496470 – After update, cannot login through GDM

Bug 496470 - After update, cannot login through GDM

Summary: After update, cannot login through GDM

Keywords:
Status:	CLOSED DUPLICATE of bug 495924
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gdm
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	urgent
Target Milestone:	---
Assignee:	jmccann
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F11Blocker, F11FinalBlocker
TreeView+	depends on / blocked

Reported:	2009-04-19 13:43 UTC by Oded Arbel
Modified:	2015-01-14 23:22 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-23 13:34:58 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Oded Arbel 2009-04-19 13:43:32 UTC

Description of problem:
As of today (which is the first time I logged off since last week, so it could be caused by any update in the last week or so) I can no longer login graphically using any user (both local and winbind). Login through text terminal or SSH still works well as well as sudo (I haven't tried anything else).

I haven't found anything interesting in the logs, except this from /var/log/secure:
---8<---
Apr 19 16:34:49 chen pam: gdm-password[2626]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=oded.a
---8<---
(Which interestingly enough reports failures for any user except root - failing to log in as root does not generate a failure line in /var/log/secure).

And this from /var/log/messages:
---8<---
Apr 19 16:34:38 chen setroubleshoot: SELinux prevented kde4-config from writing .kde. For complete SELinux messages. run sealert -l a08e9abb-f598-4ebb-b47a-d9c6557ab07d
Apr 19 16:34:46 chen setroubleshoot: SELinux is preventing gdm-session-wor (xdm_t) "read" home_root_t. For complete SELinux messages. run sealert -l 763f61fe-92b2-4add-ab04-a98dbd91d2d3
Apr 19 16:35:51 chen setroubleshoot: SELinux is preventing gdm-simple-gree (xdm_t) "read" to oded.a (home_root_t). For complete SELinux messages. run sealert -l a5f3b4e5-46de-4f37-a088-ecc07b152a53
---8<---

I get similar errors about sshd trying to "read" from home_root_t but logins through ssh work, so I'm not sure that is related.

Here is the complete sealert report anyway, for completion:

Summary:

SELinux is preventing gdm-session-wor (xdm_t) "read" home_root_t.

Detailed Description:

SELinux denied access requested by gdm-session-wor. It is not expected that this
access is required by gdm-session-wor and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:home_root_t:s0
Target Objects                .dmrc [ file ]
Source                        gdm-session-wor
Source Path                   /usr/libexec/gdm-session-worker
Port                          <Unknown>
Host                          chen.office.taboola.com
Source RPM Packages           gdm-2.26.1-1.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-4.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     chen.office.taboola.com
Platform                      Linux chen.office.taboola.com
                              2.6.29.1-68.fc11.x86_64 #1 SMP Sat Apr 11 02:20:46
                              EDT 2009 x86_64 x86_64
Alert Count                   7
First Seen                    Mon Apr 13 14:29:14 2009
Last Seen                     Sun Apr 19 16:30:27 2009
Local ID                      763f61fe-92b2-4add-ab04-a98dbd91d2d3
Line Numbers                  

Raw Audit Messages            

node=chen.office.taboola.com type=AVC msg=audit(1240147827.179:1012): avc:  denied  { read } for  pid=23167 comm="gdm-session-wor" name=".dmrc" dev=dm-1 ino=4882 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

node=chen.office.taboola.com type=SYSCALL msg=audit(1240147827.179:1012): arch=c000003e syscall=2 success=no exit=-13 a0=18d61e0 a1=0 a2=0 a3=2 items=0 ppid=22344 pid=23167 auid=4294967295 uid=0 gid=0 euid=16777216 suid=0 fsuid=16777216 egid=16777216 sgid=0 fsgid=16777216 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
2.26.1

How reproducible:
Always

Steps to Reproduce:
1. Log off
2. try to log in by choosing "other", typing the user name and password
  
Actual results:
GDM reports "Unable to authenticate the user"

Expected results:
GDM should start the desktop session properly.

Additional info:
I'm using winbind to authenticate against an active directory domain, which normally works great.

Comment 1 Oded Arbel 2009-04-19 13:44:29 UTC

Sorry, updated severity as currently I can't log in to my system and I have no workaround for this (maybe log in through console and use startx? sounds like 90s)

Comment 2 Oded Arbel 2009-04-19 16:02:31 UTC

I found a workaround - I replaced my display manager to KDM and now I can login.

I'll leave the severity as "urgent" as changing the display manager is not really trivial and the default configuration is severely broken.

Comment 3 Daniel Walsh 2009-04-20 12:19:32 UTC

Are you trying to login via the console as root?  This is not allowed, via SELinux rules.

Comment 4 Oded Arbel 2009-04-20 17:42:12 UTC

I tried both as root and as a normal user. A normal user logs in successfully through the text console or with KDM but fails with GDM. I haven't tried to log in as root using KDM, and I don't remember if I tried using the console - I only tried to log in through GDM to see if it works (and it doesn't - and reports the same error as a normal user). I currently can't try to login with the text console, as for some reason under a KDM login I can't CTRL-ALT-F* to a text console. Weird.

I do succeed in logging in as root through ssh.

Comment 5 Oded Arbel 2009-04-20 18:00:32 UTC

I just confirmed - I can log in as root using the text console. can't with GDM though because of the same error as when logging in with a normal user.

Funny thing with KDM though - I can't switch to a virtual terminal when KDM is the display manager, I can with GDM though. On the other hand, I can zap the X server (CTRL-ALT-Backspace) with KDM and can't with GDM (which is on purpose IIRC). Still, that is another bug report.

Comment 6 Daniel Walsh 2009-04-20 18:49:50 UTC

Could you attach the output of

#semanage login -l
#semanage user -l

Your problem could be described here:

http://danwalsh.livejournal.com/2008/07/10/

Comment 7 Oded Arbel 2009-04-20 19:25:25 UTC

---8<---
# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0                       
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
---8<---

This is a new installation, not an upgrade of a previous Fedora (as the first time I tried to upgrade F10 it didn't work very well for me). Not that I can read the output of semanage, but compared to danwalsh's journal mentioned above, it looks OK.

Comment 8 Daniel Walsh 2009-04-20 19:52:18 UTC

Yes this is fine.  

What avc messages are you seeing in /var/log/audit/audit.log?

Comment 9 Oded Arbel 2009-04-21 07:49:23 UTC

Nothing seems relevant - a lot of stuff about root getting permissions to run crond or ssh logs. It doesn't look like normal (non-root) logins generate lines in audit.log.

Comment 10 Daniel Walsh 2009-04-21 17:29:00 UTC

And you are able to login with SELinux in permissive mode?

Anything in /var/log/secure?

Comment 11 Ray Strode [halfline] 2009-04-23 13:34:58 UTC

Hey guys, run 

authconfig --updateall

to work around this bug

*** This bug has been marked as a duplicate of bug 495924 ***

Comment 12 Oded Arbel 2009-04-23 18:34:02 UTC

I don't think this is the same problem, as I can't use gdm to log in with local accounts as well, but I'll try.

Comment 13 Oded Arbel 2009-04-23 18:36:34 UTC

Well, apparently that was the problem - after running authconfig --updateall, I could log in fine.

Note You need to log in before you can comment on or make changes to this bug.