but no sign of a tmpfs mounted there.
So, dropping the `/tmp --> /sysroot/tmp` symlink and letting tmp.mount do its thing, we do get the proper labeling, and gdm comes up.

rpm-ostree has a `tmp-is-dir` option which today defaults to `false`. See:
https://rpm-ostree.readthedocs.io/en/latest/manual/treefile/
https://github.com/projectatomic/rpm-ostree/pull/778
https://github.com/projectatomic/rpm-ostree/issues/820

So one thing we could do to work around this is turn it on for FAW28?
I suspect this is because we aren't using tmpfs-on-tmp by default; https://github.com/projectatomic/rpm-ostree/pull/778 I think we should unconditionally enable tmp-is-dir for FAW. Looking into that now.
(In reply to Colin Walters from comment #11)
> I suspect this is because we aren't using tmpfs-on-tmp by default;
> https://github.com/projectatomic/rpm-ostree/pull/778

We've been doing that for a while now, though.

> I think we should unconditionally enable tmp-is-dir for FAW. Looking into
> that now.

That is fine for a workaround, but I'd definitely be interested in the root cause, i.e. what changed? Was it by design? Is it desired behavior?
Lukas did a new build. https://koji.fedoraproject.org/koji/buildinfo?buildID=1062582 Still the question in my last comment remains
https://pagure.io/workstation-ostree-config/pull-request/80
Confirmed fixed in latest build.
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4
Discussed during the 2018-03-26 blocker review meeting: [1] The decision to classify this bug as an AcceptedFreezeException was made as this is preventing Atomic Workstation installs from booting, and we would like these fixed for Beta. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
I am getting selinux denials and GDM gets locked up after showing just the mouse cursor. My machine was recently updated from FC27 to FC28 and does not use Atomic (as far as I know):
```
may 04 21:44:46 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
may 04 21:44:47 karlalex-acer.palosanto.com systemd[662]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
```
Full case and log in https://bugzilla.redhat.com/show_bug.cgi?id=1575194 .