Description of problem: New selinux-policy is preventing gdm to start. After picking a user on login screen and typing password I can see background for a few seconds and then I am redirected back to the screen with users. In journal I can see following denials: Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0 Simple workaround is switching to tty2, disabling selinux, switching back to GUI and then after I select user, write password I am not kicked back to selecting users. Also downgrading selinux-policy (to selinux-policy-3.14.2-34) works. Version-Release number of selected component (if applicable): selinux-policy-3.14.2-36 How reproducible: Update selinux-policy on F29 to version selinux-policy-3.14.2-36. Reproducible each time.
Hi Matej, I installed latest compose of Fedora 29 workstation, update selinux-policy to the latest build (https://koji.fedoraproject.org/koji/buildinfo?buildID=1153003) and I have no problem login to the system when system is in enforcing state. Could you please run: # restorecon -Rv / and try to reproduce the scenario? Thanks, Lukas.
Hi, I've updated to the newest selinux-policy. $rpm -q selinux-policy selinux-policy-3.14.2-38.fc29.noarch I've run # restorecon -Rv / then turn my pc off, turn it on again and the same problem. I am still able to reproduce it easily, so I can provide you with any logs or information about my system.
commit 998f4c42a68d4934ffb6025d7403d995546a8c2e (HEAD -> rawhide, origin/rawhide) Author: Lukas Vrabec <lvrabec> Date: Mon Oct 22 15:37:45 2018 +0200 Allow X display manager to check status and reload services which are part of x_domain attribute
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.