Created attachment 593587 [details]
selinux warning accounts daemon
Description of problem:
With selinux enforcing it's not possible to use lightdm at the moment.
Version-Release number of selected component (if applicable):
Version : 1.2.2-15.fc17
Created attachment 593588 [details] selinux warning accounts daemon 2
Created attachment 593589 [details] xauth link
Created attachment 593590 [details] xauth open
Created attachment 593591 [details] xauth remove name
Created attachment 593592 [details] xauth write
Ok, so with a lot of help from the #selinux channel, namely grift, and a little bit of testing on my side I could now login with lightdm without any problems.
chcon -t xdm_exec_t /usr/sbin/lightdm
chcon -t xdm_exec_t /usr/sbin/lightdm-gtk-greeter
chcon -R -t xserver_log_t /var/log/lightdm
chcon -R -t xdm_var_lib_t /var/lib/lightdm
chcon -R -t xdm_var_lib_t /var/cache/lightdm
semanage fcontext -a -t xdm_var_run_t "/var/run/lightdm(/.*)?"
restorecon -R -v /var/run/lightdm
chcon -R -t xdm_etc_t /etc/lightdm
Did I choose the wrong component? I don't really know in which part of selinux those commands have to go. If I was wrong, please change the component to the appropriate one. Thanks
seems just selinux-policy is the best fit
*** Bug 834430 has been marked as a duplicate of this bug. ***
to add to comment #6, chcon -t xdm_exec_t /usr/sbin/lightdm-kde-greeter or just use chcon -t xdm_exec_t /usr/sbin/lightdm-*-greeter to match all.
Note for those that apply this temporary fix:
semanage fcontext -a -t xdm_var_run_t "/var/run/lightdm(/.*)?"
was added because /run is on a tmpfs. This, as opposed to
chcon -R -t xdm_var_run_t /var/run/lightdm
is needed because systemd-tmpfilesd or systemd will query the list of system wide file context specifications and restore the contexts of /run accordingly once tmpfs is mounted on /run, or so at least I suspect.
Be sure to remove this particular file context specification before you update your selinux-policy with this fix applied, to avoid possible update failure due to a conflict: "duplicate file context specification"
To remove the entry from the system wide list of file context specifications:
semanage fcontext -d -t xdm_var_run_t "/var/run/lightdm(/.*)?"
Fixed in selinux-policy-3.10.0-134.fc17
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
fyi, I'd like to be able to deploy/release lightdm for f16 too if possible, but I can understand if you don't want to backport the fixes back that far.
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
(In reply to comment #14)
> fyi, I'd like to be able to deploy/release lightdm for f16 too if possible,
> but I can understand if you don't want to backport the fixes back that far.
Backported. Will be in the next F16 release (today/tomorrow).
If the delay that lightdm 1.2.2-15.fc17 has to startup and then to show the desktop is due to this bug then selinux-policy-3.10.0-134.fc17 doesn't fix it.
You can easily test this by temporarily disabling SELinux.
Maybe su -c 'systemctl enable accounts-daemon.service' solves that problem
(In reply to comment #18)
> You can easily test this by temporarily disabling SELinux.
Confirmed. Disabling selinux makes lightdm start up fine as well as the desktop. Also with selinux running we can't login as root in the terminal, for instance (or run beesu) and with it disabled that works fine again.
This seems to be a different problem, but also a SELinux one. Set Selinux to permissive (not disabled) and then fix the file contexts of your whole system with
$ touch /.autorelabel
$ reboot
(In reply to comment #21)
> This seems to be a different problem, but also a SELinux one. Set Selinux to
> permissive (not disabled) and then fix the file contexts of your whole
> system with
>
> $ touch /.autorelabel
> $ reboot
Just to confirm. Before I disabled selinux I tried booting in permissive mode with setenforce=0 and it didn't work. Do you still want me to do like you said? Thanks.
setenforce 0 is just temporarily and doesn't survive a reboot. Please make your settings in /etc/selinux/conf.
> (In reply to comment #22)
> Do you still want me to do like
> you said?
> Thanks.
so, yes please :)
So, I'd been running in permissive mode awhile (I was bad), so did the autorelabel thing, back to enforcing. Given that I'd previously followed comment #6 and comment #7, I followed comment #11 advice as well. No delay here, tested using both gtk and kde greeters.
(In reply to comment #23)
> setenforce 0 is just temporarily and doesn't survive a reboot. Please make
> your settings in /etc/selinux/conf.
>
> > (In reply to comment #22)
> > Do you still want me to do like
> > you said?
> > Thanks.
>
> so, yes please :)
Well, it works :-p
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Apparently I hit that again in f19.
Created attachment 788187 [details] lightdm errors
Ok, just checked and the commands from https://bugzilla.redhat.com/show_bug.cgi?id=834427#c6 still work on a newly installed fedora 19 xfce spin.
F17 is no longer supported. Please update to a newer Fedora release.
Sorry to say, but if you read my comments, you could see that this happened on a newly installed f19.
Let's cleanup this bug. Are you getting AVC msgs? re-test in permissive and
# ausearch -m avc,user_avc -ts recent
Is the recently attached file not sufficient? If not, I will provide the results later today, when I arrive home.
ausearch -m avc,user_avc -ts recent
----
time->Thu Aug 22 19:35:51 2013
type=USER_AVC msg=audit(1377192951.376:481): pid=404 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=20736 tpid=20738 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Relogin, after setting setenforce 0
I have to add, that you can see from my attached file, that there were lightdm avcs as well, but apparently they are gone after I made the changes from comment #6.
Which means consolekit is not running as the right label.
# restorecon -R -v /usr/sbin
should fix it.
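
The triage behind the last two comments, written out as an added example that is not part of the original thread: it parses the USER_AVC record quoted above and flags a denial whose target process runs in a generic domain, which is how the initrc_t target points at ConsoleKit not running under its own label. The function names, the output keys and the GENERIC_DOMAINS set are assumptions of this example.

```python
import re

# ausearch output quoted in the thread (the record is one line in the audit log).
SAMPLE = "\n".join([
    "----",
    "time->Thu Aug 22 19:35:51 2013",
    "type=USER_AVC msg=audit(1377192951.376:481): pid=404 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.ConsoleKit.Manager "
    "member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit "
    "spid=20736 tpid=20738 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
])

# Assumption of this example: a service seen in one of these domains was
# started without a transition into a domain of its own.
GENERIC_DOMAINS = {"initrc_t", "unconfined_service_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return the key=value fields of one AVC/USER_AVC denial, or None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    for side in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the type is the third field.
        parts = fields.get(side, "").split(":")
        fields[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return fields

def triage_log(text):
    """Summarise every denial in ausearch output, skipping non-AVC lines."""
    findings = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        findings.append({
            "source": avc["stype"], "target": avc["ttype"],
            "class": avc.get("tclass"), "perms": avc["perms"],
            "peer": avc.get("dest"),
            "target_in_generic_domain": avc["ttype"] in GENERIC_DOMAINS,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_log(SAMPLE):
        print(finding)
```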