Description of problem:
AFAIK the new SELinux policy package update is blocking systemd-user-runtime-dir, which results in not setting XDG_RUNTIME_DIR and making the other sessions invisible. I was able to see these denials in the journal:

audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user-runtime-dir@1000 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
gdm-password][1896]: pam_systemd(gdm-password:session): Failed to stat() runtime directory '/run/user/1000': Directory or file doesn't exists

Version-Release number of selected component (if applicable):
selinux-policy 35.9-1.fc35
selinux-policy-targeted 35.9-1.fc35

How reproducible:
Always

Steps to Reproduce:
1. Boot system with the new selinux package
2. In GDM you will see only Gnome and Gnome Classic, but Gnome on Xorg will not be visible - the same happens for the Sway target.

Actual results:
GDM will not show Sway or Gnome on Xorg targets.

Expected results:
GDM will show Sway and Gnome on Xorg targets.

Additional info:
This happens exactly when upgrading:
selinux-policy 35.8-1.fc35 -> 35.9-1.fc35
selinux-policy-targeted 35.8-1.fc35 -> 35.9-1.fc35

Thanks to SilverBlue I was able to verify the result many times.
Seems that it is causing many more problems. This is a report from someone on the SilverBlue channel with the same source of the issue:

A recent system update (to gupnp, initscripts, selinux) broke my install. Flatpaks and layered apps don't appear in my dock or app drawer, and various system icons (e.g. sound indicator) are absent. A rollback fixed things, but I do want to be able to update.
Adding the correct denial:

audit[1913]: AVC avc: denied { create } for pid=1913 comm="systemd-user-ru" name="1000" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Hopefully this is the one.
Jiri, I am afraid I can't follow you. On my F35 machines logging works well and no denials are reported with selinux-policy-35.11-1.fc35. Can you help me with the reproducing steps? Which packages are required to be installed, which X server configured, which other settings need to be done?
I did not try selinux-policy-35.11-1.fc35, I'll check if the issue is also there.
Nope, still happening also with the new version. I'll try a clean installation to see if it is happening there too.
So, I installed the system in a VM and it worked correctly, but when I have SilverBlue then I shouldn't be able to break the labels? Also, the same system works correctly with 35.8-1.fc35 but doesn't work with 35.9-1.fc35. Then I did `restorecon -RFv /` and that completely broke my system, relabeled a lot from /ostree and other parts... When I did this I had an issue with login to the system:

audit[1823]: AVC avc: denied { transition } for pid=1823 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-0" ino=19901448 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
systemd[1823]: user: Failed to execute /usr/lib/systemd/systemd: Permission denied

Any recommendation on how to fix labels on SB to get them to the correct state? The /.autorelabel won't work because / is an RO mount.
I see a similar issue to the user from the Silverblue channel Jiri cited above. The Gnome Wayland session is not listed with selinux-policy-35.11. Logging into the Xorg session shows numerous issues like missing custom shortcuts, flickering on login (the refresh changes away from the previously set) and some missing icons. Can confirm, the issue is not reproducible on a fresh install (like you mentioned before).

These are the "denials" I see on the affected machine (permissive enabled to have it running for the moment):

----
type=AVC msg=audit(20.01.2022 21:04:10.398:176) : avc: denied { create } for pid=1135 comm=systemd-user-ru name=42 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(20.01.2022 21:04:10.398:177) : avc: denied { relabelto } for pid=1135 comm=systemd-user-ru name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(20.01.2022 21:04:10.646:188) : avc: denied { write } for pid=1186 comm=gdm-wayland-ses name=bus dev="tmpfs" ino=36 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
----
type=AVC msg=audit(20.01.2022 21:04:19.402:215) : avc: denied { create } for pid=1753 comm=systemd-user-ru name=1000 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(20.01.2022 21:04:19.402:216) : avc: denied { relabelto } for pid=1753 comm=systemd-user-ru name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(20.01.2022 21:04:36.251:232) : avc: denied { unlink } for pid=3923 comm=systemd-user-ru name=bus dev="tmpfs" ino=36 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
I've got a longer list of denials here on Silverblue, though I do have some layered packages. I hit the issue going from 35.20220113 (1bca98932) to 35.20220118 (632c7141). Here are the denials:

systemd[1]: Failed to remove "/run/systemd/default-hostname": Permission denied
audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="default-hostname" dev="tmpfs" ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=0
audit[941]: AVC avc: denied { mac_admin } for pid=941 comm="systemd-tmpfile" capability=33 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability2 permissive=0
audit[1060]: AVC avc: denied { create } for pid=1060 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0
audit[1062]: AVC avc: denied { setpcap } for pid=1062 comm="firewalld" capability=8 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
audit[1062]: AVC avc: denied { setcap } for pid=1062 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process permissive=0
audit[1195]: AVC avc: denied { create } for pid=1195 comm="systemd-user-ru" name="1000" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
audit[1215]: AVC avc: denied { create } for pid=1215 comm="systemd-user-ru" name="42" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
audit[1280]: AVC avc: denied { execute } for pid=1280 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
gnome-shell[1242]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
audit[1304]: AVC avc: denied { create } for pid=1304 comm="systemd-user-ru" name="42" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
/usr/libexec/gdm-x-session[1308]: (EE) open /dev/fb0: Permission denied
audit[1358]: AVC avc: denied { execute } for pid=1358 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
gnome-session-c[1341]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
audit[1406]: AVC avc: denied { execute } for pid=1406 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
gnome-shell[1380]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
audit[1451]: AVC avc: denied { execute } for pid=1451 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
audit[1559]: AVC avc: denied { execute } for pid=1559 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
gsd-color[1492]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
gsd-wacom[1490]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
audit[1565]: AVC avc: denied { execute } for pid=1565 comm="dbus-daemon" name="at-spi-bus-launcher" dev="sda2" ino=30542088 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:gnome_atspi_exec_t:s0"
gsd-media-keys[1506]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
gsd-keyboard[1496]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
gsd-power[1516]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.Spawn.ExecFailed: Failed to execute program org.a11y.Bus: Permission denied
audit[1027]: USER_AVC pid=1027 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0
dbus-broker[1027]: A security policy denied :1.66 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.Inhibit to org.freedesktop.login1.
fprintd[1759]: Failed to install a sleep delay inhibitor: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
audit[1884]: AVC avc: denied { create } for pid=1884 comm="systemd-user-ru" name="1000" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
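Triaging a dump like the one above by hand is error-prone, because the same rule (systemd_logind_t creating a dir in user_tmp_t, dbus-daemon executing an unlabeled_t file) repeats under different pids. The following parser is an added example written for this page; it is not part of the bug report, of systemd or of selinux-policy. It accepts both record shapes seen in this thread (journal "audit[pid]: AVC avc: denied ..." lines and "ausearch -i" "type=AVC msg=audit(...) : avc: denied ..." lines), groups denials by source type, target type, class and permission, and separately flags records that carry trawcon=. That field means the file's on-disk label (here gnome_atspi_exec_t) is not a valid type in the currently loaded policy, so the kernel treats it as unlabeled_t; such a denial is not a candidate for audit2allow, it points at the loaded policy itself, which matches the corrupted /etc/selinux policy files described later in the thread. The sample records are copied from this thread; the function and field names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: records copied from this bug thread in the two shapes
# they appear there, plus one non-AVC journal line the parser must skip.
SAMPLE_RECORDS = [
    'audit[1913]: AVC avc: denied { create } for pid=1913 comm="systemd-user-ru" '
    'name="1000" scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(20.01.2022 21:04:10.398:177) : avc: denied { relabelto } '
    'for pid=1135 comm=systemd-user-ru name=/ dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:systemd_logind_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1',
    'audit[1280]: AVC avc: denied { execute } for pid=1280 comm="dbus-daemon" '
    'name="at-spi-bus-launcher" dev="sda2" ino=30542088 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 '
    'trawcon="system_u:object_r:gnome_atspi_exec_t:s0"',
    "audit[1027]: USER_AVC pid=1027 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied "
    "{ send_msg } for scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0'",
    'systemd[1823]: user: Failed to execute /usr/lib/systemd/systemd: Permission denied',
]

# "avc: denied { perm ... } for key=value key=value ..." is common to journal,
# raw audit and ausearch -i output, so the parser keys on that substring.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted, single-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def context_type(ctx):
    """Third field of user:role:type:level, e.g. systemd_logind_t."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'stype': context_type(fields.get('scontext', '?')),
        'ttype': context_type(fields.get('tcontext', '?')),
        'tclass': fields.get('tclass', '?'),
        'name': fields.get('name'),
        'permissive': fields.get('permissive') == '1',
        # trawcon: the raw on-disk context the loaded policy could not validate
        'trawcon': fields.get('trawcon'),
    }


def summarize(lines):
    """Group denials by rule and separate out stale-label and enforcing hits."""
    rules = Counter()
    stale_labels = []      # (object name, type the object carries on disk)
    enforcing_blocks = []  # source types actually blocked (permissive=0)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            rules[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
        if rec['trawcon']:
            stale_labels.append((rec['name'], context_type(rec['trawcon'])))
        if not rec['permissive']:
            enforcing_blocks.append(rec['stype'])
    return {'rules': rules, 'stale_labels': stale_labels,
            'enforcing_blocks': enforcing_blocks}


def report(lines):
    """Human-readable summary, one line per distinct rule or stale label."""
    s = summarize(lines)
    out = [f"{n:3d}x {stype} -> {ttype} {tclass}:{perm}"
           for (stype, ttype, tclass, perm), n in sorted(s['rules'].items())]
    out += [f"label not valid in loaded policy: {name!r} carries {want}"
            for name, want in s['stale_labels']]
    return out


if __name__ == '__main__':
    # Feed it real data with: journalctl -b | python3 this_file.py  (or paste lines)
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_RECORDS
    print("\n".join(report(list(source))))
```

Running it on the sample gives four distinct rules and one stale-label line for at-spi-bus-launcher. Denials with permissive=1 are counted but not listed as enforcing blocks, so a machine booted permissive (as in the comment before this one) still yields the rule list while making clear nothing was actually stopped.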
My Silverblue installation suffered similar symptoms after recent selinux-policy updates, but the steps in Silverblue selinux troubleshooting page https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_selinux_problems seemed to fix some stuff for me. I am able to boot into wayland session again and apps don't crash anymore. I don't see the "Failed to stat() runtime directory '/run/user/1000': Directory or file doesn't exists" error anymore.
I've looked into several setups of mine and found the following:

- Only systems with at least a single custom SELinux policy/module show the symptoms (meaning systems where `ostree admin config-diff | grep policy` reports at least one policy difference).

In my case only a single machine was affected by these issues. It only had a single extra policy (rtkit-daemon is allowed to be called from a toolbox container to set gamemoded). Upgrading from selinux-policy-35.09-1.fc35 to 35.10, to 35.11 was showing the above described symptoms (showing several tmpfs denials, borking the Wayland session in the process).

// the system has a single custom policy (for rtkit-daemon), several denials are visible, wayland session is borked
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<denials from my previous post>
# ostree admin config-diff | grep policy
M selinux/targeted/active/policy.linked
M selinux/targeted/active/policy.kern
M selinux/targeted/policy/policy.33
# rsync -rlv /usr/etc/selinux/ /etc/selinux/
# reboot
# ostree admin config-diff | grep policy
<empty>
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<empty, except for the single denial for containers (which I need a custom policy for)>
// create custom policy again (same commands as used in the past)
# ausearch -c 'rtkit-daemon' --raw | audit2allow -M my-rtkitdaemon
# semodule -X 300 -i my-rtkitdaemon.pp
# reboot
# ostree admin config-diff | grep policy
M selinux/targeted/active/policy.linked
M selinux/targeted/active/policy.kern
M selinux/targeted/policy/policy.33
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts boot
<empty>

The policy files somehow got corrupted. Unfortunately I no longer have the corrupted files available to further look into it.
I was able to fix my system by following this guide: https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_running_restorecon and then resolve this issue as mentioned above. I followed the guide above and the first step was to create a backup so I should also have the old policy.
(In reply to Jiri Konecny from comment #11)
> I was able to fix my system by following this guide:
> https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_running_restorecon
> and then resolve this issue as mentioned above.
>
> I followed the guide above and the first step was to create a backup so I
> should also have the old policy.

Can you please confirm if you see these steps as a resolution?

As I understand, it was caused by

* Wed Jan 12 2022 Zdenek Pytela <zpytela> - 35.9-1
- Allow sshd read filesystem sysctl files
- Revert "Allow sshd read sysctl files"
- Allow tlp read its systemd unit
- Allow gssproxy access to various system files.
- Allow gssproxy read, write, and map ica tmpfs files
- Allow gssproxy read and write z90crypt device
- Allow sssd_kcm read and write z90crypt device
- Allow smbcontrol read the network state information
- Allow virt_domain map vhost devices
- Allow fcoemon request the kernel to load a module
- Allow sshd read sysctl files
- Ensure that `/run/systemd/*` are properly labeled
- Allow admin userdomains use socketpair()
- Change /run/user/[0-9]+ to /run/user/%{USERID} for proper labeling   ^^^
- Allow lldpd connect to snmpd with a unix domain stream socket
- Dontaudit pkcsslotd sys_admin capability

which was not tested in an ostree environment. We will try to refrain from future changes like these during one Fedora version, but the impact is not always straightforward.
Unfortunately, I'm most probably not able to test this or don't know how to do that. It happened only during the update from one commit and I don't have the commit anymore because of my try to fix the issue. Maybe someone else could help here if they still have the commit with the issue?
Closing this bz per #c13, but feel free to reopen it or create a new one in case of an outstanding issue.