Hi All,
Fedora 27, x64
Xfce 4.12
lightdm-1.25.1-5.fc27.x86_64
With SELinux set to Enforcing, I can only log into Xfce as root.
If I set SELinux to Permissive, I can log into anyone.
SEAlert is quiet.
In the Audit log, I get:
# grep lightdm /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
SELinux is taking a shine to everyone's, except root's, .xsession-errors.
How do I fix this?
Many thanks, -T
On 03/12/18 17:35, ToddAndMargo wrote:
> Hi All,
> Fedora 27, x64
> Xfce 4.12
> lightdm-1.25.1-5.fc27.x86_64
> With SELinux set to Enforcing, I can only log into Xfce as root.
> If I set SELinux to Permissive, I can log into anyone.
> SEAlert is quiet.
> In the Audit log, I get:
> # grep lightdm /var/log/audit/audit.log | grep denied
> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
> How do I fix this?
What do you have for "ls -Z /home/tony/.xsession-errors"? Mine is...
[egreshko@meimei ~]$ ls -Z .xsession-errors
unconfined_u:object_r:xdm_home_t:s0 .xsession-errors
You can try "restorecon /home/tony/.xsession-errors". You may have to do that as root.
On 03/12/2018 10:35 AM, ToddAndMargo wrote:
> Hi All,
> Fedora 27, x64
> Xfce 4.12
> lightdm-1.25.1-5.fc27.x86_64
> With SELinux set to Enforcing, I can only log into Xfce as root.
> If I set SELinux to Permissive, I can log into anyone.
> SEAlert is quiet.
> In the Audit log, I get:
> # grep lightdm /var/log/audit/audit.log | grep denied
> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
> How do I fix this?
Hi ToddAndMargo,
Are you sharing your homedir via samba? If yes,
# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
This will restore all labels in your home dir and enable the domains in which samba processes run to access your homedirs.
Lukas.
> Many thanks, -T
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org
On 03/12/2018 03:08 AM, Ed Greshko wrote:
> On 03/12/18 17:35, ToddAndMargo wrote:
>> Hi All,
>> Fedora 27, x64
>> Xfce 4.12
>> lightdm-1.25.1-5.fc27.x86_64
>> With SELinux set to Enforcing, I can only log into Xfce as root.
>> If I set SELinux to Permissive, I can log into anyone.
>> SEAlert is quiet.
>> In the Audit log, I get:
>> # grep lightdm /var/log/audit/audit.log | grep denied
>> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
>> How do I fix this?
> What do you have for "ls -Z /home/tony/.xsession-errors"? Mine is...
> [egreshko@meimei ~]$ ls -Z .xsession-errors
> unconfined_u:object_r:xdm_home_t:s0 .xsession-errors
$ ls -Z /home/tony/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/tony/.xsession-errors
> You can try "restorecon /home/tony/.xsession-errors". You may have to do that as root.
Will try in a minute
On 03/13/18 05:57, ToddAndMargo wrote:
> On 03/12/2018 03:08 AM, Ed Greshko wrote:
>> You can try "restorecon /home/tony/.xsession-errors". You may have to do that as root.
> didn't work. Rats!
You may want to run the troubleshooter to see what it suggests....
/usr/bin/sealert -b
On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>> Hi All,
>> Fedora 27, x64
>> Xfce 4.12
>> lightdm-1.25.1-5.fc27.x86_64
>> With SELinux set to Enforcing, I can only log into Xfce as root.
>> If I set SELinux to Permissive, I can log into anyone.
>> SEAlert is quiet.
>> In the Audit log, I get:
>> # grep lightdm /var/log/audit/audit.log | grep denied
>> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
>> How do I fix this?
I am indeed running two samba shares from /home
$ ls -Z /home/todd/.xsession-errors
system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors
# restorecon -r /home/todd
Didn't work
Samba is running share from /home
# setsebool -P samba_enable_home_dirs on
Didn't work
# restorecon -Rv /home
# semanage boolean -m samba_enable_home_dirs --on
Didn't work
# semanage boolean -P samba_enable_home_dirs on
Didn't work
/usr/bin/sealert -b
Is quiet
On 03/12/2018 03:06 PM, ToddAndMargo wrote:
> On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
>> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>>> Hi All,
>>> Fedora 27, x64
>>> Xfce 4.12
>>> lightdm-1.25.1-5.fc27.x86_64
>>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>> If I set SELinux to Permissive, I can log into anyone.
>>> SEAlert is quiet.
>>> In the Audit log, I get:
>>> # grep lightdm /var/log/audit/audit.log | grep denied
>>> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
>>> How do I fix this?
> I am indeed running two samba shares from /home
> $ ls -Z /home/todd/.xsession-errors
> system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors
> # restorecon -r /home/todd
> Didn't work
> Samba is running share from /home
> # setsebool -P samba_enable_home_dirs on
> Didn't work
> # restorecon -Rv /home
> # semanage boolean -m samba_enable_home_dirs --on
> Didn't work
> # semanage boolean -P samba_enable_home_dirs on
> Didn't work
> /usr/bin/sealert -b
> Is quiet
Any hints in here?
On 03/12/2018 03:13 PM, ToddAndMargo wrote:
> On 03/12/2018 03:06 PM, ToddAndMargo wrote:
>> On 03/12/2018 04:20 AM, Lukas Vrabec wrote:
>>> On 03/12/2018 10:35 AM, ToddAndMargo wrote:
>>>> Hi All,
>>>> Fedora 27, x64
>>>> Xfce 4.12
>>>> lightdm-1.25.1-5.fc27.x86_64
>>>> With SELinux set to Enforcing, I can only log into Xfce as root.
>>>> If I set SELinux to Permissive, I can log into anyone.
>>>> SEAlert is quiet.
>>>> In the Audit log, I get:
>>>> # grep lightdm /var/log/audit/audit.log | grep denied
>>>> type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>> type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
>>>> SELinux is taking a shine to everyone's, except root's, .xsession-errors.
>>>> How do I fix this?
>> I am indeed running two samba shares from /home
>> $ ls -Z /home/todd/.xsession-errors
>> system_u:object_r:samba_share_t:s0 /home/todd/.xsession-errors
>> # restorecon -r /home/todd
>> Didn't work
>> Samba is running share from /home
>> # setsebool -P samba_enable_home_dirs on
>> Didn't work
>> # restorecon -Rv /home
>> # semanage boolean -m samba_enable_home_dirs --on
>> Didn't work
>> # semanage boolean -P samba_enable_home_dirs on
>> Didn't work
>> /usr/bin/sealert -b
>> Is quiet
> Any hints in here?
> $ ls -aZ
> unconfined_u:object_r:samba_share_t:s0 .
> system_u:object_r:home_root_t:s0 ..
> unconfined_u:object_r:samba_share_t:s0 .acetoneiso
> unconfined_u:object_r:samba_share_t:s0 .adobe
> unconfined_u:object_r:samba_share_t:s0 apctest.output
Seems to me that all this crap is from my home directory and should not have anything to do with samba
The samba shares are on /home/CDs and /home/OurStuff
On 03/13/18 06:13, ToddAndMargo wrote:
> /usr/bin/sealert -b
> Is quiet
If I put the AVC's you mention in the original post in a file....
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
And run sealert against them I get....
[egreshko@meimei ~]$ sealert -a err
100% done
found 2 alerts in err
--------------------------------------------------------------------------------
SELinux is preventing lightdm from create access on the file .xsession-errors.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that lightdm should be allowed create access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp
Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                .xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1 SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      4b15d210-1cff-461f-8c2a-8469d09752d2
Raw Audit Messages
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
Hash: lightdm,xdm_t,samba_share_t,file,create
--------------------------------------------------------------------------------
SELinux is preventing lightdm from 'write, open' accesses on the file /home/tony/.xsession-errors.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/home/tony/.xsession-errors default label should be xdm_home_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /home/tony/.xsession-errors
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that lightdm should be allowed write open access on the .xsession-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
# semodule -X 300 -i my-lightdm.pp
Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:samba_share_t:s0
Target Objects                /home/tony/.xsession-errors [ file ]
Source                        lightdm
Source Path                   lightdm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.15.7-300.fc27.x86_64 #1 SMP Wed Feb 28 17:53:39 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-03-12 16:31:19 CST
Last Seen                     2018-03-12 16:31:19 CST
Local ID                      82cda10c-f801-4a67-b762-54b27ad752cb
Raw Audit Messages
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
Hash: lightdm,xdm_t,samba_share_t,file,write,open
On 03/12/2018 03:49 PM, Ed Greshko wrote:
> # /sbin/restorecon -v /home/tony/.xsession-errors
> # ausearch -c 'lightdm' --raw | audit2allow -M my-lightdm
> # semodule -X 300 -i my-lightdm.pp
That happened very early on in SEAlert. SEAlert is now quiet.
Redoing the above did not help.
Now Samba does not work either.
Follow up:
With everyone's help, I cleaned up my SELinux homedir's and set Samba's SELinux stuff right.
I still could not log in from lightdm, except to root, when SELinux was Enforcing.
And SEAlert was completely quiet. And /var/log/audit/audit.log was completely empty.
Then I got sneaky and created a new user in a different root directory (/home2). That worked. Hmmmmmmm.....
So I renamed my $HOME directory and recreated an empty one. That worked too. POOP !!!!!!
So I thought of trying to trace down who was doing it. Gave up and restored my user's directories from backup. That also worked!
Yippee!
Thank you all for the tips. I wrote down about five of them, so I would not forget. SELinux baffles me at times.
-T
On 03/13/18 13:57, ToddAndMargo wrote:
> Thank you all for the tips. I wrote down about five of them, so I would not forget. SELinux baffles me at times.
Good to hear all is working now.
One thing I just realized I was remiss in mentioning. There are times where you will have selinux preventing something but you won't get an AVC in the audit.log. This is due to a policy which has "dontaudit" enabled. If you run into this situation again you should try the command "semodule -BD". The D means "Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt". After troubleshooting run "semodule -B" to restore to normal operation.
Sorry to have left that out. I don't run into many selinux issues and forgot about it.
On 03/13/2018 06:57 AM, ToddAndMargo wrote:
> Follow up:
> With everyone's help, I cleaned up my SELinux homedir's and set Samba's SELinux stuff right.
> I still could not log in from lightdm, except to root, when SELinux was Enforcing.
> And SEAlert was completely quiet. And /var/log/audit/audit.log was completely empty.
> Then I got sneaky and created a new user in a different root directory (/home2). That worked. Hmmmmmmm.....
> So I renamed my $HOME directory and recreated an empty one. That worked too. POOP !!!!!!
> So I thought of trying to trace down who was doing it. Gave up and restored my user's directories from backup. That also worked!
> Yippee!
> Thank you all for the tips. I wrote down about five of them, so I would not forget. SELinux baffles me at times.
I'm quite lost with your e-mails, but how is it labeled right now in your homedir? It shouldn't be samba_share_t if it's working and also, could you please attach output of:
# semanage export
Thanks, Lukas.
> -T
On 03/13/2018 02:39 AM, Lukas Vrabec wrote:
> On 03/13/2018 06:57 AM, ToddAndMargo wrote:
>> Follow up:
>> With everyone's help, I cleaned up my SELinux homedir's and set Samba's SELinux stuff right.
>> I still could not log in from lightdm, except to root, when SELinux was Enforcing.
>> And SEAlert was completely quiet. And /var/log/audit/audit.log was completely empty.
>> Then I got sneaky and created a new user in a different root directory (/home2). That worked. Hmmmmmmm.....
>> So I renamed my $HOME directory and recreated an empty one. That worked too. POOP !!!!!!
>> So I thought of trying to trace down who was doing it. Gave up and restored my user's directories from backup. That also worked!
>> Yippee!
>> Thank you all for the tips. I wrote down about five of them, so I would not forget. SELinux baffles me at times.
> I'm quite lost with your e-mails, but how is it labeled right now in your homedir? It shouldn't be samba_share_t if it's working and also, could you please attach output of:
> # semanage export
> Thanks, Lukas.
What is the command telling me?
# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 daemons_use_tty
boolean -m -1 named_write_master_zones
boolean -m -1 samba_domain_controller
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser/chromium-browser.sh'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
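An added example, not part of the thread and not any poster's own tooling: it cross-checks the AVC denials from the first post against the `semanage export` output above and lists the local `fcontext` rules that assign the denied target type to a pattern covering the denied path. The sample input is copied from the thread; the function names are this example's own, and Python's `re.fullmatch` stands in for the file-context regex matching as an assumption.

```python
import re
import shlex

# Sample input copied from the thread: the two AVC denials from the first post.
AVC_LOG = '''\
type=AVC msg=audit(1520843479.104:515): avc: denied { create } for pid=7554 comm="lightdm" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520843479.104:516): avc: denied { write open } for pid=7554 comm="lightdm" path="/home/tony/.xsession-errors" dev="dm-1" ino=54526689 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=file permissive=1
'''

# Sample input copied from the thread: local customizations from `semanage export`.
SEMANAGE_EXPORT = """\
boolean -D
fcontext -D
boolean -m -1 samba_enable_home_dirs
boolean -m -1 samba_export_all_rw
fcontext -a -f a -t samba_share_t '/home(/.*)?'
fcontext -a -f a -t samba_share_t '/home/CDs(/.*)?'
fcontext -a -f a -t samba_share_t '/home/OurStuff(/.*)?'
fcontext -a -f a -t chrome_sandbox_exec_t '/usr/lib/chrome-sandbox'
fcontext -a -f a -t bin_t '/usr/lib/chromium-browser'
fcontext -a -f a -t rpm_exec_t '/usr/share/dnfdaemon/dnfdaemon-system'
fcontext -a -e /home /home/users
fcontext -a -e /home /nfshome
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the type is what policy rules act on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def alert_key(rec):
    """Same fields, in the same order, as the 'Hash:' line in the sealert output."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"],
                     rec["tclass"], *rec["perms"]])


def local_fcontext_rules(export_text):
    """Yield (pattern, type) for each locally added file-context rule."""
    for line in export_text.splitlines():
        tok = shlex.split(line)
        # Keep 'fcontext -a ... -t TYPE PATTERN'; skip '-D' and '-e' equivalences.
        if tok[:1] == ["fcontext"] and "-a" in tok and "-t" in tok:
            yield tok[-1], tok[tok.index("-t") + 1]


def rules_behind(rec, rules):
    """Local rules that assign the denied target type to the denied path."""
    path = rec.get("path")  # the 'create' denial carries only name=, no full path
    if path is None:
        return []
    return [(pat, typ) for pat, typ in rules
            if typ == rec["ttype"] and re.fullmatch(pat, path)]


def report(avc_text, export_text):
    """Pair each denial's key with the local rules that could explain its label."""
    rules = list(local_fcontext_rules(export_text))
    findings = []
    for line in avc_text.splitlines():
        rec = parse_avc(line)
        if rec:
            findings.append((alert_key(rec), rules_behind(rec, rules)))
    return findings


if __name__ == "__main__":
    for key, rules in report(AVC_LOG, SEMANAGE_EXPORT):
        print(key)
        for pat, typ in rules:
            print(f"  local rule: {pat} -> {typ}")
```

A rule reported this way is a candidate explanation for `restorecon` leaving the type unchanged, since `restorecon` takes its labels from the file-context rules, local ones included; `semanage fcontext -d` removes a local rule.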
On 03/12/2018 11:53 PM, Ed Greshko wrote:
> There are times where you will have selinux preventing something but you won't get an AVC in the audit.log. This is due to a policy which has "dontaudit" enabled. If you run into this situation again you should try the command "semodule -BD". The D means "Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt". After troubleshooting run "semodule -B" to restore to normal operation.
Thank you! I wrote it down for the next time!