Re: SELinux is blocking lightdm login to Xfce

Ed Greshko <ed.greshko@xxxxxxxxx> · Tue, 13 Mar 2018 06:49:09 +0800

On 03/13/18 06:13, ToddAndMargo wrote:
>>
>> /usr/bin/sealert -b
>> Is quiet

If I put the AVC's you mention in the original post in a file....

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

And run sealert against them I get....

[egreshko@meimei ~]$ sealert -a err
100% done
found 2 alerts in err
--------------------------------------------------------------------------------

SELinux is preventing lightdm from create access on the file .xsession-errors.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lightdm should be allowed create access on the .xsession-errors
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                .xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
                              SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      4b15d210-1cff-461f-8c2a-8469d09752d2

Raw Audit Messages
type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

Hash: lightdm,xdm_t,samba_share_t,file,create

--------------------------------------------------------------------------------

SELinux is preventing lightdm from 'write, open' accesses on the file
/home/tony/.xsession-errors.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/home/tony/.xsession-errors default label should be xdm_home_t.
Then you can run restorecon. The access attempt may have been stopped due to
insufficient permissions to access a parent directory in which case try to change the
following command accordingly.
Do
# /sbin/restorecon -v /home/tony/.xsession-errors

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that lightdm should be allowed write open access on the
.xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /home/tony/.xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
                              SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      82cda10c-f801-4a67-b762-54b27ad752cb

Raw Audit Messages
type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

Hash: lightdm,xdm_t,samba_share_t,file,write,open
-- 
Conjecture is just a conclusion based on incomplete information. It isn't a fact.

Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx