1615117 – After last selinux package update, gdm wasn't able to start properly

Bug 1615117 - After last selinux package update, gdm wasn't able to start properly

Summary: After last selinux package update, gdm wasn't able to start properly

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	29
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-08-12 12:27 UTC by David Hill
Modified:	2018-09-01 22:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2018-09-01 22:37:57 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
audit logs (1.71 MB, text/plain) 2018-08-12 12:28 UTC, David Hill	no flags	Details
update history (559.83 KB, text/plain) 2018-08-12 12:32 UTC, David Hill	no flags	Details
View All

Description David Hill 2018-08-12 12:27:11 UTC

Description of problem:
After last selinux package update, gdm wasn't able to start properly.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 David Hill 2018-08-12 12:28:57 UTC

Created attachment 1475354 [details]
audit logs

Comment 2 David Hill 2018-08-12 12:31:59 UTC

Setting selinux in permissive permitted me to start gdm back again.   Perhaps we should always relabel when updating the selinux packages ?   I have lots of log entries such as:

type=USER_START msg=audit(1534076475.048:853): pid=3554 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask acct="gdm" exe="/usr/libexec/gdm-session-worker" hostname=knox.orion addr=? terminal=/dev/tty1 res=success'UID="root" AUID="unset"
type=AVC msg=audit(1534076487.615:877): avc:  denied  { read } for  pid=3898 comm="gdm-session-wor" name="config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1534076487.615:878): avc:  denied  { open } for  pid=3898 comm="gdm-session-wor" path="/etc/selinux/config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1534076487.615:879): avc:  denied  { getattr } for  pid=3898 comm="gdm-session-wor" path="/etc/selinux/config" dev="dm-1" ino=5376084 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I've attached the audit.log and dnf.rpm.log ...

Comment 3 David Hill 2018-08-12 12:32:33 UTC

Created attachment 1475355 [details]
update history

Comment 4 Jan Kurik 2018-08-14 10:25:16 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 5 Lukas Vrabec 2018-09-01 22:37:57 UTC

Hi, 

Your system looks mislabeled. Please run:
# restorecon -Rv / 

To fix your issue. 

THanks,
Lukas.

Note You need to log in before you can comment on or make changes to this bug.