SELinux is blocking lightdm login to Xfce


SELinux is blocking lightdm login to Xfce

ToddAndMargo
Hi All,

Fedora 27, x64

Xfce 4.12

lightdm-1.25.1-5.fc27.x86_64

With SELinux set to Enforcing, I can only log into Xfce as root.

If I set SELinux to Permissive, I can log in as anyone.

SEAlert is quiet.

In the Audit log, I get:

    # grep lightdm /var/log/audit/audit.log | grep denied

type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
pid=7554 comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

SELinux is taking a shine to everyone's, except root's,
.xsession-errors.

How do I fix this?

Many thanks,
-T
_______________________________________________
users mailing list -- [hidden email]
To unsubscribe send an email to [hidden email]

Re: SELinux is blocking lightdm login to Xfce

Ed Greshko
On 03/12/18 17:35, ToddAndMargo wrote:

> Hi All,
>
> Fedora 27, x64
>
> Xfce 4.12
>
> lightdm-1.25.1-5.fc27.x86_64
>
> With SELinux set to Enforcing, I can only log into Xfce as root.
>
> If I set SELinux to Permissive, I can log in as anyone.
>
> SEAlert is quiet.
>
> In the Audit log, I get:
>
>    # grep lightdm /var/log/audit/audit.log | grep denied
>
> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
> comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
> comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
>
> How do I fix this?
What do you have for "ls -Z /home/tony/.xsession-errors"?  Mine is...

[egreshko@meimei ~]$ ls -Z .xsession-errors
unconfined_u:object_r:xdm_home_t:s0 .xsession-errors

You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.

--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.



Re: SELinux is blocking lightdm login to Xfce

Lukas Vrabec
In reply to this post by ToddAndMargo
On 03/12/2018 10:35 AM, ToddAndMargo wrote:

> Hi All,
>
> Fedora 27, x64
>
> Xfce 4.12
>
> lightdm-1.25.1-5.fc27.x86_64
>
> With SELinux set to Enforcing, I can only log into Xfce as root.
>
> If I set SELinux to Permissive, I can log in as anyone.
>
> SEAlert is quiet.
>
> In the Audit log, I get:
>
>    # grep lightdm /var/log/audit/audit.log | grep denied
>
> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
> pid=7554 comm="lightdm" name=".xsession-errors"
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
>  pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>
> SELinux is taking a shine to everyone's, except root's,
> .xsession-errors.
>
> How do I fix this?
>
Hi ToddAndMargo,

Are you sharing your homedir via samba? If yes,

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on

This will restore all labels in your home directory and let the domains in which
samba processes run access your home directories.

Lukas.


> Many thanks,
> -T


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by Ed Greshko
On 03/12/2018 03:08 AM, Ed Greshko wrote:

> On 03/12/18 17:35, ToddAndMargo wrote:
>> Hi All,
>>
>> Fedora 27, x64
>>
>> Xfce 4.12
>>
>> lightdm-1.25.1-5.fc27.x86_64
>>
>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>
>> If I set SELinux to Permissive, I can log in as anyone.
>>
>> SEAlert is quiet.
>>
>> In the Audit log, I get:
>>
>>     # grep lightdm /var/log/audit/audit.log | grep denied
>>
>> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
>> comm="lightdm" name=".xsession-errors"
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
>> comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> SELinux is taking a shine to everyone's, except root's,
>> .xsession-errors.
>>
>> How do I fix this?
>
> What do you have for "ls -Z /home/tony/.xsession-errors"?  Mine is...
>
> [egreshko@meimei ~]$ ls -Z .xsession-errors
> unconfined_u:object_r:xdm_home_t:s0 .xsession-errors

$ ls -Z /home/tony/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/tony/.xsession-errors

>
> You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.

Will try in a minute

Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by Ed Greshko
On 03/12/2018 03:08 AM, Ed Greshko wrote:
> You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as root.

didn't work.  Rats!

Re: SELinux is blocking lightdm login to Xfce

Ed Greshko
In reply to this post by ToddAndMargo
On 03/13/18 05:54, ToddAndMargo wrote:
> Will try in a minute


OK, but you may need to follow the more inclusive solution provided by Lukas if you
are using samba.

--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.



Re: SELinux is blocking lightdm login to Xfce

Ed Greshko
In reply to this post by ToddAndMargo
On 03/13/18 05:57, ToddAndMargo wrote:
> On 03/12/2018 03:08 AM, Ed Greshko wrote:
>> You can try "restorecon /home/tony/.xsession-errors".  You may have to do that as
>> root.
>
> didn't work.  Rats!

You may want to run the troubleshooter to see what it suggests....

/usr/bin/sealert -b


--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.



Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by Lukas Vrabec
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
> Are you sharing your homedir via samba? If yes,

I am

> # restorecon -Rv /home
> # semanage boolean -m samba_enable_home_dirs --on

Didn't work.  Rats!

Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by Lukas Vrabec
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:

> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>> Hi All,
>>
>> Fedora 27, x64
>>
>> Xfce 4.12
>>
>> lightdm-1.25.1-5.fc27.x86_64
>>
>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>
>> If I set SELinux to Permissive, I can log in as anyone.
>>
>> SEAlert is quiet.
>>
>> In the Audit log, I get:
>>
>>     # grep lightdm /var/log/audit/audit.log | grep denied
>>
>> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
>> pid=7554 comm="lightdm" name=".xsession-errors"
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
>>   pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
>> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>
>> SELinux is taking a shine to everyone's, except root's,
>> .xsession-errors.
>>
>> How do I fix this?


I am indeed running two samba shares from /home

$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors

# restorecon -r /home/todd
Didn't work

Samba is running a share from /home
# setsebool -P samba_enable_home_dirs on
Didn't work

# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work

# semanage boolean -P samba_enable_home_dirs on
Didn't work

/usr/bin/sealert -b
Is quiet


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
On 03/12/2018 03:06 PM, ToddAndMargo wrote:

> On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
>> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>>> Hi All,
>>>
>>> Fedora 27, x64
>>>
>>> Xfce 4.12
>>>
>>> lightdm-1.25.1-5.fc27.x86_64
>>>
>>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>>
>>> If I set SELinux to Permissive, I can log in as anyone.
>>>
>>> SEAlert is quiet.
>>>
>>> In the Audit log, I get:
>>>
>>>     # grep lightdm /var/log/audit/audit.log | grep denied
>>>
>>> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
>>> pid=7554 comm="lightdm" name=".xsession-errors"
>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>
>>> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for
>>>   pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
>>> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>
>>> SELinux is taking a shine to everyone's, except root's,
>>> .xsession-errors.
>>>
>>> How do I fix this?
>
>
> I am indeed running two samba shares from /home
>
> $ ls -Z /home/todd/.xsession-errors
> system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors
>
> # restorecon -r /home/todd
> Didn't work
>
> Samba is running a share from /home
> # setsebool -P samba_enable_home_dirs on
> Didn't work
>
> # restorecon -Rv /home
> # semanage boolean -m samba_enable_home_dirs --on
> Didn't work
>
> # semanage boolean -P samba_enable_home_dirs on
> Didn't work
>
> /usr/bin/sealert -b
> Is quiet

Any hints in here?

$ ls -aZ
unconfined_u:object_r:samba_share_t:s0  .
       system_u:object_r:home_root_t:s0  ..
unconfined_u:object_r:samba_share_t:s0  .acetoneiso
unconfined_u:object_r:samba_share_t:s0  .adobe
unconfined_u:object_r:samba_share_t:s0  apctest.output
unconfined_u:object_r:samba_share_t:s0  .armitage.prop
unconfined_u:object_r:samba_share_t:s0  .atom
unconfined_u:object_r:samba_share_t:s0  .audacity-data
unconfined_u:object_r:samba_share_t:s0  .autoscan-network
unconfined_u:object_r:samba_share_t:s0  .avidemux6
unconfined_u:object_r:samba_share_t:s0  .bash_history
unconfined_u:object_r:samba_share_t:s0  .bash_logout
unconfined_u:object_r:samba_share_t:s0  .bash_profile
unconfined_u:object_r:samba_share_t:s0  .bashrc
unconfined_u:object_r:samba_share_t:s0  bash.read.yn.prompt.txt
unconfined_u:object_r:samba_share_t:s0  .bluefish
unconfined_u:object_r:samba_share_t:s0  brave
unconfined_u:object_r:samba_share_t:s0  .cache
unconfined_u:object_r:samba_share_t:s0 'Calibre Library'
unconfined_u:object_r:samba_share_t:s0  .canna
unconfined_u:object_r:samba_share_t:s0 'CDBurnerXP Projects'
unconfined_u:object_r:samba_share_t:s0  .cddb
unconfined_u:object_r:samba_share_t:s0  .cddbslave
unconfined_u:object_r:samba_share_t:s0  .config
unconfined_u:object_r:samba_share_t:s0  contacts.csv
unconfined_u:object_r:samba_share_t:s0  .cpan
unconfined_u:object_r:samba_share_t:s0  .cpanm
unconfined_u:object_r:samba_share_t:s0  .crash_report_checksum
unconfined_u:object_r:samba_share_t:s0  .crash_report_frames
unconfined_u:object_r:samba_share_t:s0  .crash_report_preview
unconfined_u:object_r:samba_share_t:s0  .crash_reportrc
unconfined_u:object_r:samba_share_t:s0  -curl
unconfined_u:object_r:samba_share_t:s0  .dbus
unconfined_u:object_r:samba_share_t:s0  debug.txt
unconfined_u:object_r:samba_share_t:s0  Desktop
unconfined_u:object_r:samba_share_t:s0  .Desktop
unconfined_u:object_r:samba_share_t:s0  .dia
unconfined_u:object_r:samba_share_t:s0  .dmrc
unconfined_u:object_r:samba_share_t:s0  Documents
unconfined_u:object_r:samba_share_t:s0  Documents.000
unconfined_u:object_r:samba_share_t:s0  done
unconfined_u:object_r:samba_share_t:s0  .DownloadManager
unconfined_u:object_r:samba_share_t:s0  Downloads
unconfined_u:object_r:samba_share_t:s0  .dropbox
unconfined_u:object_r:samba_share_t:s0  Dropbox
unconfined_u:object_r:samba_share_t:s0  .dropbox-dist
unconfined_u:object_r:samba_share_t:s0  .dvdcss
unconfined_u:object_r:samba_share_t:s0  DVDFab
unconfined_u:object_r:samba_share_t:s0  .dvdrip
unconfined_u:object_r:samba_share_t:s0  .dvdriprc
unconfined_u:object_r:samba_share_t:s0  dwhelper
unconfined_u:object_r:samba_share_t:s0  .eggcups
unconfined_u:object_r:samba_share_t:s0  .elinks
unconfined_u:object_r:samba_share_t:s0  .emacs
unconfined_u:object_r:samba_share_t:s0  .emacs.d
unconfined_u:object_r:samba_share_t:s0  eraseme.txt
unconfined_u:object_r:samba_share_t:s0  .esd_auth
unconfined_u:object_r:samba_share_t:s0  .filezilla
unconfined_u:object_r:samba_share_t:s0  .fltk
unconfined_u:object_r:samba_share_t:s0  .fontconfig
unconfined_u:object_r:samba_share_t:s0  .fonts
unconfined_u:object_r:samba_share_t:s0  .fonts.cache-1
unconfined_u:object_r:samba_share_t:s0  .Foxit
unconfined_u:object_r:samba_share_t:s0  .freerdp
unconfined_u:object_r:samba_share_t:s0  .gconf
unconfined_u:object_r:samba_share_t:s0  .gconfd
unconfined_u:object_r:samba_share_t:s0  .gftp
unconfined_u:object_r:samba_share_t:s0  .gimp-2.6
unconfined_u:object_r:samba_share_t:s0  .gimp-2.8
unconfined_u:object_r:samba_share_t:s0  .gkrellm2
unconfined_u:object_r:samba_share_t:s0  .gksu.lock
unconfined_u:object_r:samba_share_t:s0  .gnome
unconfined_u:object_r:samba_share_t:s0  .gnome2
unconfined_u:object_r:samba_share_t:s0  .gnome2_private
unconfined_u:object_r:samba_share_t:s0  .gnome-commander
unconfined_u:object_r:samba_share_t:s0  .gnote
unconfined_u:object_r:samba_share_t:s0  .gnupg
unconfined_u:object_r:samba_share_t:s0  .google
unconfined_u:object_r:samba_share_t:s0  .googleearth
unconfined_u:object_r:samba_share_t:s0  .googleearth.000
unconfined_u:object_r:samba_share_t:s0  .gphoto
unconfined_u:object_r:samba_share_t:s0  .grip
unconfined_u:object_r:samba_share_t:s0  .grip-bladeenc
unconfined_u:object_r:samba_share_t:s0  .grip-lame
unconfined_u:object_r:samba_share_t:s0  .gstreamer-0.10
unconfined_u:object_r:samba_share_t:s0  .gstreamer-0.8
unconfined_u:object_r:samba_share_t:s0  .gtk-bookmarks
unconfined_u:object_r:samba_share_t:s0  .gtkrc
unconfined_u:object_r:samba_share_t:s0  .gtkrc-1.2-gnome2
unconfined_u:object_r:samba_share_t:s0  .gtkrc.monospace.12
unconfined_u:object_r:samba_share_t:s0  .gvfs
unconfined_u:object_r:samba_share_t:s0  head
unconfined_u:object_r:samba_share_t:s0  .hugin
unconfined_u:object_r:samba_share_t:s0  .ICEauthority
unconfined_u:object_r:samba_share_t:s0  .ICEauthority.000
unconfined_u:object_r:samba_share_t:s0  .icons
unconfined_u:object_r:samba_share_t:s0  .inkscape
unconfined_u:object_r:samba_share_t:s0  .install4j
unconfined_u:object_r:samba_share_t:s0  .iscan_preference
unconfined_u:object_r:samba_share_t:s0  .isomaster
unconfined_u:object_r:samba_share_t:s0  .java
unconfined_u:object_r:samba_share_t:s0  .jhylafax
unconfined_u:object_r:samba_share_t:s0  .kchmviewer
unconfined_u:object_r:samba_share_t:s0  .kde
unconfined_u:object_r:samba_share_t:s0  .kino-history
unconfined_u:object_r:samba_share_t:s0  .kinorc
unconfined_u:object_r:samba_share_t:s0  kis17.0.0.611en_10755.exe
unconfined_u:object_r:samba_share_t:s0  .kompozer
unconfined_u:object_r:samba_share_t:s0  .kompozer.net
unconfined_u:object_r:samba_share_t:s0  .lesshst
unconfined_u:object_r:samba_share_t:s0  .local
unconfined_u:object_r:samba_share_t:s0  .loki
unconfined_u:object_r:samba_share_t:s0  lwp_cookies.dat
unconfined_u:object_r:samba_share_t:s0  Lynx.trace
unconfined_u:object_r:samba_share_t:s0  .macromedia
unconfined_u:object_r:samba_share_t:s0  .mcop
unconfined_u:object_r:samba_share_t:s0  .mcoprc
unconfined_u:object_r:samba_share_t:s0  .metacity
unconfined_u:object_r:samba_share_t:s0  .mime.types
unconfined_u:object_r:samba_share_t:s0  .mozilla
unconfined_u:object_r:samba_share_t:s0  .mozilla_10-05-2017
unconfined_u:object_r:samba_share_t:s0  .mozilla_10-08-2017
unconfined_u:object_r:samba_share_t:s0  .mplayer
unconfined_u:object_r:samba_share_t:s0  .msf4
unconfined_u:object_r:samba_share_t:s0  Music
unconfined_u:object_r:samba_share_t:s0  Music.000
unconfined_u:object_r:samba_share_t:s0  my-lightdm.pp
unconfined_u:object_r:samba_share_t:s0  my-lightdm.te
unconfined_u:object_r:samba_share_t:s0  my-systemd.pp
unconfined_u:object_r:samba_share_t:s0  my-systemd.te
unconfined_u:object_r:samba_share_t:s0  .nautilus
unconfined_u:object_r:samba_share_t:s0  Net-FTP.pm
unconfined_u:object_r:samba_share_t:s0  NewRevIs-10.2.1.23.txt
unconfined_u:object_r:samba_share_t:s0 'Nolo Documents Backup'
unconfined_u:object_r:samba_share_t:s0  .nv
unconfined_u:object_r:samba_share_t:s0  .nvidia-settings-rc
unconfined_u:object_r:samba_share_t:s0  .nvu
unconfined_u:object_r:samba_share_t:s0  .nx
unconfined_u:object_r:samba_share_t:s0  .odbc.ini
unconfined_u:object_r:samba_share_t:s0  ogg
unconfined_u:object_r:samba_share_t:s0  .oracle_jre_usage
unconfined_u:object_r:samba_share_t:s0  .padminrc
unconfined_u:object_r:samba_share_t:s0  .parallels_settings
unconfined_u:object_r:samba_share_t:s0  parallelsupdate
unconfined_u:object_r:samba_share_t:s0  parallels-vm
unconfined_u:object_r:samba_share_t:s0  .pcmanfm
unconfined_u:object_r:samba_share_t:s0  PcSetup
unconfined_u:object_r:samba_share_t:s0  .pdfedit
unconfined_u:object_r:samba_share_t:s0  .pdfstudio10
unconfined_u:object_r:samba_share_t:s0  .pdfstudio11
unconfined_u:object_r:samba_share_t:s0  .pdfstudio12
unconfined_u:object_r:samba_share_t:s0  .pdfstudio9
unconfined_u:object_r:samba_share_t:s0  perl5
unconfined_u:object_r:samba_share_t:s0  .perl6
unconfined_u:object_r:samba_share_t:s0  PicasaDocuments
unconfined_u:object_r:samba_share_t:s0  Pictures
unconfined_u:object_r:samba_share_t:s0  Pictures.000
unconfined_u:object_r:samba_share_t:s0  .pki
unconfined_u:object_r:samba_share_t:s0  .ptbt0
unconfined_u:object_r:samba_share_t:s0  .pulse.000
unconfined_u:object_r:samba_share_t:s0  .pulse-cookie
unconfined_u:object_r:samba_share_t:s0  .putty
unconfined_u:object_r:samba_share_t:s0  .qalculate
unconfined_u:object_r:samba_share_t:s0  .qt
unconfined_u:object_r:samba_share_t:s0  .rdesktop
unconfined_u:object_r:samba_share_t:s0  .recently-used
unconfined_u:object_r:samba_share_t:s0  .redhat
unconfined_u:object_r:samba_share_t:s0  .remmina
unconfined_u:object_r:samba_share_t:s0  .rhn-applet
unconfined_u:object_r:samba_share_t:s0  .rhn-applet.conf
unconfined_u:object_r:samba_share_t:s0  .rnd
unconfined_u:object_r:samba_share_t:s0  rpmbuild
unconfined_u:object_r:samba_share_t:s0  .rpmmacros
unconfined_u:object_r:samba_share_t:s0  .sane
unconfined_u:object_r:samba_share_t:s0  saned.log.txt
unconfined_u:object_r:samba_share_t:s0  .Screenr
unconfined_u:object_r:samba_share_t:s0  .smplayer
unconfined_u:object_r:samba_share_t:s0  .so_sane_state
unconfined_u:object_r:samba_share_t:s0  .spicec
unconfined_u:object_r:samba_share_t:s0  .spice-vdagent
unconfined_u:object_r:samba_share_t:s0  sserife.fon
unconfined_u:object_r:samba_share_t:s0  ssh
unconfined_u:object_r:samba_share_t:s0  .ssh
unconfined_u:object_r:samba_share_t:s0  ssh_hosts
unconfined_u:object_r:samba_share_t:s0  .subversion
unconfined_u:object_r:samba_share_t:s0 'Super Trouper.ogg'
unconfined_u:object_r:samba_share_t:s0  .swp
unconfined_u:object_r:samba_share_t:s0  systemd.init.d.new.method.txt
unconfined_u:object_r:samba_share_t:s0 'TaxACT 2009'
unconfined_u:object_r:samba_share_t:s0  temp
unconfined_u:object_r:samba_share_t:s0  Templates
unconfined_u:object_r:samba_share_t:s0  .themes
unconfined_u:object_r:samba_share_t:s0  .thumbnails
unconfined_u:object_r:samba_share_t:s0  .thunderbird
unconfined_u:object_r:samba_share_t:s0  tmp
unconfined_u:object_r:samba_share_t:s0  tmp2
unconfined_u:object_r:samba_share_t:s0  .Trash
unconfined_u:object_r:samba_share_t:s0 'TurboCAD Deluxe 17'
unconfined_u:object_r:samba_share_t:s0  .uml
unconfined_u:object_r:samba_share_t:s0  Updater5
unconfined_u:object_r:samba_share_t:s0  Video
unconfined_u:object_r:samba_share_t:s0  Videos
unconfined_u:object_r:samba_share_t:s0  .vim
unconfined_u:object_r:samba_share_t:s0  .viminfo
unconfined_u:object_r:samba_share_t:s0  .viminfo.000
unconfined_u:object_r:samba_share_t:s0  .viminfo.tmp
unconfined_u:object_r:samba_share_t:s0  .viminfz.tmp
unconfined_u:object_r:samba_share_t:s0  .vimrc
unconfined_u:object_r:samba_share_t:s0  .virt-manager
unconfined_u:object_r:samba_share_t:s0  .vlc
unconfined_u:object_r:samba_share_t:s0  .vnc
unconfined_u:object_r:samba_share_t:s0  .webex
unconfined_u:object_r:samba_share_t:s0  .wget-hsts
unconfined_u:object_r:samba_share_t:s0  .windows-serial
unconfined_u:object_r:samba_share_t:s0  wine
unconfined_u:object_r:samba_share_t:s0  .wine
unconfined_u:object_r:samba_share_t:s0  .wine.10-16-2015
unconfined_u:object_r:samba_share_t:s0  .wine.adobe
unconfined_u:object_r:samba_share_t:s0  .wine.backup
unconfined_u:object_r:samba_share_t:s0  .wine.crimson3
unconfined_u:object_r:samba_share_t:s0  .wine.smartsuite
unconfined_u:object_r:samba_share_t:s0  .winetmp
unconfined_u:object_r:samba_share_t:s0  .winetrickscache
unconfined_u:object_r:samba_share_t:s0  x
unconfined_u:object_r:samba_share_t:s0  .Xauthority.000
unconfined_u:object_r:samba_share_t:s0  .Xauthority.001
unconfined_u:object_r:samba_share_t:s0  .xcdroast
unconfined_u:object_r:samba_share_t:s0  .xchm
unconfined_u:object_r:samba_share_t:s0  .Xclients
unconfined_u:object_r:samba_share_t:s0  .Xclients-default
unconfined_u:object_r:samba_share_t:s0  .xemacs
unconfined_u:object_r:samba_share_t:s0  .xfce
unconfined_u:object_r:samba_share_t:s0  .xfce4-session.verbose-log
unconfined_u:object_r:samba_share_t:s0  .xfce4-session.verbose-log.last
unconfined_u:object_r:samba_share_t:s0  .xine
unconfined_u:object_r:samba_share_t:s0  .xmms
unconfined_u:object_r:samba_share_t:s0  .xscreensaver
unconfined_u:object_r:samba_share_t:s0  .xscreensaver-getimage.cache
unconfined_u:object_r:samba_share_t:s0  .xsel.log
     system_u:object_r:samba_share_t:s0  .xsession-errors
     system_u:object_r:samba_share_t:s0  .xsession-errors.old
unconfined_u:object_r:samba_share_t:s0  .yajhfc
unconfined_u:object_r:samba_share_t:s0  .zef.001
unconfined_u:object_r:samba_share_t:s0  .zenmap
unconfined_u:object_r:samba_share_t:s0  .zshrc


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
On 03/12/2018 03:13 PM, ToddAndMargo wrote:

> On 03/12/2018 03:06 PM, ToddAndMargo wrote:
>> On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
>>> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>>>> Hi All,
>>>>
>>>> Fedora 27, x64
>>>>
>>>> Xfce 4.12
>>>>
>>>> lightdm-1.25.1-5.fc27.x86_64
>>>>
>>>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>>>
>>>> If I set SELinux to Permissive, I can log in as anyone.
>>>>
>>>> SEAlert is quiet.
>>>>
>>>> In the Audit log, I get:
>>>>
>>>>     # grep lightdm /var/log/audit/audit.log | grep denied
>>>>
>>>> type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for
>>>> pid=7554 comm="lightdm" name=".xsession-errors"
>>>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>>
>>>> type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open }
>>>> for
>>>>   pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1"
>>>> ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>>
>>>> SELinux is taking a shine to everyone's, except root's,
>>>> .xsession-errors.
>>>>
>>>> How do I fix this?
>>
>>
>> I am indeed running two samba shares from /home
>>
>> $ ls -Z /home/todd/.xsession-errors
>> system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors
>>
>> # restorecon -r /home/todd
>> Didn't work
>>
>> Samba is running a share from /home
>> # setsebool -P samba_enable_home_dirs on
>> Didn't work
>>
>> # restorecon -Rv /home
>> # semanage boolean -m samba_enable_home_dirs --on
>> Didn't work
>>
>> # semanage boolean -P samba_enable_home_dirs on
>> Didn't work
>>
>> /usr/bin/sealert -b
>> Is quiet
>
> Any hints in here?
>
> $ ls -aZ
> unconfined_u:object_r:samba_share_t:s0  .
>        system_u:object_r:home_root_t:s0  ..
> unconfined_u:object_r:samba_share_t:s0  .acetoneiso
> unconfined_u:object_r:samba_share_t:s0  .adobe
> unconfined_u:object_r:samba_share_t:s0  apctest.output

Seems to me that all this crap is from my home directory
and should not have anything to do with samba

The samba shares are on /home/CDs and /home/OurStuff




Re: SELinux is blocking lightdm login to Xfce

Ed Greshko-2
In reply to this post by ToddAndMargo
On 03/13/18 06:13, ToddAndMargo wrote:
>>
>> /usr/bin/sealert -b
>> Is quiet


If I put the AVC's you mention in the original post in a file....


type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

And run sealert against them I get....

[egreshko@meimei ~]$ sealert -a err
100% done
found 2 alerts in err
--------------------------------------------------------------------------------

SELinux is preventing lightdm from create access on the file .xsession-errors.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lightdm should be allowed create access on the .xsession-errors
file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                .xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
                              SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      4b15d210-1cff-461f-8c2a-8469d09752d2

Raw Audit Messages
type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554
comm="lightdm" name=".xsession-errors"
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1


Hash: lightdm,xdm_t,samba_share_t,file,create

--------------------------------------------------------------------------------

SELinux is preventing lightdm from 'write, open' accesses on the file
/home/tony/.xsession-errors.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/home/tony/.xsession-errors default label should be xdm_home_t.
Then you can run restorecon. The access attempt may have been stopped due to
insufficient permissions to access a parent directory in which case try to change the
following command accordingly.
Do
# /sbin/restorecon -v /home/tony/.xsession-errors

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that lightdm should be allowed write open access on the
.xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /home/tony/.xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1
                              SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      82cda10c-f801-4a67-b762-54b27ad752cb

Raw Audit Messages
type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for  pid=7554
comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1

Hash: lightdm,xdm_t,samba_share_t,file,write,open
--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.


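The sealert output above offers two very different fixes: restorecon (fix the label) and audit2allow (widen the policy). The difference matters for the denials in this thread, where the target type on a file under /home is samba_share_t rather than one of the home types. Here is an added example, not code from the thread or from the Fedora setroubleshoot tools, that parses audit.log AVC records and sorts each one into "relabel" (target type is not a home type, so restorecon is the fix) or "policy" (label already correct, so a local allow rule would be papering over a policy gap). The HOME_TYPES set is an illustrative assumption, not the policy's full list, and the sample log is the two denials quoted in the thread, reconstructed onto one line each as audit.log writes them.

```python
"""Triage SELinux AVC denials that touch files under /home.

Added example, not code from the thread or from Fedora's tools.
Parses AVC records and decides whether each denial is a labeling
problem (restorecon) or a policy problem (report it, do not just allow it).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Types the targeted policy normally puts on a user's home files.
# Assumption: an illustrative subset, not the complete list from the policy.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "xdm_home_t", "home_root_t"}

# Constructed sample: the two denials quoted in the thread, one record per
# line as audit.log stores them, plus an unrelated SYSCALL record to skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1520843479.104:515): avc:  denied  { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc:  denied  { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1520843479.104:516): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


@dataclass
class Denial:
    perms: List[str]
    comm: str
    path: Optional[str]   # None for a 'create' denial, which only carries name=
    source_type: str      # domain of the process, e.g. xdm_t
    target_type: str      # type of the object, e.g. samba_share_t
    tclass: str
    verdict: str          # "relabel", "policy" or "unknown"
    fix: str              # what the verdict implies doing


def _type_of(context: str) -> str:
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Return the key=value fields of an AVC denial record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def classify(fields: dict) -> Denial:
    path = fields.get("path")
    target = _type_of(fields["tcontext"])
    if target in HOME_TYPES:
        # Label is what the policy expects, so the policy itself lacks the rule.
        verdict = "policy"
        fix = "label is correct; report the denial as a policy bug rather than allowing it locally"
    elif path is None or path.startswith("/home/"):
        verdict = "relabel"
        fix = ("restorecon -v " + path) if path else "restorecon -Rv on the parent directory (path not in record)"
    else:
        verdict, fix = "unknown", "inspect with sealert / ausearch"
    return Denial(perms=fields["perms"], comm=fields.get("comm", "?"), path=path,
                  source_type=_type_of(fields["scontext"]), target_type=target,
                  tclass=fields.get("tclass", "?"), verdict=verdict, fix=fix)


def triage(log_text: str) -> List[Denial]:
    return [classify(f) for line in log_text.splitlines() if (f := parse_avc(line))]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.comm} ({d.source_type}) -> {d.target_type}:{d.tclass} {d.perms}: "
              f"{d.verdict}: {d.fix}")
```

Run it on the real file with `triage(open("/var/log/audit/audit.log").read())` as root. The point of the split is that audit2allow would have produced an `allow xdm_t samba_share_t:file { create write open }` rule, which hides the real problem (home files carrying a Samba label) instead of fixing it.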

Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
On 03/12/2018 03:49 PM, Ed Greshko wrote:
> #/sbin/restorecon -v /home/tony/.xsession-errors
> # ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
> # semodule -X 300 -i my-lightdm.pp


That happened very early on in SEAlert.  SEAlert is
now quiet.

Redoing the above did not help.

Now Samba does not work either.


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
On 03/12/2018 04:04 PM, ToddAndMargo wrote:
> Now Samba does not work either.

Samba is back to working.  My firewall was blocking
it, as I somehow lost my systemd script for custom.firewall.service.
But all is better now.


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by ToddAndMargo
Follow up:

With everyone's help, I cleaned up my SELinux homedirs
and set Samba's SELinux stuff right.

I still could not log in from lightdm, except to root,
when SELinux was Enforcing.

And SEAlert was completely quiet.  And
      /var/log/audit/audit.log
was completely empty.

Then I got sneaky and created a new user in a different
root directory (/home2).  That worked.  Hmmmmmmm.....

So I renamed my $HOME directory and recreated an empty
one.  That worked too.  POOP !!!!!!

So I thought of trying to trace down who was doing it.  Gave
up and restored my user's directories from backup. That also
worked!

Yippee!

Thank you all for the tips.  I wrote down about five of them,
so I would not forget.  SELinux baffles me at times.

-T


Re: SELinux is blocking lightdm login to Xfce

Ed Greshko
On 03/13/18 13:57, ToddAndMargo wrote:
> Thank you all for the tips.  I wrote down about five of them,
> so I would not forget.  SELinux baffles me at times.


Good to hear all is working now.

One thing I just realized I was remiss in mentioning.  There are times where you will
have selinux preventing something but you won't get an AVC in the audit.log.  This is
due to a policy which has "dontaudit" enabled.   If you run into this situation again
you should try the command "semodule -BD".  The D means
"Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt".
After troubleshooting run "semodule -B" to restore to normal operation.

Sorry to have left that out.  I don't run into many selinux issues and forgot about it.

--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.



Re: SELinux is blocking lightdm login to Xfce

Lukas Vrabec
In reply to this post by ToddAndMargo
On 03/13/2018 06:57 AM, ToddAndMargo wrote:

> Follow up:
>
> With everyone's help, I cleaned up my SELinux homedirs
> and set Samba's SELinux stuff right.
>
> I still could not log in from lightdm, except to root,
> when SELinux was Enforcing.
>
> And SEAlert was completely quiet.  And
>      /var/log/audit/audit.log
> was completely empty.
>
> Then I got sneaky and created a new user in a different
> root directory (/home2).  That worked.  Hmmmmmmm.....
>
> So I renamed my $HOME directory and recreated an empty
> one.  That worked too.  POOP !!!!!!
>
> So I thought of trying to trace down who was doing it.  Gave
> up and restored my user's directories from backup. That also
> worked!
>
> Yippee!
>
> Thank you all for the tips.  I wrote down about five of them,
> so I would not forget.  SELinux baffles me at times.
>
I'm quite lost with your e-mails, but how is it labeled right now in your
homedir? It shouldn't be samba_share_t if it's working. Also, could
you please attach the output of:

# semanage export

Thanks,
Lukas.

> -T
>


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.


Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
On 03/13/2018 02:39 AM, Lukas Vrabec wrote:

> On 03/13/2018 06:57 AM, ToddAndMargo wrote:
>> Follow up:
>>
>> With everyone's help, I cleaned up my SELinux homedirs
>> and set Samba's SELinux stuff right.
>>
>> I still could not log in from lightdm, except to root,
>> when SELinux was Enforcing.
>>
>> And SEAlert was completely quiet.  And
>>       /var/log/audit/audit.log
>> was completely empty.
>>
>> Then I got sneaky and created a new user in a different
>> root directory (/home2).  That worked.  Hmmmmmmm.....
>>
>> So I renamed my $HOME directory and recreated an empty
>> one.  That worked too.  POOP !!!!!!
>>
>> So I thought of trying to trace down who was doing it.  Gave
>> up and restored my user's directories from backup. That also
>> worked!
>>
>> Yippee!
>>
>> Thank you all for the tips.  I wrote down about five of them,
>> so I would not forget.  SELinux baffles me at times.
>>
>
> I'm quite lost with your e-mails, but how is it labeled right now in your
> homedir? It shouldn't be samba_share_t if it's working. Also, could
> you please attach the output of:
>
> # semanage export
>
> Thanks,
> Lukas.

What is the command telling me?


# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 daemons_use_tty
boolean -m -1 named_write_master_zones
boolean -m -1 samba_domain_controller
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
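What `semanage export` is telling you is the full set of local customizations layered on top of the distribution policy, in the form of `semanage` commands that would recreate them. The line that answers Lukas's question is `fcontext -a -f a -t samba_share_t '/home(/.*)?'`: it makes every file under /home default to samba_share_t, so `restorecon` on a home file restores samba_share_t rather than the xdm_home_t that sealert expected, which is exactly the label lightdm was denied on. Here is an added example, not code from the thread or from policycoreutils, that parses this export format and reports which local file-context rules would relabel a given home path away from a home type, following the `-e` path equivalences so aliases such as /nfshome are checked as well. The HOME_TYPES set is an illustrative assumption; the sample export is the one posted in this message, reproduced verbatim.

```python
"""Audit local SELinux customizations from `semanage export`.

Added example, not from the thread or from policycoreutils.
Parses the export format (one `<object> <options>` line per local
setting) and flags file-context rules that override the labels the
policy expects under home directories.
"""
import re
import shlex
from typing import Dict, List, NamedTuple

# Constructed sample: the export posted in the thread, verbatim.
SAMPLE_EXPORT = """\
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 daemons_use_tty
boolean -m -1 named_write_master_zones
boolean -m -1 samba_domain_controller
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
"""

# Assumption: illustrative subset of the types the policy uses for home files.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "xdm_home_t", "home_root_t"}


class FContext(NamedTuple):
    ftype: str     # -f value: a = all file types, f = regular file, d = directory, ...
    setype: str    # -t value, the SELinux type the rule assigns
    pattern: str   # regex the rule applies to


class Equiv(NamedTuple):
    target: str    # path whose labeling rules are reused
    alias: str     # path that is labeled as if it were `target`


class LocalPolicy(NamedTuple):
    booleans: Dict[str, bool]
    fcontexts: List[FContext]
    equivs: List[Equiv]


def parse_export(text: str) -> LocalPolicy:
    booleans: Dict[str, bool] = {}
    fcontexts: List[FContext] = []
    equivs: List[Equiv] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        obj, *opts = shlex.split(line)          # shlex strips the quotes around patterns
        if "-D" in opts:                        # "delete all local settings" preamble
            continue
        if obj == "boolean" and "-m" in opts:
            booleans[opts[-1]] = "-1" in opts   # -1 = on, -0 = off
        elif obj == "fcontext" and "-e" in opts:
            i = opts.index("-e")
            equivs.append(Equiv(target=opts[i + 1], alias=opts[i + 2]))
        elif obj == "fcontext" and "-a" in opts:
            ftype = opts[opts.index("-f") + 1] if "-f" in opts else "a"
            setype = opts[opts.index("-t") + 1]
            fcontexts.append(FContext(ftype, setype, opts[-1]))
    return LocalPolicy(booleans, fcontexts, equivs)


def canonical(path: str, equivs: List[Equiv]) -> str:
    """Rewrite an aliased path (-e) to the target it is labeled like."""
    for eq in equivs:
        if path == eq.alias or path.startswith(eq.alias + "/"):
            return eq.target + path[len(eq.alias):]
    return path


def overrides_for(policy: LocalPolicy, path: str) -> List[FContext]:
    """Local rules matching PATH that assign something other than a home type."""
    probe = canonical(path, policy.equivs)
    return [fc for fc in policy.fcontexts
            if re.fullmatch(fc.pattern, probe) and fc.setype not in HOME_TYPES]


if __name__ == "__main__":
    pol = parse_export(SAMPLE_EXPORT)
    for p in ("/home/tony/.xsession-errors", "/nfshome/tony/.xsession-errors"):
        for fc in overrides_for(pol, p):
            print(f"{p}: local rule {fc.pattern!r} labels it {fc.setype}, not a home type")
```

Feed it the real export with `parse_export(subprocess.check_output(["semanage", "export"], text=True))` as root. Note that with `samba_enable_home_dirs` already switched on in this export, smbd is permitted to serve files carrying the normal home types, so the blanket samba_share_t rule over /home is the customization that conflicts with the rest of the system rather than something Samba needs.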

Re: SELinux is blocking lightdm login to Xfce

ToddAndMargo
In reply to this post by Ed Greshko
On 03/12/2018 11:53 PM, Ed Greshko wrote:
>   There are times where you will
> have selinux preventing something but you won't get an AVC in the audit.log.  This is
> due to a policy which has "dontaudit" enabled.   If you run into this situation again
> you should try the command "semodule -BD".  The D means
> "Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt".
> After troubleshooting run "semodule -B" to restore to normal operation.

Thank you!  I wrote it down for the next time!