Description of problem:
1. Booted system.
2. Logged in at the greeter prompt (lightdm) into Xfce. Note I am running slick-greeter.

SELinux is preventing lightdm from using the 'transition' accesses on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests  ******************

If you want to allow xdm to sysadm login
Then you must tell SELinux about this by enabling the 'xdm_sysadm_login' boolean.

Do
setsebool -P xdm_sysadm_login 1

*****  Plugin catchall (11.6 confidence) suggests  **************************

If you believe that lightdm should be allowed transition access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /etc/X11/xinit/Xsession [ process ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           xorg-x11-xinit-1.4.0-7.fc33.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.7-5.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-5.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.9.0-0.rc8.28.fc34.x86_64 #1 SMP Mon Oct 5 14:47:56 UTC 2020 x86_64 x86_64
Alert Count                   2
First Seen                    2020-10-15 07:56:17 AEDT
Last Seen                     2020-10-15 07:56:17 AEDT
Local ID                      da785623-8bee-4358-903d-2c6384b0be22

Raw Audit Messages
type=AVC msg=audit(1602708977.923:549): avc: denied { transition } for pid=1049 comm="lightdm" path="/etc/X11/xinit/Xsession" dev="dm-0" ino=931376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

Hash: lightdm,xdm_t,unconfined_t,process,transition

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-5.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.9.0-0.rc8.28.fc34.x86_64
type:           libreport
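An added example, not part of the original report or of setroubleshoot: a small Python parser for the raw AVC record quoted in the report above. It splits the source and target contexts, surfaces the permissive flag, and rebuilds the comma-separated tuple shown on the report's Hash line; the function names are illustrative.

```python
import re

# Raw AVC record copied from the report above.
AVC = ('type=AVC msg=audit(1602708977.923:549): avc: denied { transition } '
       'for pid=1049 comm="lightdm" path="/etc/X11/xinit/Xsession" dev="dm-0" '
       'ino=931376 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=process permissive=1')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def parse_avc(line):
    """Parse one AVC audit record into its decision, permissions and contexts."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    # key=value pairs; values are either double-quoted or bare tokens.
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3))
    fields = {k: q or b for k, q, b in pairs}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        # permissive=1 means the denial was logged but the access was not blocked.
        "permissive": fields.get("permissive") == "1",
    }

def triage_key(rec):
    """comm, source type, target type, class, permission: the Hash line's fields."""
    return ",".join([rec["comm"], rec["source"]["type"], rec["target"]["type"],
                     rec["tclass"], " ".join(rec["perms"])])

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(triage_key(rec), "| permissive:", rec["permissive"])
```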
Hi,

Please check the type of the reported Xsession file and possibly others:

ls -laZ /etc/X11/xinit/

Are you aware of any modifications made on your system?
Did you log in as the user root when the denial was triggered?
Do you use confined users?
Looks like lxdm (LXDE uses this) sees a very similar problem (bug 1888634).
Closing this bz to continue in bz#1886196.

*** This bug has been marked as a duplicate of bug 1886196 ***
rawhide$ ls -laZ /etc/X11/xinit/
total 36
drwxr-xr-x. 5 root root system_u:object_r:bin_t:s0     4096 Sep 30 23:49 .
drwxr-xr-x. 7 root root system_u:object_r:etc_t:s0     4096 Jul 28 04:22 ..
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0     2321 Jul 31 07:42 Xclients
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0     4096 Jul 31 07:50 Xclients.d
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0     1490 Jul 31 07:42 xinitrc
-rw-r--r--. 1 root root system_u:object_r:bin_t:s0     1870 Jul 31 07:42 xinitrc-common
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0     4096 Oct 8 19:31 xinitrc.d
drwxr-xr-x. 2 root root system_u:object_r:bin_t:s0     4096 Sep 29 22:17 xinput.d
lrwxrwxrwx. 1 root root unconfined_u:object_r:bin_t:s0   26 Jun 2 18:21 xinputrc -> /etc/alternatives/xinputrc
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0     3552 Jul 31 07:42 Xsession
rawhide$

2) This is a standard rawhide install using MATE and Xfce. I've done nothing weird to the configuration.
3) I logged in as a normal user, but that user is a member of wheel.
4) Not sure what that is (confined users) so I would say no.
Ian, Thank you, the bug is isolated now.