
SELinux is blocking lightdm from starting Xfce

asked 2018-03-12 04:21:07 -0600

toddandmargo

updated 2018-05-31 05:36:53 -0600

FranciscoD_

Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log into anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

    type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for  pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

    type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's, .xsession-errors.

How do I fix this?

Many thanks, -T


2 Answers

1

answered 2018-03-12 06:50:28 -0600

villykruse

updated 2018-03-12 10:33:00 -0600

The file .xsession-errors is mislabeled. The selinux label should be system_u:object_r:xdm_home_t:s0 as you can check running ls -Z ~/.xsession-errors

Do run

restorecon -r ~/

If that does not fix the problem, someone has been messing with your SELinux settings.

If your real problem is with sharing your home directories via samba, then you might need to run this:

sudo setsebool -P samba_enable_home_dirs on

Comments

I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors 

# restorecon -r /home/todd

Didn't work

Samba is running shares from /home

# setsebool -P samba_enable_home_dirs on

Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on

Didn't work

# semanage boolean -P samba_enable_home_dirs on

Didn't work

/usr/bin/sealert -b

Is quiet

toddandmargo ( 2018-03-12 17:06:59 -0600 )

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0 .
system_u:object_r:home_root_t:s0 ..
unconfined_u:object_r:samba_share_t:s0 .acetoneiso
unconfined_u:object_r:samba_share_t:s0 .adobe
unconfined_u:object_r:samba_share_t:s0 apctest.output

and bazillions more

Seems to me that all this crap is from my home directory and should not have anything to do with samba

The samba shares are on /home/CDs and /home/OurStuff

toddandmargo ( 2018-03-12 17:28:20 -0600 )

ls -dZ . should show

unconfined_u:object_r:user_home_dir_t:s0 .

Yours shows

unconfined_u:object_r:samba_share_t:s0 .

which is wrong.

Running

sudo semanage fcontext -l |grep '^/home/' |grep directory

should show

/home/[^/]+       directory   unconfined_u:object_r:user_home_dir_t:s0 
/home/[^/]+/\.tmp directory   unconfined_u:object_r:user_tmp_t:s0 
/home/[^/]+/tmp   directory   unconfined_u:object_r:user_tmp_t:s0 
/home/lost\+found directory   system_u:object_r:lost_found_t:s0

villykruse ( 2018-03-13 00:47:48 -0600 )
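
An added example, not part of the thread: a shell helper that reduces AVC denials like the two in the question to the fields that matter for a labeling problem, then reports objects whose type differs from the one the answer above says to expect (xdm_home_t for .xsession-errors). The function names summarize_avc and wrong_label are hypothetical; the sample lines are the ones quoted in the question.

```bash
# Sample input: the two AVC denials quoted in the question above,
# embedded so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for  pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1'

# summarize_avc: read audit.log lines on stdin and print, per denial,
#   comm|source_type|target_type|class|permissions|object
# Assumes object names without spaces (awk splits fields on whitespace).
summarize_avc() {
  awk '
    /avc:[ ]+denied/ {
      comm = obj = st = tt = cls = perms = ""
      if (match($0, /[{][^}]*[}]/)) {          # permissions sit inside { }
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        gsub(/"/, "", v)
        if (k == "comm") comm = v
        else if (k == "path" || k == "name") obj = v
        else if (k == "tclass") cls = v
        else if (k == "scontext") { split(v, c, ":"); st = c[3] }
        else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
      }
      print comm "|" st "|" tt "|" cls "|" perms "|" obj
    }'
}

# wrong_label NAME EXPECTED_TYPE: report denied objects called NAME whose
# SELinux type is not EXPECTED_TYPE.
wrong_label() {
  summarize_avc | awk -F'|' -v name="$1" -v want="$2" '
    { base = $6; sub(/.*\//, "", base) }
    base == name && $3 != want { print $6 ": type is " $3 ", expected " want }'
}

# Demo on the embedded sample; on a real host feed /var/log/audit/audit.log.
printf '%s\n' "$SAMPLE_AVC" | wrong_label .xsession-errors xdm_home_t
```

Both sample denials are reported, which points at the file's label rather than at a missing allow rule for lightdm.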
0

answered 2018-03-13 01:02:42 -0600

toddandmargo

Follow up:

With everyone's help, I cleaned up my SELinux homedirs and set Samba's SELinux stuff right.

I still could not log in from lightdm, except to root, when SELinux was Enforcing.

And SEAlert was completely quiet. And /var/log/audit/audit.log was completely empty.

Then I got sneaky and created a new user in a different root directory (/home2). That worked. Hmmmmmmm.....

So I renamed my $HOME directory and recreated an empty one. That worked too. POOP !!!!!!

So I thought of trying to trace down who was doing it. Gave up and restored my user's directories from backup. That also worked!

Yippee!

Thank you all for the tips. SELinux baffles me at times.

-T


Stats

Asked: 2018-03-12 04:21:07 -0600

Seen: 131 times

Last updated: Mar 13