Bug#683756: [DSE-Dev] Bug#683756: selinux in permissive mode breaks gdm and X
Hi Ron,

On 05.09.2012 02:32, Ron Murray wrote:
> I did some work on the remaining machine today. First I enabled
> debugging on the gdm3 daemon, set up an strace, and started gdm. As
> before, gdm3 respawned multiple times in short order before I stopped
> it. Only serious thing I could find was this, in one of the Xorg logs:

Are you absolutely sure the context for gdm3 is correct at the machine where it doesn't work? You wrote that you relabeled and rebooted and that would restore the (wrong) context.

Unfortunately (I'm not sure if this is a bug - it is intended but I don't like it) reenabling selinux after having it disabled triggers an autorelabel. This is what happened for me: I had selinux disabled, changed the context for gdm3, rebooted with selinux=1 security=selinux, the system did a relabeling on the boot, and I got a broken gdm3 right again. You then have to log into a VT (e.g. ctrl+alt+f1) and correct the label from the command line. Then you can reboot once again (which now will hopefully _not_ relabel) and after that it worked for me.

An alternative would be to add the correct label to the local configuration but given that a fixed package should be just around the corner, a temporary workaround seems okay.

This workaround is necessary for systems running unstable until the fix for this bug hits unstable and will be necessary for systems running testing until the fixed package migrates.

Cheers,
Mika
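An added example (not part of the original messages, and not Debian's own tooling): a shell check for the situation described in this thread, where a label set by hand is put back to the policy default by the next relabel. It compares the live label with the default that matchpathcon reports; the function names and sample lines are constructed for illustration, and it assumes ls -Z, matchpathcon and semanage are installed.

```shell
#!/bin/sh
# Added example: will a hand-set SELinux label survive the next relabel?
EXPECTED_TYPE=xdm_exec_t   # the type the thread sets on /usr/sbin/gdm3

# Print the type field of the first user:role:type[:level] token found in
# a line of `ls -Z` or `matchpathcon` output; status 1 if there is none.
# Runs in a subshell with globbing off so a "?" context is not expanded.
context_type() (
    set -f
    for tok in $1; do
        case $tok in
            *:*:*) printf '%s\n' "$tok" | cut -d: -f3; exit 0 ;;
        esac
    done
    exit 1
)

# Compare the live label with the policy default. Prints one word:
# wrong, temporary, persistent or unlabeled.
label_verdict() {
    cur=$(context_type "$1") || { echo unlabeled; return 0; }
    def=$(context_type "$2") || { echo unlabeled; return 0; }
    if [ "$cur" != "$EXPECTED_TYPE" ]; then
        echo wrong         # binary does not carry the expected type now
    elif [ "$def" != "$EXPECTED_TYPE" ]; then
        echo temporary     # set by hand; a relabel puts the default back
    else
        echo persistent    # policy or a local file-context rule agrees
    fi
}

# Live check; assumes ls -Z, matchpathcon and semanage are installed.
check_path() {
    v=$(label_verdict "$(ls -Zd "$1")" "$(matchpathcon "$1")")
    echo "$1: $v"
    case $v in
        wrong) echo "  until next relabel: chcon -t $EXPECTED_TYPE $1" ;;
        temporary) echo "  persist: semanage fcontext -a -t $EXPECTED_TYPE $1" ;;
    esac
}

# Constructed sample lines, not captured from a real system.
SAMPLE_LS='system_u:object_r:xdm_exec_t:s0 /usr/sbin/gdm3'
SAMPLE_DEFAULT='/usr/sbin/gdm3 system_u:object_r:bin_t:s0'

if [ "$#" -gt 0 ]; then check_path "$1"; else label_verdict "$SAMPLE_LS" "$SAMPLE_DEFAULT"; fi
```

Run with a path argument (for example /usr/sbin/gdm3) on an SELinux-enabled system; with no argument it classifies the constructed sample, which reports "temporary".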
Bug#683756: [DSE-Dev] Bug#683756: selinux in permissive mode breaks gdm and X
On Sep 5, 2012, at 5:11, deb...@mikapflueger.de wrote:
> Hi Ron
>
> Are you absolutely sure the context for gdm3 is correct at the machine
> where it doesn't work? You wrote that you relabeled and rebooted and
> that would restore the (wrong) context.
>
> Unfortunately (I'm not sure if this is a bug - it is intended but I
> don't like it) reenabling selinux after having it disabled triggers an
> autorelabel. This is what happened for me: I had selinux disabled,
> changed the context for gdm3, rebooted with selinux=1 security=selinux,
> the system did a relabeling on the boot, and I got a broken gdm3 right
> again. You then have to log into a VT (e.g. ctrl+alt+f1) and correct
> the label from the command line. Then you can reboot once again (which
> now will hopefully _not_ relabel) and after that it worked for me.

Yes, I'm sure the context is correct. I was initially fooled by the context-change-on-relabel 'feature', but when gdm gets stuck on that, it doesn't respawn. When I fixed the context and rebooted, gdm continually respawned as it had done before, and the segfault and backtrack appeared in the log.

I think we're talking about a different bug now (probably in libextmod).

A better workaround, I found, is to restore libextmod.so to its correct place, and add this to xorg.conf:

    Section "Module"
        SubSection "extmod"
            Option "omit SELinux"
        EndSubSection
    EndSection

That, at least, retains the other ext mod functions.

.Ron
Bug#683756: [DSE-Dev] Bug#683756: selinux in permissive mode breaks gdm and X
Hi,

On Wed, 29 Aug 2012 14:23:29 +0200, Laurent Bigonville bi...@debian.org wrote:
> On Wed, 29 Aug 2012 16:45:02 +0530, piruthiviraj natarajan piruthivi...@gmail.com wrote:
> > You want us to change the type bin_t into what?
> > I assumed that you want to relabel the type and I tried relabelling
> >
> > #chcon -t xdm_exec_t /usr/sbin/gdm3
> >
> > but it didn't work. Still stuck with a black screen. I had to disable
> > the selinux at boot to log in to X.
> > Now I am at
> >
> > #ls -Z /usr/sbin/gdm3
> > system_u:object_r:xdm_exec_t:s0 /usr/sbin/gdm3
>
> That should fix the described issue if selinux is in permissive mode,
> not enforcing mode. We are still far from having GNOME working in
> enforcing mode.

Yes, you found the culprit. Thanks a lot! I just couldn't imagine the label having any influence on the functionality in permissive mode. Well, I still don't really understand, but it works. (-:

Cheers + thanks,
Mika