Bug 834427 - Selinux messages while using lightdm
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, Triaged
Duplicates: 834430
Blocks: 834430

Reported: 2012-06-21 16:38 EDT by hannes
Modified: 2014-09-15 02:22 EDT
Last Closed: 2013-08-29 03:00:17 EDT

Attachments
selinux warning accounts daemon (2.80 KB, text/plain), 2012-06-21 16:38 EDT, hannes
selinux warning accounts daemon 2 (2.39 KB, text/plain), 2012-06-21 16:39 EDT, hannes
xauth link (2.32 KB, text/plain), 2012-06-21 16:39 EDT, hannes
xauth open (2.30 KB, text/plain), 2012-06-21 16:40 EDT, hannes
xauth remove name (2.57 KB, text/plain), 2012-06-21 16:40 EDT, hannes
xauth write (2.94 KB, text/plain), 2012-06-21 16:41 EDT, hannes
lightdm errors (36.68 KB, text/x-log), 2013-08-19 15:25 EDT, hannes

Description hannes 2012-06-21 16:38:37 EDT
Created attachment 593587
selinux warning accounts daemon

Description of problem:
With selinux enforcing it's not possible to use lightdm at the moment.


Version-Release number of selected component (if applicable):
Version     : 1.2.2-15.fc17
Comment 1 hannes 2012-06-21 16:39:09 EDT
Created attachment 593588
selinux warning accounts daemon 2
Comment 2 hannes 2012-06-21 16:39:45 EDT
Created attachment 593589
xauth link
Comment 3 hannes 2012-06-21 16:40:17 EDT
Created attachment 593590
xauth open
Comment 4 hannes 2012-06-21 16:40:43 EDT
Created attachment 593591
xauth remove name
Comment 5 hannes 2012-06-21 16:41:09 EDT
Created attachment 593592
xauth write
Comment 6 hannes 2012-06-21 17:46:33 EDT
Ok, so with a lot of help from the #selinux channel, namely grift, and a little bit of testing on my side, I could now log in with lightdm without any problems.

chcon -t xdm_exec_t /usr/sbin/lightdm
chcon -t xdm_exec_t /usr/sbin/lightdm-gtk-greeter
chcon -R -t xserver_log_t /var/log/lightdm
chcon -R -t xdm_var_lib_t /var/lib/lightdm
chcon -R -t xdm_var_lib_t /var/cache/lightdm
semanage fcontext -a -t xdm_var_run_t "/var/run/lightdm(/.*)?"
restorecon -R -v /var/run/lightdm
chcon -R -t xdm_etc_t /etc/lightdm
Comment 7 hannes 2012-06-22 09:15:04 EDT
Did I choose the wrong component? I don't really know in which part of selinux those commands have to go. If I was wrong, please change the component to the appropriate one.

Thanks
Comment 8 Rex Dieter 2012-06-22 09:23:52 EDT
seems just selinux-policy is the best fit
Comment 9 Gregor Tätzner 2012-06-22 12:47:23 EDT
*** Bug 834430 has been marked as a duplicate of this bug. ***
Comment 10 Rex Dieter 2012-06-22 15:44:39 EDT
to add to comment #6, 
chcon -t xdm_exec_t /usr/sbin/lightdm-kde-greeter

or just use
chcon -t xdm_exec_t /usr/sbin/lightdm-*-greeter

to match all.
Comment 11 Dominick Grift 2012-06-22 15:59:56 EDT
Note for those that apply this temporary fix:

semanage fcontext -a -t xdm_var_run_t "/var/run/lightdm(/.*)?"

was added because /run is on a tmpfs. This, as opposed to chcon -R -t xdm_var_run_t /var/run/lightdm, is needed because systemd-tmpfilesd or systemd will query the list of system-wide file context specifications and restore the contexts of /run accordingly once tmpfs is mounted on /run, or so at least I suspect.

Be sure to remove this particular file context specification before you update your selinux-policy with this fix applied to avoid possible update failure due to a conflict: "duplicate file context specification"

To remove the entry from the system wide list of file context specifications:

semanage fcontext -d -t xdm_var_run_t "/var/run/lightdm(/.*)?"
Comment 12 Miroslav Grepl 2012-06-25 06:28:47 EDT
Fixed in selinux-policy-3.10.0-134.fc17
Comment 13 Fedora Update System 2012-06-26 17:48:33 EDT
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Comment 14 Rex Dieter 2012-06-27 11:21:56 EDT
fyi, I'd like to be able to deploy/release lightdm for f16 too if possible, but I can understand if you don't want to backport the fixes back that far.
Comment 15 Fedora Update System 2012-06-27 23:38:45 EDT
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Comment 16 Miroslav Grepl 2012-06-28 07:26:34 EDT
(In reply to comment #14)
> fyi, I'd like to be able to deploy/release lightdm for f16 too if possible,
> but I can understand if you don't want to backport the fixes back that far.

Backported. Will be in the next F16 release (today/tomorrow).
Comment 17 Sergio 2012-06-29 11:40:14 EDT
If the delay that lightdm 1.2.2-15.fc17 has to start up and then to show the desktop is due to this bug, then selinux-policy-3.10.0-134.fc17 doesn't fix it.
Comment 18 Christoph Wickert 2012-06-29 11:45:32 EDT
You can easily test this by temporarily disabling SELinux.
Comment 19 Heiko Adams 2012-06-29 11:46:23 EDT
Maybe su -c 'systemctl enable accounts-daemon.service' solves that problem
Comment 20 Sergio 2012-06-29 12:02:31 EDT
(In reply to comment #18)
> You can easily test this by temporarily disabling SELinux.

Confirmed. Disabling selinux makes lightdm start up fine as well as the desktop.
Also, with selinux running we can't log in as root in the terminal, for instance (or run beesu), and with it disabled that works fine again.
Comment 21 Christoph Wickert 2012-06-29 12:11:34 EDT
This seems to be a different problem, but also a SELinux one. Set Selinux to permissive (not disabled) and then fix the file contexts of your whole system with

$ touch /.autorelabel
$ reboot
Comment 22 Sergio 2012-06-29 12:14:11 EDT
(In reply to comment #21)
> This seems to be a different problem, but also a SELinux one. Set Selinux to
> permissive (not disabled) and then fix the file contexts of your whole
> system with
> 
> $ touch /.autorelabel
> $ reboot

Just to confirm. Before I disabled selinux I tried booting in permissive mode with setenforce=0 and it didn't work. Do you still want me to do like you said?
Thanks.
Comment 23 Gregor Tätzner 2012-06-29 12:24:22 EDT
setenforce 0 is just temporary and doesn't survive a reboot. Please make your settings in /etc/selinux/conf.

> (In reply to comment #22)
> Do you still want me to do like
> you said?
> Thanks.

so, yes please :)
Comment 24 Rex Dieter 2012-06-29 12:31:36 EDT
So, I'd been running in permissive mode awhile (I was bad), so did the autorelabel thing, back to enforcing. Given that I'd previously followed comment #6 and comment #7, I followed comment #11 advice as well.

No delay here, tested using both gtk and kde greeters.
Comment 25 Sergio 2012-06-29 13:16:38 EDT
(In reply to comment #23)
> setenforce 0 is just temporary and doesn't survive a reboot. Please make
> your settings in /etc/selinux/conf.
> 
> > (In reply to comment #22)
> > Do you still want me to do like
> > you said?
> > Thanks.
> 
> so, yes please :)

Well, it works :-p
Comment 26 Fedora Update System 2012-06-30 17:52:20 EDT
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 hannes 2013-08-19 15:23:41 EDT
Apparently I hit that again in f19.
Comment 28 hannes 2013-08-19 15:25:04 EDT
Created attachment 788187
lightdm errors
Comment 29 hannes 2013-08-19 15:30:44 EDT
Ok, just checked and the commands from https://bugzilla.redhat.com/show_bug.cgi?id=834427#c6 still work on a newly installed fedora 19 xfce spin.
Comment 30 Miroslav Grepl 2013-08-20 08:38:13 EDT
F17 is no longer supported. Please update to a newer Fedora release.
Comment 31 hannes 2013-08-20 08:42:44 EDT
Sorry to say, but if you read my comments, you could see that this happened on a newly installed f19.
Comment 32 Miroslav Grepl 2013-08-22 09:31:18 EDT
Let's clean up this bug. Are you getting AVC msgs?

re-test in permissive and

# ausearch -m avc,user_avc -ts recent
Comment 33 hannes 2013-08-22 10:20:43 EDT
Is the recently attached file not sufficient? If not, I will provide the results later today, when I arrive home.
Comment 34 hannes 2013-08-22 13:37:15 EDT
ausearch -m avc,user_avc -ts recent
----
time->Thu Aug 22 19:35:51 2013
type=USER_AVC msg=audit(1377192951.376:481): pid=404 uid=81 auid=4294967295 ses=4294967295  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=20736 tpid=20738 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Relogin, after setting setenforce 0
Comment 35 hannes 2013-08-23 04:05:31 EDT
I have to add that you can see from my attached file that there were lightdm avcs as well, but apparently they are gone after I made the changes from comment #6.
Comment 36 Daniel Walsh 2013-08-26 12:19:19 EDT
Which means consolekit is not running as the right label.
Comment 37 Miroslav Grepl 2013-08-29 03:00:17 EDT
# restorecon -R -v /usr/sbin

should fix it.
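
The reading of the record in comments 34 to 37 can be automated. The following is an added example, not part of the original thread: it parses the USER_AVC record from comment 34 (shortened) and flags a D-Bus peer running in initrc_t, the domain a service stays in when it starts without a domain transition. The second record and all function names are constructed for illustration.

```python
import re

# USER_AVC record from comment 34, shortened to the fields this parser reads.
COMMENT_34 = (
    "type=USER_AVC msg=audit(1377192951.376:481): pid=404 uid=81 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager "
    "dest=org.freedesktop.ConsoleKit scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe=\"/usr/bin/dbus-daemon\"'"
)
# Constructed record for contrast: the D-Bus peer runs in its own domain.
CONSTRUCTED = (
    "type=USER_AVC msg=audit(1377192999.100:490): pid=404 uid=81 msg='avc:  denied  "
    "{ send_msg } for msgtype=method_call scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus'"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|dest)=([^\s']+)")
# Domain a service stays in when init starts it without a domain transition.
GENERIC_DOMAINS = {"initrc_t"}

def se_type(context):
    """Return the type field of user:role:type:level (the level may contain ':')."""
    return context.split(":", 3)[2]

def parse_avc(line):
    """Parse one denied AVC/USER_AVC record; return None for any other line."""
    m = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not m or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "source_type": se_type(fields["scontext"]),
        "target_type": se_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "dest": fields.get("dest"),
    }

def mislabeled_peer(rec):
    """True when a D-Bus peer runs in a generic init domain (check its executable's label)."""
    return rec["tclass"] == "dbus" and rec["target_type"] in GENERIC_DOMAINS

if __name__ == "__main__":
    for line in (COMMENT_34, CONSTRUCTED):
        rec = parse_avc(line)
        hint = "peer in generic domain, check executable label" if mislabeled_peer(rec) else "peer has its own domain"
        print(rec["source_type"], "->", rec["target_type"], rec["perms"], "|", hint)
```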
