Ask Your Question

SELinux is blocking lighdm from starting Xfce

asked 2018-03-12 09:21:07 +0000

toddandmargo gravatar image

Hi All,

Fedora 27, x64

Xfce 4.12


With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quite.

In the Audit log, I get:

   # grep lightdm /var/log/audit/audit.log | grep denied

 type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for  pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

    type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's, .xsession-errors.

How do I fix this?

Many thanks, -T

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2018-03-12 11:50:28 +0000

villykruse gravatar image

updated 2018-03-12 15:33:00 +0000

The file .xsession-errors is mislabeled. The selinux label should be system_u:object_r:xdm_home_t:s0 as you can check running ls -Z ~/.xsession-errors

Do run

restorecon -r ~/

If that does not fix the problem, somone has been messing with your SElinux settings.

If your real problem is with sharing your home directories via samba, then you might need to run this:

sudo setsebool -P samba_enable_home_dirs on
edit flag offensive delete link more


I am indeed running two samba shared from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors 

# restorecon -r /home/todd

Didn't work

Samba in running sahre from /home

# setsebool -P samba_enable_home_dirs on

Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on

Didn't work

# semanage boolean -P samba_enable_home_dirs on

Didn't work

/usr/bin/sealert -b

Is quiet

toddandmargo ( 2018-03-12 22:06:59 +0000 )edit

$ ls -aZ unconfinedu:objectr:sambasharet:s0 . systemu:objectr:homeroott:s0 .. unconfinedu:objectr:sambasharet:s0 .acetoneiso unconfinedu:objectr:sambasharet:s0 .adobe unconfinedu:objectr:sambasharet:s0 apctest.output and bazillions more

Seems to me that all this crap is from my home directory and should not have anything to do with samba

The samba shares are on /home/CDs and /home/OurStuff

toddandmargo ( 2018-03-12 22:28:20 +0000 )edit

ls -dZ . should show

unconfined_u:object_r:user_home_dir_t:s0 .

Yours show

unconfined_u:object_r:sambashare_t:s0 .

which is wrong.


sudo semanage fcontext -l |grep '^/home/' |grep directory

should show

/home/[^/]+       directory   unconfined_u:object_r:user_home_dir_t:s0 
/home/[^/]+/\.tmp directory   unconfined_u:object_r:user_tmp_t:s0 
/home/[^/]+/tmp   directory   unconfined_u:object_r:user_tmp_t:s0 
/home/lost\+found directory   system_u:object_r:lost_found_t:s0
villykruse ( 2018-03-13 05:47:48 +0000 )edit

answered 2018-03-13 06:02:42 +0000

toddandmargo gravatar image

Follow up:

With everyone's help, I cleaned up my SELinux homedir's and set Samba's SELinux stuff right.

I still could not log in from lightdm, except to root, when SLElinux was Enforcing.

And SEAlert was completely quiet. And /var/log/audit/audit.log was completely empty.

Then I got sneaky and created a new user in a different root directory (/home2). That worked. Hmmmmmmm.....

So I renamed my $HOME director and recreated and empty one. That worked too. POOP !!!!!!

So I though of trying to trace down who was doing it. Gave up and restored my user's directories from backup. That also worked!


Thank you all for the tips. SELinux baffles me at times.


edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Use your votes!

  • Use the 30 daily voting points that you get!
  • Up-vote well framed questions that provide enough information to enable people provide answers.
  • Thank your helpers by up-voting their comments and answers. If a question you asked has been answered, accept the best answer by clicking on the checkbox on the left side of the answer.
  • Down-voting might cost you karma, but you should consider doing so for incorrect or clearly detrimental questions and answers.

Question Tools

1 follower


Asked: 2018-03-12 09:21:07 +0000

Seen: 53 times

Last updated: Mar 13