Description of problem: On a fresh F18 install with XFCE, I tried to log in as an account with a staff_u login. SELinux is preventing /usr/sbin/lightdm from using the 'sigchld' accesses on a process. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that lightdm should be allowed sigchld access on processes labeled xdm_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lightdm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects [ process ] Source lightdm Source Path /usr/sbin/lightdm Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.11.1-71.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-01-24 13:36:10 PST Last Seen 2013-01-24 13:40:45 PST Local ID b8212126-df1c-4368-b4d0-06a75f1e2bb5 Raw Audit Messages type=AVC msg=audit(1359063645.610:354): avc: denied { sigchld } for pid=1362 comm="lightdm" scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process Hash: lightdm,staff_ssh_agent_t,xdm_t,process,sigchld audit2allow #============= staff_ssh_agent_t ============== allow staff_ssh_agent_t xdm_t:process sigchld; audit2allow -R #============= staff_ssh_agent_t ============== allow staff_ssh_agent_t xdm_t:process sigchld; Additional info: hashmarkername: setroubleshoot kernel: 3.7.2-204.fc18.x86_64 type: libreport
Garrett, did it happen if you started to use staff_r SELinux role? Or does it repeat?
I logged in as root immediately after installing and added an selinux login for this user, so I haven't logged in as anything other than staff_u:staff_r:staff_t so far. If it matters, I have used sudo to get a staff_u:unconfined_r:unconfined_t root shell a few times. Does that answer your question? I will see if I can get it to show up again today just to be sure. That way I try it on a freshly-booted system, too.
4d299de59999a1e4c5254fac92d11b8d8402d872 checked into git to allow this. We should allow all user programs to sigchld login programs.
Fixed in selinux-policy-3.11.1-74.fc18.noarch
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18
Package selinux-policy-3.11.1-74.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18 then log in and leave karma (feedback).
*** Bug 906164 has been marked as a duplicate of this bug. ***
Works for me. Thanks!
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.