[Bug 1206686] New: [SELinux] greetd doesn’t start … xdm_t suspected
https://bugzilla.suse.com/show_bug.cgi?id=1206686 Bug ID: 1206686 Summary: [SELinux] greetd doesn���t start ��� xdm_t suspected Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mcepl@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 863684 --> https://bugzilla.suse.com/attachment.cgi?id=863684&action=edit journalctl -xb output Not sure what is the relationship with bug 1182554, but this seems more like a SELinux problem. When booting with greetd.service enabled and display-manager.service (aka GDM) disabled, I get attached journalctl output and ausearch shows problems. Any thoughts on what���s going on, please? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c1 --- Comment #1 from Matej Cepl <mcepl@suse.com> --- Created attachment 863685 --> https://bugzilla.suse.com/attachment.cgi?id=863685&action=edit ausearch output -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c2 --- Comment #2 from Matej Cepl <mcepl@suse.com> --- xdm_t type is set permissive. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c3 Johannes Segitz <jsegitz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jsegitz@suse.com Assignee|security-team@suse.de |jsegitz@suse.com --- Comment #3 from Johannes Segitz <jsegitz@suse.com> --- I created a basic greetd config for sway and this works for me. Please share you greetd config so I can reproduce this -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c4 Filippo Bonazzi <filippo.bonazzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |filippo.bonazzi@suse.com, | |mcepl@suse.com Flags| |needinfo?(mcepl@suse.com) --- Comment #4 from Filippo Bonazzi <filippo.bonazzi@suse.com> --- Hi Matej, I'm running greetd with sway and a configuration based on openSUSEway on both my machine (permissive) and a VM (enforcing), and I don't see any such denials - and greetd works fine on both. Can you share what system/greetd/selinux configuration is giving you trouble? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 Filippo Bonazzi <filippo.bonazzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|jsegitz@suse.com |filippo.bonazzi@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c5 Filippo Bonazzi <filippo.bonazzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |NORESPONSE --- Comment #5 from Filippo Bonazzi <filippo.bonazzi@suse.com> --- Closing due to inactivity, feel free to reopen if necessary -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c6 Matej Cepl <mcepl@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(mcepl@suse.com) | --- Comment #6 from Matej Cepl <mcepl@suse.com> --- Created attachment 865057 --> https://bugzilla.suse.com/attachment.cgi?id=865057&action=edit Output of ausearch -m AVC -ts today It seems to me obvious that /usr/bin/sway system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2754 49.9 0.8 3204384 131368 tty2 Sl+ Feb21 586:47 /usr/bin/sway doesn���t do well in this log from the workstation with greetd and sway. Workstation is currently permissive, but I will switch it soon to enforcing with the permissive domain xdm_t. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c7 Matej Cepl <mcepl@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|NORESPONSE |--- --- Comment #7 from Matej Cepl <mcepl@suse.com> --- (somehow the bug has not switched to REOPENED by adding an attachment) -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1206686 https://bugzilla.suse.com/show_bug.cgi?id=1206686#c8 Filippo Bonazzi <filippo.bonazzi@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |INVALID --- Comment #8 from Filippo Bonazzi <filippo.bonazzi@suse.com> --- After in-person debug session we figured the issue out. The problem was the same described in https://github.com/openSUSE/openSUSEway/issues/96 and completely unrelated to SELinux. I am going to close this bug, we are going to continue investigation into SELinux denials and we will open further SELinux bugs if we find any. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com