Re: SELinux is blocking lightdm login to Xfce

2018-03-13 Thread ToddAndMargo

On 03/12/2018 11:53 PM, Ed Greshko wrote:

> There are times where you will have selinux preventing something but you
> won't get an AVC in the audit.log.  This is due to a policy which has
> "dontaudit" enabled.  If you run into this situation again you should try
> the command "semodule -BD".  The D means "Temporarily remove dontaudits
> from policy.  Reverts whenever policy is rebuilt".
> After troubleshooting run "semodule -B" to restore to normal operation.


Thank you!  I wrote it down for the next time!
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: SELinux is blocking lightdm login to Xfce

2018-03-13 Thread ToddAndMargo

On 03/13/2018 02:39 AM, Lukas Vrabec wrote:

> On 03/13/2018 06:57 AM, ToddAndMargo wrote:
>> Follow up:
>>
>> With everyone's help, I cleaned up my SELinux homedir's
>> and set Samba's SELinux stuff right.
>>
>> I still could not log in from lightdm, except to root,
>> when SELinux was Enforcing.
>>
>> And SEAlert was completely quiet.  And
>>  /var/log/audit/audit.log
>> was completely empty.
>>
>> Then I got sneaky and created a new user in a different
>> root directory (/home2).  That worked.  Hmmm.
>>
>> So I renamed my $HOME directory and recreated an empty
>> one.  That worked too.  POOP !!
>>
>> So I thought of trying to trace down who was doing it.  Gave
>> up and restored my user's directories from backup. That also
>> worked!
>>
>> Yippee!
>>
>> Thank you all for the tips.  I wrote down about five of them,
>> so I would not forget.  SELinux baffles me at times.
>
> I'm quite lost with your e-mails, but how it's labeled right now in your
> homedir? It shouldn't be samba_share_t if it's working and also, could
> you please attach output of:
>
> # semanage export
>
> Thanks,
> Lukas.


What is the command telling me?


# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 daemons_use_tty
boolean -m -1 named_write_master_zones
boolean -m -1 samba_domain_controller
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
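
As an added example (not part of the original thread): the `fcontext -a` lines in the export above are local file-context rules, and this Python example checks which of them match a given path. Python's `re` stands in for the regex matching SELinux performs, an approximation that holds for these simple patterns; the probe paths and function names are assumptions of the example.

```python
import re
import shlex

# Constructed sample: fcontext-related lines copied from the `semanage export`
# output quoted in the thread, plus one boolean line to show it is skipped.
SAMPLE_EXPORT = """\
fcontext -D
boolean -m -1 samba_enable_home_dirs
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -e /home /home/users
"""


def parse_fcontext_rules(export_text):
    """Return [(setype, pattern)] for every 'fcontext -a ... -t TYPE PATTERN' line."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[0] != "fcontext" or "-a" not in tokens:
            continue  # not a local file-context addition
        if "-t" not in tokens:
            continue  # '-e' equivalence rules carry no type of their own
        type_index = tokens.index("-t") + 1
        if type_index >= len(tokens) - 1:
            continue  # malformed: no type or no pattern after -t
        rules.append((tokens[type_index], tokens[-1]))
    return rules


def rules_matching(rules, path):
    """Rules whose pattern matches the entire path (file-context regexes are anchored)."""
    hits = []
    for setype, pattern in rules:
        try:
            if re.fullmatch(pattern, path):
                hits.append((setype, pattern))
        except re.error:
            continue  # pattern uses regex syntax Python's re does not accept
    return hits


def report(export_text, probe_paths):
    """Map each probe path to the local rules that would label it."""
    rules = parse_fcontext_rules(export_text)
    return {path: rules_matching(rules, path) for path in probe_paths}


if __name__ == "__main__":
    # Hypothetical probe paths: a login file, a file in a share, a file outside /home.
    probes = ["/home/tony/.xsession-errors", "/home/CDs/disc.iso", "/home2/test/.bashrc"]
    for path, hits in report(SAMPLE_EXPORT, probes).items():
        print(path, "->", hits or "no local rule")
```

On a live system, `matchpathcon <path>` reports the label the installed file-context rules assign to a path, and `semanage fcontext -l -C` lists only the local customisations.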


Re: SELinux is blocking lightdm login to Xfce

2018-03-13 Thread Lukas Vrabec
On 03/13/2018 06:57 AM, ToddAndMargo wrote:
> Follow up:
> 
> With everyone's help, I cleaned up my SELinux homedir's
> and set Samba's SELinux stuff right.
> 
> I still could not log in from lightdm, except to root,
> when SELinux was Enforcing.
> 
> And SEAlert was completely quiet.  And
>  /var/log/audit/audit.log
> was completely empty.
> 
> Then I got sneaky and created a new user in a different
> root directory (/home2).  That worked.  Hmmm.
> 
> So I renamed my $HOME directory and recreated an empty
> one.  That worked too.  POOP !!
> 
> So I thought of trying to trace down who was doing it.  Gave
> up and restored my user's directories from backup. That also
> worked!
> 
> Yippee!
> 
> Thank you all for the tips.  I wrote down about five of them,
> so I would not forget.  SELinux baffles me at times.
> 

I'm quite lost with your e-mails, but how it's labeled right now in your
homedir? It shouldn't be samba_share_t if it's working and also, could
you please attach output of:

# semanage export

Thanks,
Lukas.

> -T
> 


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.




Re: SELinux is blocking lightdm login to Xfce

2018-03-13 Thread Ed Greshko
On 03/13/18 13:57, ToddAndMargo wrote:
> Thank you all for the tips.  I wrote down about five of them,
> so I would not forget.  SELinux baffles me at times.


Good to hear all is working now.

One thing I just realized I was remiss in mentioning.  There are times where you will
have selinux preventing something but you won't get an AVC in the audit.log.  This is
due to a policy which has "dontaudit" enabled.  If you run into this situation again
you should try the command "semodule -BD".  The D means
"Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt".
After troubleshooting run "semodule -B" to restore to normal operation.

Sorry to have left that out.  I don't run into many selinux issues and forgot about it.

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a fact.





Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

Follow up:

With everyone's help, I cleaned up my SELinux homedir's
and set Samba's SELinux stuff right.

I still could not log in from lightdm, except to root,
when SELinux was Enforcing.

And SEAlert was completely quiet.  And
 /var/log/audit/audit.log
was completely empty.

Then I got sneaky and created a new user in a different
root directory (/home2).  That worked.  Hmmm.

So I renamed my $HOME directory and recreated an empty
one.  That worked too.  POOP !!

So I thought of trying to trace down who was doing it.  Gave
up and restored my user's directories from backup. That also
worked!

Yippee!

Thank you all for the tips.  I wrote down about five of them,
so I would not forget.  SELinux baffles me at times.

-T



Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 04:04 PM, ToddAndMargo wrote:

Now Samba does not work either.


Samba is back to working.  My firewall was blocking
it, as I somehow lost my systemd script for custom.firewall.service.
But all is better now.



Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 03:49 PM, Ed Greshko wrote:

# /sbin/restorecon -v /home/tony/.xsession-errors
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp



That happened very early on in SEAlert.  SEAlert is
now quiet.

Redoing the above did not help.

Now Samba does not work either.



Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread Ed Greshko
On 03/13/18 06:13, ToddAndMargo wrote:
>>
>> /usr/bin/sealert -b
>> Is quiet


If I put the AVC's you mention in the original post in a file


type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

And run sealert against them I get

[egreshko@meimei ~]$ sealert -a err
100% done
found 2 alerts in err


SELinux is preventing lightdm from create access on the file .xsession-errors.

*  Plugin catchall (100. confidence) suggests   **

If you believe that lightdm should be allowed create access on the .xsession-errors
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp


Additional Information:
Source Context    system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context    system_u:object_r:samba_share_t:s0
Target Objects    .xsession-errors [ file ]
Source    lightdm
Source Path   lightdm
Port  
Host  
Source RPM Packages  
Target RPM Packages  
Policy RPM    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled   True
Policy Type   targeted
Enforcing Mode    Enforcing
Host Name meimei.greshko.com
Platform  Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
  SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count   1
First Seen    2018-03-12 16:31:19 CST
Last Seen 2018-03-12 16:31:19 CST
Local ID  4b15d210-1cff-461f-8c2a-8469d09752d2

Raw Audit Messages
type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1


Hash: lightdm,xdm_t,samba_share_t,file,create



SELinux is preventing lightdm from 'write, open' accesses on the file
/home/tony/.xsession-errors.

*  Plugin restorecon (99.5 confidence) suggests   

If you want to fix the label.
/home/tony/.xsession-errors default label should be xdm_home_t.
Then you can run restorecon. The access attempt may have been stopped due to
insufficient permissions to access a parent directory in which case try to change the
following command accordingly.
Do
# /sbin/restorecon -v /home/tony/.xsession-errors

*  Plugin catchall (1.49 confidence) suggests   **

If you believe that lightdm should be allowed write open access on the
.xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp


Additional Information:
Source Context    system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context    system_u:object_r:samba_share_t:s0
Target Objects    /home/tony/.xsession-errors [ file ]
Source    lightdm
Source Path   lightdm
Port  
Host  
Source RPM Packages  
Target RPM Packages  
Policy RPM    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled   True
Policy Type   targeted
Enforcing Mode    Enforcing
Host Name meimei.greshko.com
Platform  Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
  SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count   1
First Seen    2018-03-12 16:31:19 CST
Last Seen 2018-03-12 16:31:19 CST
Local ID  82cda10c-f801-4a67-b762-54b27ad752cb

Raw Audit Messages
type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file 
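
An added example, not part of the original thread: a Python parser for AVC records like the two quoted above, which groups denials by the same fields sealert prints in its "Hash:" line and records whether every record carried permissive=1. The sample input is the thread's two records rejoined onto single lines; the function names are the example's own.

```python
import re

# Constructed sample: the thread's two AVC records, each rejoined onto one line.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for '
    'pid=7554 comm="lightdm" name=".xsession-errors" '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1\n'
    'type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  '
    'pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" '
    'ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def setype(context):
    """Type field of user:role:type:level; the level may itself contain ':'."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group("fields"))}
    return {
        "perms": match.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": setype(fields.get("scontext", "")),
        "target_type": setype(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "object": fields.get("path") or fields.get("name"),
        # permissive=1: the denial was logged but the access was allowed
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text):
    """Group denials by (comm, source type, target type, class), merging permissions."""
    summary = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"])
        entry = summary.setdefault(
            key, {"perms": set(), "objects": set(), "all_permissive": True}
        )
        entry["perms"].update(rec["perms"])
        entry["objects"].add(rec["object"])
        entry["all_permissive"] = entry["all_permissive"] and rec["permissive"]
    return summary


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_AUDIT).items():
        mode = "permissive only" if entry["all_permissive"] else "enforced"
        print(",".join(key), sorted(entry["perms"]), sorted(entry["objects"]), mode)
```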

Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 03:13 PM, ToddAndMargo wrote:

On 03/12/2018 03:06 PM, ToddAndMargo wrote:

On 03/12/2018 04:20 AM, Lukas Vrabec wrote:

On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
pid=7554 comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's,
.xsession-errors.

How do I fix this?



I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home
# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet


Any hints in here?

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0  .
   system_u:object_r:home_root_t:s0  ..
unconfined_u:object_r:samba_share_t:s0  .acetoneiso
unconfined_u:object_r:samba_share_t:s0  .adobe
unconfined_u:object_r:samba_share_t:s0  apctest.output


Seems to me that all this crap is from my home directory
and should not have anything to do with samba

The samba shares are on /home/CDs and /home/OurStuff





Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 03:06 PM, ToddAndMargo wrote:

On 03/12/2018 04:20 AM, Lukas Vrabec wrote:

On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
pid=7554 comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's,
.xsession-errors.

How do I fix this?



I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home
# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet


Any hints in here?

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0  .
  system_u:object_r:home_root_t:s0  ..
unconfined_u:object_r:samba_share_t:s0  .acetoneiso
unconfined_u:object_r:samba_share_t:s0  .adobe
unconfined_u:object_r:samba_share_t:s0  apctest.output
unconfined_u:object_r:samba_share_t:s0  .armitage.prop
unconfined_u:object_r:samba_share_t:s0  .atom
unconfined_u:object_r:samba_share_t:s0  .audacity-data
unconfined_u:object_r:samba_share_t:s0  .autoscan-network
unconfined_u:object_r:samba_share_t:s0  .avidemux6
unconfined_u:object_r:samba_share_t:s0  .bash_history
unconfined_u:object_r:samba_share_t:s0  .bash_logout
unconfined_u:object_r:samba_share_t:s0  .bash_profile
unconfined_u:object_r:samba_share_t:s0  .bashrc
unconfined_u:object_r:samba_share_t:s0  bash.read.yn.prompt.txt
unconfined_u:object_r:samba_share_t:s0  .bluefish
unconfined_u:object_r:samba_share_t:s0  brave
unconfined_u:object_r:samba_share_t:s0  .cache
unconfined_u:object_r:samba_share_t:s0 'Calibre Library'
unconfined_u:object_r:samba_share_t:s0  .canna
unconfined_u:object_r:samba_share_t:s0 'CDBurnerXP Projects'
unconfined_u:object_r:samba_share_t:s0  .cddb
unconfined_u:object_r:samba_share_t:s0  .cddbslave
unconfined_u:object_r:samba_share_t:s0  .config
unconfined_u:object_r:samba_share_t:s0  contacts.csv
unconfined_u:object_r:samba_share_t:s0  .cpan
unconfined_u:object_r:samba_share_t:s0  .cpanm
unconfined_u:object_r:samba_share_t:s0  .crash_report_checksum
unconfined_u:object_r:samba_share_t:s0  .crash_report_frames
unconfined_u:object_r:samba_share_t:s0  .crash_report_preview
unconfined_u:object_r:samba_share_t:s0  .crash_reportrc
unconfined_u:object_r:samba_share_t:s0  -curl
unconfined_u:object_r:samba_share_t:s0  .dbus
unconfined_u:object_r:samba_share_t:s0  debug.txt
unconfined_u:object_r:samba_share_t:s0  Desktop
unconfined_u:object_r:samba_share_t:s0  .Desktop
unconfined_u:object_r:samba_share_t:s0  .dia
unconfined_u:object_r:samba_share_t:s0  .dmrc
unconfined_u:object_r:samba_share_t:s0  Documents
unconfined_u:object_r:samba_share_t:s0  Documents.000
unconfined_u:object_r:samba_share_t:s0  done
unconfined_u:object_r:samba_share_t:s0  .DownloadManager
unconfined_u:object_r:samba_share_t:s0  Downloads
unconfined_u:object_r:samba_share_t:s0  .dropbox
unconfined_u:object_r:samba_share_t:s0  Dropbox
unconfined_u:object_r:samba_share_t:s0  .dropbox-dist
unconfined_u:object_r:samba_share_t:s0  .dvdcss
unconfined_u:object_r:samba_share_t:s0  DVDFab
unconfined_u:object_r:samba_share_t:s0  .dvdrip
unconfined_u:object_r:samba_share_t:s0  .dvdriprc
unconfined_u:object_r:samba_share_t:s0  dwhelper
unconfined_u:object_r:samba_share_t:s0  .eggcups
unconfined_u:object_r:samba_share_t:s0  .elinks
unconfined_u:object_r:samba_share_t:s0  .emacs
unconfined_u:object_r:samba_share_t:s0  .emacs.d
unconfined_u:object_r:samba_share_t:s0  eraseme.txt
unconfined_u:object_r:samba_share_t:s0  .esd_auth
unconfined_u:object_r:samba_share_t:s0  .filezilla
unconfined_u:object_r:samba_share_t:s0  .fltk
unconfined_u:object_r:samba_share_t:s0  .fontconfig
unconfined_u:object_r:samba_share_t:s0  .fonts
unconfined_u:object_r:samba_share_t:s0  .fonts.cache-1
unconfined_u:object_r:samba_share_t:s0  .Foxit
unconfined_u:object_r:samba_share_t:s0  .freerdp
unconfined_u:object_r:samba_share_t:s0  .gconf
unconfined_u:object_r:samba_share_t:s0  .gconfd
unconfined_u:object_r:samba_share_t:s0  .gftp
unconfined_u:object_r:samba_share_t:s0  .gimp-2.6
unconfined_u:object_r:samba_share_t:s0  

Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 04:20 AM, Lukas Vrabec wrote:

On 03/12/2018 10:35 AM, ToddAndMargo wrote:

Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
pid=7554 comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's,
.xsession-errors.

How do I fix this?



I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running share from /home
# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet



Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 04:20 AM, Lukas Vrabec wrote:

Are you sharing your homedir via samba? If yes,


I am


# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on


Didn't work.  Rats!


Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread Ed Greshko
On 03/13/18 05:57, ToddAndMargo wrote:
> On 03/12/2018 03:08 AM, Ed Greshko wrote:
>> You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as
>> root.
>
> didn't work.  Rats!

You may want to run the troubleshooter to see what it suggests

/usr/bin/sealert -b


-- 
Conjecture is just a conclusion based on incomplete information. It isn't a fact.





Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread Ed Greshko
On 03/13/18 05:54, ToddAndMargo wrote:
> Will try in a minute 


OK, but you may need to follow the more inclusive solution provided by Lukas if you
are using samba.

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a fact.





Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 03:08 AM, Ed Greshko wrote:

You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.


didn't work.  Rats!


Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread ToddAndMargo

On 03/12/2018 03:08 AM, Ed Greshko wrote:

On 03/12/18 17:35, ToddAndMargo wrote:

Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's,
.xsession-errors.

How do I fix this?


What do you have for "ls -Z /home/tony/.xsession-errors"?  Mine is...

[egreshko@meimei ~]$ ls -Z .xsession-errors
unconfined_u:object_r:xdm_home_t:s0 .xsession-errors


$ ls -Z /home/tony/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/tony/.xsession-errors



You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.


Will try in a minute


Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread Lukas Vrabec
On 03/12/2018 10:35 AM, ToddAndMargo wrote:
> Hi All,
> 
> Fedora 27, x64
> 
> Xfce 4.12
> 
> lightdm-1.25.1-5.fc27.x86_64
> 
> With SELinux set to Enforcing, I can only log into Xfce as root.
> 
> If I set SELinux to Permissive, I can log into anyone.
> 
> SEAlert is quiet.
> 
> In the Audit log, I get:
> 
>    # grep lightdm /var/log/audit/audit.log | grep denied
> 
> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
> pid=7554 comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> 
> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
>  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> 
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
> 
> How do I fix this?
> 

Hi ToddAndMargo,

Are you sharing your homedir via samba? If yes,

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on

This will restore all labels in your home dir and enable domains where
runs samba processes to access your homedirs.

Lukas.


> Many thanks,
> -T


-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.




Re: SELinux is blocking lightdm login to Xfce

2018-03-12 Thread Ed Greshko
On 03/12/18 17:35, ToddAndMargo wrote:
> Hi All,
>
> Fedora 27, x64
>
> Xfce 4.12
>
> lightdm-1.25.1-5.fc27.x86_64
>
> With SELinux set to Enforcing, I can only log into Xfce as root.
>
> If I set SELinux to Permissive, I can log into anyone.
>
> SEAlert is quiet.
>
> In the Audit log, I get:
>
>    # grep lightdm /var/log/audit/audit.log | grep denied
>
> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
> comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
> comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
>
> How do I fix this?

What do you have for "ls -Z /home/tony/.xsession-errors"?  Mine is...

[egreshko@meimei ~]$ ls -Z .xsession-errors
unconfined_u:object_r:xdm_home_t:s0 .xsession-errors

You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.

-- 
Conjecture is just a conclusion based on incomplete information. It isn't a fact.


