Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Philip Kovacs
I got hit with this too on F28 using negativo17's nvidia driver
packages. Downgrading selinux-policy-3.14.1-25 /
selinux-policy-targeted-3.14.1-25 clears it up. There's a fedora update to
-3.14.1-29 pending:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Too bad dnf doesn't allow excludepkgs granularity down to the release number,
i.e., you can set dnf.conf to exclude/skip 3.14.1, but not 3.14.1-25.

On Thursday, May 24, 2018, 5:42:38 PM EDT, Adam Williamson wrote:
 
 On Wed, 2018-05-23 at 20:13 -0600, Jerry James wrote:



> [1] Which is totally useless, by the way.  It says "Oh no!  Something went
> wrong!"  (Great.  *WHAT* went wrong?) and informs me that I must logout.  I
> wasn't logged in.  There's a nice logout button there, but it can't be
> pressed.  There is no mouse pointer.  No keyboard shortcut that I can think
> of causes the button to change appearance.  Even if I did manage to press
> it, what exactly would that do?  I'm already not logged in!

I'd file a bug on upstream GNOME for this, against gdm or gnome-shell.
The screen is part of *gnome-shell*, in fact, not GDM. IIRC and AIUI
(put those on my gravestone!), the screen was introduced before gdm
became basically a special case of shell - so the screen was written
assuming it'd be displayed when a *logged-in session* hit a critical
failure. But now gdm *is* just a special case of gnome-shell...it also
shows up when a *gdm instance* hits a critical failure. And obviously,
as you say, makes very little sense in that case. CCing desktop list.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/B3QVO6L7OHSS4UZJM2DNTITEOQX56NT7/
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/6KKLUD6QXFL6HQGPU3W4CUC2CYGAXPJI/


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Adam Williamson
On Wed, 2018-05-23 at 20:13 -0600, Jerry James wrote:



> [1] Which is totally useless, by the way.  It says "Oh no!  Something went
> wrong!"  (Great.  *WHAT* went wrong?) and informs me that I must logout.  I
> wasn't logged in.  There's a nice logout button there, but it can't be
> pressed.  There is no mouse pointer.  No keyboard shortcut that I can think
> of causes the button to change appearance.  Even if I did manage to press
> it, what exactly would that do?  I'm already not logged in!

I'd file a bug on upstream GNOME for this, against gdm or gnome-shell.
The screen is part of *gnome-shell*, in fact, not GDM. IIRC and AIUI
(put those on my gravestone!), the screen was introduced before gdm
became basically a special case of shell - so the screen was written
assuming it'd be displayed when a *logged-in session* hit a critical
failure. But now gdm *is* just a special case of gnome-shell...it also
shows up when a *gdm instance* hits a critical failure. And obviously,
as you say, makes very little sense in that case. CCing desktop list.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/B3QVO6L7OHSS4UZJM2DNTITEOQX56NT7/


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Adam Williamson
On Thu, 2018-05-24 at 08:09 -0600, Jerry James wrote:
> On Thu, May 24, 2018 at 12:39 AM, Heiko Adams wrote:
> 
> > I can't confirm that. Maybe because I relabel my system after every
> > selinux policy update.
> > 
> 
> As I said in the original message:
> 
>   "I did a full SELinux relabel immediately afterwards.  Nothing relevant
> changed labels."
> 
> Now that I'm at work, I can confirm that my wimpy old work machine with
> Intel graphics is not having any issues.  The problem may be restricted to
> systems using the Nvidia proprietary driver.

Note that the denial is for /dev/nvidiactl , so this seems likely.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NAEX7XEPVCOYB4JLLBJ2AXSR2N43RCME/


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread John Florian

On 2018-05-24 10:09, Jerry James wrote:
> The problem may be restricted to systems using the Nvidia proprietary
> driver.


I have that driver and was also affected, though am using sddm rather
than gdm.  My workaround was the following local policy:


~~~
module local_sddm 1.0;

require {
    type xdm_t;
    type xserver_misc_device_t;
    class chr_file map;
}

#= xdm_t ==
allow xdm_t xserver_misc_device_t:chr_file map;
~~~
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/P2MVSNB5YSBSHGPP367TG6M5FAP33AUJ/
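
How the denials reported at the start of this thread translate into type-enforcement rules such as the one in the local policy above, as an added example that is not part of any poster's message: a simplified version of the mapping `audit2allow` performs, run over the two journal lines from the original report. The function names are this example's own.

```python
import re
import shlex
from collections import defaultdict

# The two denials from the thread's first report (wrapped journal lines joined).
THREAD_DENIALS = [
    'systemd[1071]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42 '
    'cmdline="/usr/libexec/gdm-x-session gnome-session --autostart '
    '/usr/share/gdm/greeter/autostart" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=system permissive=0',
    'audit[1405]: AVC avc:  denied  { map } for  pid=1405 comm="gnome-session-c" '
    'path="/dev/nvidiactl" dev="devtmpfs" ino=20616 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:xserver_misc_device_t:s0 '
    'tclass=chr_file permissive=0',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')

def parse_avc(line):
    """Return (source_type, target_type, class, perms, path) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # shlex keeps quoted values such as cmdline="... ..." in one token.
    kv = dict(t.split('=', 1) for t in shlex.split(m.group(2)) if '=' in t)
    # A context is user:role:type:level, so the type is the third field.
    src = kv['scontext'].split(':')[2]
    tgt = kv['tcontext'].split(':')[2]
    return src, tgt, kv['tclass'], m.group(1).split(), kv.get('path')

def allow_rules(lines):
    """Merge denials into 'allow' rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms, _path = parsed
            merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(THREAD_DENIALS)))
```

The rule derived from the `map` denial on `/dev/nvidiactl` is the one in the local module above; the `status` denial produces a separate rule that the module does not include.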


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Lukas Vrabec
On 05/24/2018 04:09 PM, Jerry James wrote:
> On Thu, May 24, 2018 at 12:39 AM, Heiko Adams wrote:
>
> > I can't confirm that. Maybe because I relabel my system after every
> > selinux policy update.
>
> As I said in the original message:
> 
>   "I did a full SELinux relabel immediately afterwards.  Nothing
> relevant changed labels."
> 
> Now that I'm at work, I can confirm that my wimpy old work machine with
> Intel graphics is not having any issues.  The problem may be restricted
> to systems using the Nvidia proprietary driver.

The following build should fix this issue:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1084439

Thanks.
Lukas.


> -- 
> Jerry James
> http://www.jamezone.org/


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.



List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/73PCEZV4B5A4AKUDLZGXMKO5RASAPLJX/


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Jerry James
On Thu, May 24, 2018 at 12:39 AM, Heiko Adams wrote:

> I can't confirm that. Maybe because I relabel my system after every
> selinux policy update.
>

As I said in the original message:

  "I did a full SELinux relabel immediately afterwards.  Nothing relevant
changed labels."

Now that I'm at work, I can confirm that my wimpy old work machine with
Intel graphics is not having any issues.  The problem may be restricted to
systems using the Nvidia proprietary driver.
-- 
Jerry James
http://www.jamezone.org/
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/M2FHUCS3YBQQQCBQKS7BXTXIAZHR2B54/


Re: Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-24 Thread Heiko Adams
I can't confirm that. Maybe because I relabel my system after every selinux 
policy update.
--
Heiko Adams

On 24 May 2018 04:13:25 CEST, Jerry James wrote:
>I installed the latest batch of updates for F28 tonight.  Since that
>included a new kernel (4.16.10-300.fc28), I rebooted.  The system came up
>with the GDM panic screen [1].  I rebooted into the previous kernel
>thinking that something might be wrong with the new one.  Same result.  I
>rebooted again and added enforcing=0 to the kernel boot line.  That
>worked.  I did a full SELinux relabel immediately afterwards.  Nothing
>relevant changed labels.
>
>The SELinux Alert Browser says there are no alerts.  Journalctl shows this:
>
>systemd[1071]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42
>cmdline="/usr/libexec/gdm-x-session gnome-session --autostart
>/usr/share/gdm/greeter/autostart"
>scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>tclass=system permissive=0
>
>followed a short time later by this:
>
>audit[1405]: AVC avc:  denied  { map } for  pid=1405 comm="gnome-session-c"
>path="/dev/nvidiactl" dev="devtmpfs" ino=20616
>scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>tcontext=system_u:object_r:xserver_misc_device_t:s0
>tclass=chr_file permissive=0
>
>And there are several more minor variations on that last one in the logs.
>Just thought everybody should know ASAP.
>
>Footnotes:
>[1] Which is totally useless, by the way.  It says "Oh no!  Something went
>wrong!"  (Great.  *WHAT* went wrong?) and informs me that I must logout.  I
>wasn't logged in.  There's a nice logout button there, but it can't be
>pressed.  There is no mouse pointer.  No keyboard shortcut that I can think
>of causes the button to change appearance.  Even if I did manage to press
>it, what exactly would that do?  I'm already not logged in!
>-- 
>Jerry James
>http://www.jamezone.org/
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/KLYFIL7QYNSDDQVOVZXQ2IZVO3WLJKQK/


Heads up: selinux-policy-3.14.1-25.fc28 breaks GDM

2018-05-23 Thread Jerry James
I installed the latest batch of updates for F28 tonight.  Since that
included a new kernel (4.16.10-300.fc28), I rebooted.  The system came up
with the GDM panic screen [1].  I rebooted into the previous kernel
thinking that something might be wrong with the new one.  Same result.  I
rebooted again and added enforcing=0 to the kernel boot line.  That
worked.  I did a full SELinux relabel immediately afterwards.  Nothing
relevant changed labels.

The SELinux Alert Browser says there are no alerts.  Journalctl shows this:

systemd[1071]: selinux: avc:  denied  { status } for auid=n/a uid=42 gid=42
cmdline="/usr/libexec/gdm-x-session gnome-session --autostart
/usr/share/gdm/greeter/autostart"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=system permissive=0

followed a short time later by this:

audit[1405]: AVC avc:  denied  { map } for  pid=1405 comm="gnome-session-c"
path="/dev/nvidiactl" dev="devtmpfs" ino=20616
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xserver_misc_device_t:s0
tclass=chr_file permissive=0

And there are several more minor variations on that last one in the logs.
Just thought everybody should know ASAP.

Footnotes:
[1] Which is totally useless, by the way.  It says "Oh no!  Something went
wrong!"  (Great.  *WHAT* went wrong?) and informs me that I must logout.  I
wasn't logged in.  There's a nice logout button there, but it can't be
pressed.  There is no mouse pointer.  No keyboard shortcut that I can think
of causes the button to change appearance.  Even if I did manage to press
it, what exactly would that do?  I'm already not logged in!
-- 
Jerry James
http://www.jamezone.org/
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/RRSUFDGD6YVOLP5YSVMSTB6UMS2AAGG7/