Bug 1637358 - SELinux is preventing gdm-wayland-session from starting
Summary: SELinux is preventing gdm-wayland-session from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-09 06:52 UTC by Matej Marušák
Modified: 2018-11-07 02:41 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.2-41.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-07 02:41:43 UTC


Attachments (Terms of Use)

Description Matej Marušák 2018-10-09 06:52:38 UTC
Description of problem:

New selinux-policy is preventing gdm to start. After picking a user on login screen and typing password I can see background for a few seconds and then I am redirected back to the screen with users.

In journal I can see following denials:

Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Oct 09 08:33:25 localhost.localdomain systemd[1147]: selinux: avc:  denied  { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0


Simple workaround is switching to tty2, disabling selinux, switching back to GUI and then after I select user, write password I am not kicked back to selecting users. Also downgrading selinux-policy (to selinux-policy-3.14.2-34) works.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-36

How reproducible:
Update selinux-policy on F29 to version selinux-policy-3.14.2-36. Reproducible each time.

Comment 1 Lukas Vrabec 2018-10-15 10:10:02 UTC
Hi Matej, 

I installed latest compose of Fedora 29 workstation, update selinux-policy to the latest build (https://koji.fedoraproject.org/koji/buildinfo?buildID=1153003)

and I have no problem login to the system when system is in enforcing state. Could you please run: 

# restorecon -Rv / 

and try to reproduce the scenario? 

Thanks,
Lukas.

Comment 2 Matej Marušák 2018-10-15 11:32:49 UTC
Hi,

I've updated to the newest selinux-policy.
$rpm -q selinux-policy
selinux-policy-3.14.2-38.fc29.noarch

I've run 
# restorecon -Rv /
then turn my pc off, turn it on again and the same problem.

I am still able to reproduce it easily, so I can provide you with any logs or information about my system.

Comment 3 Lukas Vrabec 2018-10-22 13:40:42 UTC
commit 998f4c42a68d4934ffb6025d7403d995546a8c2e (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Oct 22 15:37:45 2018 +0200

    Allow X display manager to check status and reload services which are part of x_domain attribute

Comment 4 Fedora Update System 2018-11-04 10:07:28 UTC
selinux-policy-3.14.2-41.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 5 Fedora Update System 2018-11-05 04:19:46 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-506e97bb9b

Comment 6 Fedora Update System 2018-11-07 02:41:43 UTC
selinux-policy-3.14.2-41.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.