[Bug 1212672] New: Gnome desktop: Cannot enable auto login for user via settings
https://bugzilla.suse.com/show_bug.cgi?id=1212672

            Bug ID: 1212672
           Summary: Gnome desktop: Cannot enable auto login for user via settings
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: MicroOS
          Assignee: kubic-bugs@opensuse.org
          Reporter: wolfram.fischer1979+opensuse@gmail.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Build Identifier:

I cannot enable auto login for the user in the Gnome settings (application) which makes GDM login the user automatically.

Reproducible: Always

Steps to Reproduce:
1. Open Gnome settings
2. Navigate to Users
3. Enter root password to be able to toggle auto login for the user
4. Toggle auto login for the user

Actual Results:
The auto login setting for the user _seems_ to be activated, as long as one is on the user settings page. If the settings page is changed away from user settings and returned to the user settings, the auto login setting for the user is _not_ activated. The auto login is not activated, which can be checked with a simple reboot.

Expected Results:
The setting to automate auto login should be enabled

--
You are receiving this mail because:
You are the assignee for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1212672
https://bugzilla.suse.com/show_bug.cgi?id=1212672#c1

Felix Sieges <felix.sieges@fau.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |felix.sieges@fau.de

--- Comment #1 from Felix Sieges <felix.sieges@fau.de> ---

## Issue Description

I have the same issue; the steps to reproduce are the same as in the original bug report. I have investigated the issue a bit further.

## Possible root cause

When the slider to toggle the auto login is activated, the following line is written in `/var/log/audit.log`:

```
sudo ausearch -m AVC -ts recent
time->Sat Jul 15 12:50:20 2023
type=AVC msg=audit(1689418220.429:134): avc: denied { write } for pid=916 comm="accounts-daemon" name="sysconfig" dev="overlay" ino=20523 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```

That indicates that the accounts-daemon attempts to do a write operation in the `/etc` directory, but the operation is denied by SELinux. audit2allow gives the following information.

```
type=AVC msg=audit(1689361409.674:276): avc: denied { write } for pid=941 comm=accounts-daemon name=sysconfig dev=overlay ino=282 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.
```

## Proposed fix

This could be fixed by enabling the following SELinux rule:

```
#============= accountsd_t ==============
allow accountsd_t etc_t:dir write;
```

However, this policy could potentially be more restrictive and I'd propose that it should be investigated further by someone with more knowledge about MicroOS and SELinux.
https://bugzilla.suse.com/show_bug.cgi?id=1212672
https://bugzilla.suse.com/show_bug.cgi?id=1212672#c2

--- Comment #2 from Felix Sieges <felix.sieges@fau.de> ---

I have investigated the issue a bit further. The accounts-daemon (which is labeled with `accountsd_t`) tries to write to the file "/etc/sysconfig/displaymanager":

```
ls -Z /etc/sysconfig/displaymanager
system_u:object_r:etc_t:s0 /etc/sysconfig/displaymanager
```

This file is labeled with etc_t, which the accountsd_t class is not allowed access to, see: https://manpages.opensuse.org/Tumbleweed/selinux-policy-devel/accountsd_seli...

In order for accountsd to be able to write to "/etc/sysconfig/displaymanager" it needs to be allowed to write to "/etc/sysconfig/" and "/etc/sysconfig/displaymanager". For example and to test it, changing the label of "/etc/sysconfig/" to "xdm_etc_t", because accountsd_t is allowed the "write" operation to files labeled with this class, leads to the following message:

```
sudo ausearch -m "AVC" -ts recent
time->Sat Jul 15 13:35:11 2023
type=AVC msg=audit(1689420911.338:243): avc: denied { unlink } for pid=951 comm="accounts-daemon" name="displaymanager" dev="overlay" ino=33811 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
```

which indicates that it needs to write to the file "/etc/sysconfig/displaymanager"
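
The two denials quoted in comments #1 and #2, parsed and merged into audit2allow-style rules. This is an added example, not part of the bug report or of any commenter's text; the function names `parse_avc` and `candidate_rules` are hypothetical, and the input is the pair of AVC records shown above.

```python
import re
from collections import defaultdict

# The two AVC records quoted in comments #1 and #2 above.
AUDIT_LINES = [
    'type=AVC msg=audit(1689418220.429:134): avc: denied { write } for pid=916 '
    'comm="accounts-daemon" name="sysconfig" dev="overlay" ino=20523 '
    'scontext=system_u:system_r:accountsd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1689420911.338:243): avc: denied { unlink } for pid=951 '
    'comm="accounts-daemon" name="displaymanager" dev="overlay" ino=33811 '
    'scontext=system_u:system_r:accountsd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in
           (kv.split('=', 1) for kv in m.group(2).split() if '=' in kv)}
    rec['perms'] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def candidate_rules(lines):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(candidate_rules(AUDIT_LINES)))
```

Both resulting rules name `etc_t` as the target type, so they would apply to every directory and file carrying that label rather than only to `/etc/sysconfig/displaymanager`, which is the breadth comment #1 flags for further investigation.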
https://bugzilla.suse.com/show_bug.cgi?id=1212672
https://bugzilla.suse.com/show_bug.cgi?id=1212672#c3

Richard Brown <rbrown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|MicroOS                     |Security
           Assignee|kubic-bugs@opensuse.org     |security-team@suse.de
                 CC|                            |rbrown@suse.com

--- Comment #3 from Richard Brown <rbrown@suse.com> ---

Not a MicroOS specific issue - this is broken on Tumbleweed also, and needs a general SELinux policy fix