Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 11:53 PM, Ed Greshko wrote:
> There are times where you will have selinux preventing something but you won't get an
> AVC in the audit.log. This is due to a policy which has "dontaudit" enabled.
>
> If you run into this situation again you should try the command "semodule -BD"
>
> The D means "Temporarily remove dontaudits from policy. Reverts whenever policy is
> rebuilt".
>
> After troubleshooting run "semodule -B" to restore to normal operation.

Thank you! I wrote it down for the next time!

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: SELinux is blocking lightdm login to Xfce
On 03/13/2018 02:39 AM, Lukas Vrabec wrote:
> On 03/13/2018 06:57 AM, ToddAndMargo wrote:
>> Follow up:
>>
>> With everyone's help, I cleaned up my SELinux homedir's
>> and set Samba's SELinux stuff right.
>>
>> I still could not log in from lightdm, except to root,
>> when SELinux was Enforcing.
>>
>> And SEAlert was completely quiet. And
>> /var/log/audit/audit.log
>> was completely empty.
>>
>> Then I got sneaky and created a new user in a different
>> root directory (/home2). That worked. Hmmm.
>>
>> So I renamed my $HOME directory and recreated an empty
>> one. That worked too. POOP !!
>>
>> So I thought of trying to trace down who was doing it. Gave
>> up and restored my user's directories from backup. That also
>> worked!
>>
>> Yippee!
>>
>> Thank you all for the tips. I wrote down about five of them,
>> so I would not forget. SELinux baffles me at times.
>
> I'm quite lost with your e-mails, but how is it labeled right now in your
> homedir? It shouldn't be samba_share_t if it's working and also, could
> you please attach output of:
>
> # semanage export
>
> Thanks,
> Lukas.

What is the command telling me?

# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 daemons_use_tty
boolean -m -1 named_write_master_zones
boolean -m -1 samba_domain_controller
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
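
An added example, not part of the thread or any poster's code: it takes the two AVC records and a subset of the `semanage export` lines quoted in this thread and reports which local fcontext rule assigns the denied target type to the denied path. It assumes that rules added with `semanage fcontext -a` are what `restorecon` applies and that each rule is a fully anchored regular expression; the function names are hypothetical.

```python
import re
import shlex

# The two denials and a subset of the `semanage export` lines quoted in this thread.
AVC_LOG = '''\
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
'''

SEMANAGE_EXPORT = """\
fcontext -D
boolean -m -1 samba_enable_home_dirs
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -e /home /home/users
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(log_text):
    """Turn AVC denial lines into dicts; 'path' is None when only name= is logged."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        denials.append({
            "comm": fields.get("comm"),
            "path": fields.get("path"),
            "perms": m.group(1).split(),
            "source_type": selinux_type(fields["scontext"]),
            "target_type": selinux_type(fields["tcontext"]),
            "tclass": fields.get("tclass"),
        })
    return denials


def parse_local_fcontext(export_text):
    """Return (path_regex, type) for each local 'fcontext ... -t TYPE REGEX' line."""
    rules = []
    for line in export_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "fcontext" or "-t" not in tok:
            continue  # skips "-D" resets, booleans and "-e" equivalence rules
        rules.append((tok[-1], tok[tok.index("-t") + 1]))
    return rules


def explain(log_text, export_text):
    """For each denial with a full path, list the local rules that give that
    path the denied target type (the rules a relabel would re-apply)."""
    rules = parse_local_fcontext(export_text)
    findings = []
    for d in parse_avc(log_text):
        if d["path"] is None:
            continue
        hits = [rx for rx, t in rules
                if t == d["target_type"] and re.fullmatch(rx, d["path"])]
        findings.append((d["path"], d["target_type"], hits))
    return findings


if __name__ == "__main__":
    for path, ttype, hits in explain(AVC_LOG, SEMANAGE_EXPORT):
        print(f"{path}: labeled {ttype} by local rule(s) {hits}")
```
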
Re: SELinux is blocking lightdm login to Xfce
On 03/13/2018 06:57 AM, ToddAndMargo wrote:
> Follow up:
>
> With everyone's help, I cleaned up my SELinux homedir's
> and set Samba's SELinux stuff right.
>
> I still could not log in from lightdm, except to root,
> when SELinux was Enforcing.
>
> And SEAlert was completely quiet. And
> /var/log/audit/audit.log
> was completely empty.
>
> Then I got sneaky and created a new user in a different
> root directory (/home2). That worked. Hmmm.
>
> So I renamed my $HOME directory and recreated an empty
> one. That worked too. POOP !!
>
> So I thought of trying to trace down who was doing it. Gave
> up and restored my user's directories from backup. That also
> worked!
>
> Yippee!
>
> Thank you all for the tips. I wrote down about five of them,
> so I would not forget. SELinux baffles me at times.
>

I'm quite lost with your e-mails, but how is it labeled right now in your
homedir? It shouldn't be samba_share_t if it's working and also, could
you please attach output of:

# semanage export

Thanks,
Lukas.

> -T

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
Re: SELinux is blocking lightdm login to Xfce
On 03/13/18 13:57, ToddAndMargo wrote:
> Thank you all for the tips. I wrote down about five of them,
> so I would not forget. SELinux baffles me at times.

Good to hear all is working now.

One thing I just realized I was remiss in mentioning.

There are times where you will have selinux preventing something but you won't get an
AVC in the audit.log. This is due to a policy which has "dontaudit" enabled.

If you run into this situation again you should try the command "semodule -BD"

The D means "Temporarily remove dontaudits from policy. Reverts whenever policy is
rebuilt".

After troubleshooting run "semodule -B" to restore to normal operation.

Sorry to have left that out. I don't run into many selinux issues and forgot about it.

--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.
Re: SELinux is blocking lightdm login to Xfce
Follow up:

With everyone's help, I cleaned up my SELinux homedir's
and set Samba's SELinux stuff right.

I still could not log in from lightdm, except to root,
when SELinux was Enforcing.

And SEAlert was completely quiet. And
/var/log/audit/audit.log
was completely empty.

Then I got sneaky and created a new user in a different
root directory (/home2). That worked. Hmmm.

So I renamed my $HOME directory and recreated an empty
one. That worked too. POOP !!

So I thought of trying to trace down who was doing it. Gave
up and restored my user's directories from backup. That also
worked!

Yippee!

Thank you all for the tips. I wrote down about five of them,
so I would not forget. SELinux baffles me at times.

-T
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 04:04 PM, ToddAndMargo wrote:
> Now Samba does not work either.

Samba is back to working. My firewall was blocking it,
as I somehow lost my systemd script for custom.firewall.service.
But all is better now.
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 03:49 PM, Ed Greshko wrote:
> # /sbin/restorecon -v /home/tony/.xsession-errors
> # ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
> # semodule -X 300 -i my-lightdm.pp

That happened very early on in SEAlert. SEAlert is now quiet.

Redoing the above did not help.

Now Samba does not work either.
Re: SELinux is blocking lightdm login to Xfce
On 03/13/18 06:13, ToddAndMargo wrote:
>>
>> /usr/bin/sealert -b
>> Is quiet

If I put the AVC's you mention in the original post in a file

type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

And run sealert against them I get

[egreshko@meimei ~]$ sealert -a err
100% done
found 2 alerts in err

SELinux is preventing lightdm from create access on the file .xsession-errors.

* Plugin catchall (100. confidence) suggests **

If you believe that lightdm should be allowed create access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                .xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port
Host
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1 SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      4b15d210-1cff-461f-8c2a-8469d09752d2

Raw Audit Messages
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

Hash: lightdm,xdm_t,samba_share_t,file,create

SELinux is preventing lightdm from 'write, open' accesses on the file /home/tony/.xsession-errors.

* Plugin restorecon (99.5 confidence) suggests

If you want to fix the label.
/home/tony/.xsession-errors default label should be xdm_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/tony/.xsession-errors

* Plugin catchall (1.49 confidence) suggests **

If you believe that lightdm should be allowed write open access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /home/tony/.xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port
Host
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1 SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      82cda10c-f801-4a67-b762-54b27ad752cb

Raw Audit Messages
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 03:13 PM, ToddAndMargo wrote:
On 03/12/2018 03:06 PM, ToddAndMargo wrote:
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64
Xfce 4.12
lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

# grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's, .xsession-errors.

How do I fix this?

I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home

# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet

Any hints in here?

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0 .
system_u:object_r:home_root_t:s0 ..
unconfined_u:object_r:samba_share_t:s0 .acetoneiso
unconfined_u:object_r:samba_share_t:s0 .adobe
unconfined_u:object_r:samba_share_t:s0 apctest.output

Seems to me that all this crap is from my home directory
and should not have anything to do with samba

The samba shares are on /home/CDs and /home/OurStuff
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 03:06 PM, ToddAndMargo wrote:
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64
Xfce 4.12
lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

# grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's, .xsession-errors.

How do I fix this?

I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home

# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet

Any hints in here?

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0 .
system_u:object_r:home_root_t:s0 ..
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64
Xfce 4.12
lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

# grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's, .xsession-errors.

How do I fix this?

I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home

# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
> Are you sharing your homedir via samba? If yes,

I am

> # restorecon -Rv /home
> # semanage boolean -m samba_enable_home_dirs --on

Didn't work. Rats!
Re: SELinux is blocking lightdm login to Xfce
On 03/13/18 05:57, ToddAndMargo wrote:
> On 03/12/2018 03:08 AM, Ed Greshko wrote:
>> You can try "restorecon /home/tony/.xsession-errors". You may have to do
>> that as root.
>
> didn't work. Rats!

You may want to run the troubleshooter to see what it suggests

/usr/bin/sealert -b
Re: SELinux is blocking lightdm login to Xfce
On 03/13/18 05:54, ToddAndMargo wrote:
> Will try in a minute

OK, but you may need to follow the more inclusive solution provided by Lukas if you
are using samba.
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 03:08 AM, Ed Greshko wrote:
> You can try "restorecon /home/tony/.xsession-errors". You may have to do that as
> root.

didn't work. Rats!
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 03:08 AM, Ed Greshko wrote:
> On 03/12/18 17:35, ToddAndMargo wrote:
>> Hi All,
>>
>> Fedora 27, x64
>> Xfce 4.12
>> lightdm-1.25.1-5.fc27.x86_64
>>
>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>
>> If I set SELinux to Permissive, I can log into anyone.
>>
>> SEAlert is quiet.
>>
>> In the Audit log, I get:
>>
>> # grep lightdm /var/log/audit/audit.log | grep denied
>>
>> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
>>
>> How do I fix this?
>
> What do you have for "ls -Z /home/tony/.xsession-errors"?
>
> Mine is...
>
> [egreshko@meimei ~]$ ls -Z .xsession-errors
> unconfined_u:object_r:xdm_home_t:s0 .xsession-errors

$ ls -Z /home/tony/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/tony/.xsession-errors

> You can try "restorecon /home/tony/.xsession-errors". You may have to do that as
> root.

Will try in a minute
Re: SELinux is blocking lightdm login to Xfce
On 03/12/2018 10:35 AM, ToddAndMargo wrote:
> Hi All,
>
> Fedora 27, x64
>
> Xfce 4.12
>
> lightdm-1.25.1-5.fc27.x86_64
>
> With SELinux set to Enforcing, I can only log into Xfce as root.
>
> If I set SELinux to Permissive, I can log into anyone.
>
> SEAlert is quiet.
>
> In the Audit log, I get:
>
> # grep lightdm /var/log/audit/audit.log | grep denied
>
> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for
> pid=7554 comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for
> pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
>
> How do I fix this?
>

Hi ToddAndMargo,

Are you sharing your homedir via samba? If yes,

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on

This will restore all labels in your home dir and enable the domains in
which samba processes run to access your homedirs.

Lukas.

> Many thanks,
> -T

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
Re: SELinux is blocking lightdm login to Xfce
On 03/12/18 17:35, ToddAndMargo wrote:
> Hi All,
>
> Fedora 27, x64
>
> Xfce 4.12
>
> lightdm-1.25.1-5.fc27.x86_64
>
> With SELinux set to Enforcing, I can only log into Xfce as root.
>
> If I set SELinux to Permissive, I can log into anyone.
>
> SEAlert is quiet.
>
> In the Audit log, I get:
>
> # grep lightdm /var/log/audit/audit.log | grep denied
>
> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554
> comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for
> pid=7554
> comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
>
> How do I fix this?

What do you have for "ls -Z /home/tony/.xsession-errors"?

Mine is...

[egreshko@meimei ~]$ ls -Z .xsession-errors
unconfined_u:object_r:xdm_home_t:s0 .xsession-errors

You can try "restorecon /home/tony/.xsession-errors". You may have to do that as
root.