Bug 1886196 - selinux-policy-3.14.7-5.fc34 breaks desktop login for GNOME and KDE
Summary: selinux-policy-3.14.7-5.fc34 breaks desktop login for GNOME and KDE
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Duplicates: 1886946 1888442 1888634 1889521
Depends On:
Blocks: F34BetaBlocker
 
Reported: 2020-10-07 21:17 UTC by Adam Williamson
Modified: 2020-10-24 17:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-24 17:26:38 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2020-10-07 21:17:04 UTC
In Fedora-Rawhide-20201007.n.0 , openQA tests for KDE and Workstation live images and Silverblue all failed. They all seem to be caused by selinux-policy-3.14.7-5.fc34 (which appeared in that compose), because I see relevant AVCs in the system logs, and I also tested booting the Workstation and KDE live images with 'enforcing=0' and they both booted normally.

With SELinux in enforcing mode, the live images both boot to a login screen instead of directly to a working desktop, as they should. It's not possible to log in (at least in GNOME, didn't check KDE) - attempting just cycles back to the login screen. The installed Silverblue system boots to gnome-initial-setup and then when that is complete, to a kind of half-finished GNOME desktop - the user menu is present but the Activities menu is not.

AVCs from the boots in enforcing mode:

Workstation live
================

Oct 07 21:12:25 localhost-live audit[1403]: AVC avc:  denied  { transition } for  pid=1403 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=263929 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:12:25 localhost-live audit[1404]: AVC avc:  denied  { transition } for  pid=1404 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=170104 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:12:25 localhost-live audit[1405]: AVC avc:  denied  { transition } for  pid=1405 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=168361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

KDE live
========

Oct 07 21:07:48 localhost-live audit[1285]: AVC avc:  denied  { transition } for  pid=1285 comm="sddm-helper" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=262094 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:07:48 localhost-live audit[1286]: AVC avc:  denied  { transition } for  pid=1286 comm="sddm-helper" path="/etc/sddm/wayland-session" dev="dm-0" ino=184819 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

Booting with enforcing=0 shows fewer AVCs (just the first in each case, I think), so I figure the subsequent ones are for fallbacks or something.

This seems a clear F34 Beta blocker per Basic criterion "Release-blocking live images must boot to the expected boot menu, and then to a desktop or to a login prompt where it is clear how to log in to a desktop" - at least in GNOME (only case I tested) you can't log into the desktop.

Comment 1 Adam Williamson 2020-10-07 21:24:50 UTC
Also breaks log in to a freshly installed regular system (after entering password system just returns to login manager), and systems upgraded from F32 or F33.

Comment 2 Adam Williamson 2020-10-08 17:20:45 UTC
CCing GNOME / Silverblue and KDE folks for info.

Comment 3 Adam Williamson 2020-10-10 00:01:24 UTC
*** Bug 1886946 has been marked as a duplicate of this bug. ***

Comment 4 David Hicks 2020-10-10 11:21:34 UTC
Confirmed on Fedora Rawhide after a recent upgrade.

Relevant log extract with SELinux in enforcing mode:

Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: unable to locate daemon control file
Oct 10 21:21:51 computer audit[2565]: USER_AUTH pid=2565 uid=0 auid=1234 ses=1234 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="d>
Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: stashed password to try later in open session
...
Oct 10 21:21:51 computer gdm-password][2565]: pam_unix(gdm-password:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:21:51 computer audit[2593]: AVC avc:  denied  { transition } for  pid=2593 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
Oct 10 21:21:51 computer systemd[2578]: Reached target Timers.
Oct 10 21:21:51 computer systemd[2578]: Starting D-Bus User Message Bus Socket.
Oct 10 21:21:51 computer audit[2565]: USER_START pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_>
Oct 10 21:21:51 computer gdm-password][2593]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied
Oct 10 21:21:51 computer systemd[2578]: Listening on Multimedia System.
Oct 10 21:21:51 computer gdm-password][2565]: gkr-pam: gnome-keyring-daemon didn't start properly
Oct 10 21:21:51 computer systemd[2578]: Listening on Sound System.
Oct 10 21:21:51 computer systemd[2578]: Listening on D-Bus User Message Bus Socket.
Oct 10 21:21:51 computer systemd[2578]: Reached target Sockets.
Oct 10 21:21:51 computer systemd[2578]: Reached target Basic System.
Oct 10 21:21:51 computer systemd[2578]: Reached target Main User Target.
Oct 10 21:21:51 computer systemd[2578]: Startup finished in 200ms.
Oct 10 21:21:51 computer systemd[1]: Started User Manager for UID 1000.
Oct 10 21:21:51 computer systemd[1]: Started Session 2 of user david.
Oct 10 21:21:51 computer audit[2601]: AVC avc:  denied  { transition } for  pid=2601 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:u>
Oct 10 21:21:51 computer gdm-password][2565]: Gdm: Unable to run script: Failed to execute child process “/etc/gdm/PreSession/Default” (Permission denied)
Oct 10 21:21:51 computer kernel: rfkill: input handler enabled
Oct 10 21:21:51 computer audit[2602]: AVC avc:  denied  { transition } for  pid=2602 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfine>
Oct 10 21:21:52 computer gdm-password][2565]: pam_unix(gdm-password:session): session closed for user david
Oct 10 21:21:52 computer audit[2565]: USER_END pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_l>
Oct 10 21:21:52 computer audit[2565]: CRED_DISP pid=2565 uid=0 auid=1000 ses=2 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix,pam_gnome_keyring acct="david" exe="/usr/libexec/gdm-session-w>
Oct 10 21:21:52 computer kernel: rfkill: input handler disabled
Oct 10 21:21:52 computer gdm[1999]: Gdm: GdmDisplay: Session never registered, failing
Oct 10 21:21:52 computer systemd[1]: session-2.scope: Succeeded.
Oct 10 21:21:52 computer systemd-logind[1801]: Session 2 logged out. Waiting for processes to exit.
Oct 10 21:21:52 computer systemd-logind[1801]: Removed session 2.

In SELinux permissive mode (working):

Oct 10 21:28:08 computer gdm-password][2540]: gkr-pam: unable to locate daemon control file
Oct 10 21:28:08 computer audit[2540]: USER_AUTH pid=2540 uid=0 auid=1234 ses=1234 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_localuser,pam_unix,pam_gnome_keyring acct="d>
Oct 10 21:28:08 computer gdm-password][2540]: gkr-pam: stashed password to try later in open session
...
Oct 10 21:28:09 computer systemd[2554]: pam_unix(systemd-user:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:28:09 computer audit[2554]: USER_START pid=2554 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="dav>
Oct 10 21:28:09 computer systemd[2565]: Not generating service for XDG autostart app-gnome\x2dkeyring\x2dsecrets-autostart.service, startup phases are not supported.
...
Oct 10 21:28:09 computer audit[2569]: AVC avc:  denied  { transition } for  pid=2569 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
Oct 10 21:28:09 computer systemd[2554]: Listening on Multimedia System.
Oct 10 21:28:09 computer gdm-password][2540]: pam_unix(gdm-password:session): session opened for user david(uid=1000) by (uid=0)
Oct 10 21:28:09 computer systemd[2554]: Listening on Sound System.
Oct 10 21:28:09 computer systemd[2554]: Listening on D-Bus User Message Bus Socket.
Oct 10 21:28:09 computer systemd[2554]: Reached target Sockets.
Oct 10 21:28:09 computer systemd[2554]: Reached target Basic System.
Oct 10 21:28:09 computer systemd[2554]: Reached target Main User Target.
Oct 10 21:28:09 computer systemd[2554]: Startup finished in 194ms.
Oct 10 21:28:09 computer systemd[1]: Started User Manager for UID 1000.
Oct 10 21:28:09 computer systemd[1]: Started Session 2 of user david.
Oct 10 21:28:09 computer gdm-password][2540]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
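
An added triage helper for the AVC lines quoted in the description and in the log extract above; it is example code written for this page, not part of the bug report, of gdm or of selinux-policy. It parses `AVC avc: denied { ... }` records out of journal text, separates process transitions SELinux actually blocked (`permissive=0`) from denials that were only logged (`permissive=1`, the enforcing=0 case the reporter compared against), and counts denials per source type. The sample lines are constructed in the shape of the quoted ones (inode and pid values are made up), and the function names `parse_avc`, `parse_log`, `blocked_transitions` and `denials_by_source` are chosen here.

```python
import re

# Constructed sample in the shape of the journal lines quoted in this bug:
# two enforced process-transition denials, one permissive (logged but not
# enforced) file denial, and one unrelated systemd line. Inode and pid
# values are made up for the example.
SAMPLE_LOG = """\
Oct 07 21:12:25 localhost-live audit[1403]: AVC avc:  denied  { transition } for  pid=1403 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=263929 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:12:25 localhost-live audit[1405]: AVC avc:  denied  { transition } for  pid=1405 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=168361 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Oct 07 21:13:01 localhost-live audit[1500]: AVC avc:  denied  { read } for  pid=1500 comm="example-app" name="example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Oct 07 21:13:02 localhost-live systemd[1]: Started Session 2 of user david.
"""

# "AVC avc:  denied  { transition } for  pid=... comm=..." -> decision,
# permission set, and the remaining key=value fields.
AVC_RE = re.compile(
    r"AVC avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one journal/audit line. Returns a dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if bare == "" else bare
    # The third field of a context is the SELinux type (xdm_t, unconfined_t, ...).
    # A truncated paste (journalctl output cut off at '>') may lack the type;
    # it is then None rather than an exception.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) > 2 else None
    # permissive=1 means the access was logged but still allowed.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def parse_log(text):
    """All AVC records in a block of journal text, in order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def blocked_transitions(records):
    """Process transitions SELinux actually blocked: denied, tclass=process,
    'transition' in the permission set, and not in permissive mode. These are
    the records that explain a login loop like the one in this bug; permissive=1
    entries are only logged and never stop the session from starting."""
    found = {
        (r["scontext_type"], r["tcontext_type"], r.get("path"))
        for r in records
        if r["decision"] == "denied"
        and r.get("tclass") == "process"
        and "transition" in r["perms"]
        and not r["permissive"]
    }
    # Sort with None mapped to "" so truncated records do not break ordering.
    return sorted(found, key=lambda t: tuple(x or "" for x in t))


def denials_by_source(records):
    """Count denials per source type, enforced and logged-only separately."""
    counts = {}
    for r in records:
        if r["decision"] != "denied":
            continue
        bucket = counts.setdefault(r["scontext_type"], {"enforced": 0, "permissive": 0})
        bucket["permissive" if r["permissive"] else "enforced"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, dst, path in blocked_transitions(recs):
        print(f"blocked transition {src} -> {dst} when executing {path}")
    print(denials_by_source(recs))
```

Feed it a `journalctl -b` dump with `parse_log(open(path).read())` to get, in one pass, which domain-to-domain transitions failed under enforcing (here xdm_t to unconfined_t on the session helper binaries) and how many denials per source domain were merely logged. `ausearch -m avc` and `audit2allow` remain the authoritative tools; this is only for quick correlation between an AVC and the `gkr-pam: couldn't run gnome-keyring-daemon: Permission denied` failure that follows it in the log.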

Comment 5 Zdenek Pytela 2020-10-15 15:48:46 UTC
Adam, David,

Does this problem appear only with kernel 5.9?

Comment 6 Adam Williamson 2020-10-15 15:51:49 UTC
I don't know off the top of my head. The thing that changed and caused the problem was selinux, though, not the kernel. The kernel didn't change between Fedora-Rawhide-20201006.n.1 (which worked) and Fedora-Rawhide-20201007.n.0 (which was the first time the bug showed up), the thing that changed was selinux-policy.

Can we please have this fixed? It is blocking all other Rawhide testing in openQA at present.

Comment 7 Zdenek Pytela 2020-10-15 15:55:06 UTC
*** Bug 1888634 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2020-10-15 15:55:10 UTC
*** Bug 1888442 has been marked as a duplicate of this bug. ***

Comment 9 David Hicks 2020-10-15 23:52:33 UTC
Zdenek, I'm still seeing the same problem occur with an up-to-date Rawhide repository. SELinux in permissive mode works OK, and this login loop still occurs when SELinux is in enforcing mode. Relevant packages installed are:
- selinux-policy.noarch 3.14.7-5.fc34
- gdm.x86_64 1:3.38.1-1.fc34
- kernel.x86_64 5.10.0-0.rc0.20201014gitb5fc7a89e58b.41.fc34
- gnome-keyring.x86_64 3.36.0-4.fc33
- gnome-keyring-pam.x86_64 3.36.0-4.fc33

Oct 16 10:23:11 computer audit[1234]: AVC avc:  denied  { transition } for  pid=1234 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u>
...
Oct 16 10:23:11 computer gdm-password][1234]: gkr-pam: couldn't run gnome-keyring-daemon: Permission denied
...
Oct 16 10:23:11 computer gdm-password][1234]: gkr-pam: gnome-keyring-daemon didn't start properly
...
Oct 16 10:23:11 computer audit[1234]: AVC avc:  denied  { transition } for  pid=1234 comm="gdm-session-wor" path="/etc/gdm/PreSession/Default" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:u>
Oct 16 10:23:11 computer gdm-password][1234]: Gdm: Unable to run script: Failed to execute child process “/etc/gdm/PreSession/Default” (Permission denied)
Oct 16 10:23:11 computer kernel: rfkill: input handler enabled
Oct 16 10:23:11 computer audit[1234]: AVC avc:  denied  { transition } for  pid=1234 comm="gdm-session-wor" path="/usr/libexec/gdm-wayland-session" dev="dm-0" ino=1234 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfine>
Oct 16 10:23:11 computer gdm-password][1234]: pam_unix(gdm-password:session): session closed for user johndoe
O
...
Oct 16 10:23:11 computer gdm[1234]: Gdm: GdmDisplay: Session never registered, failing

Comment 10 Mamoru TASAKA 2020-10-16 13:58:23 UTC
So https://github.com/fedora-selinux/selinux-policy/commit/f28692cd4a5d8d380a2c78e6a208119ce46d9722 seems the bad commit.

For LXDE rawhide, selinux-policy-3.14.7-5.fc34 with the above commit reverted works fine.

Comment 11 Mamoru TASAKA 2020-10-16 14:26:10 UTC
Fedora-Workstation-Live-Rawhide-20201014.n.0 live image (downloaded from near mirror server) seems fine with selinux-policy-3.14.7-5.fc34 with the above commit reverted.

Comment 12 Zdenek Pytela 2020-10-19 08:38:19 UTC
Thanks everybody for your help, new builds will be ready soon.

Comment 13 Zdenek Pytela 2020-10-20 07:00:58 UTC
*** Bug 1889521 has been marked as a duplicate of this bug. ***

Comment 14 AndyBetts 2020-10-20 13:59:50 UTC
This bug appears to be still a problem for this image https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20201020.n.0/compose/Spins/x86_64/iso/Fedora-KDE-Live-x86_64-Rawhide-20201020.n.0.iso

The system boots up. However, it is unable to login and start the installation.

Comment 15 Adam Williamson 2020-10-20 15:34:31 UTC
Yeah, it won't be fixed until there is a new selinux-policy build in the compose.

Comment 16 AndyBetts 2020-10-20 15:43:19 UTC
(In reply to Adam Williamson from comment #15)
> Yeah, it won't be fixed until there is a new selinux-policy build in the
> compose.

Do we know when that will happen?

Comment 17 Mamoru TASAKA 2020-10-20 16:03:18 UTC
(In reply to AndyBetts from comment #16)
> (In reply to Adam Williamson from comment #15)
> > Yeah, it won't be fixed until there is a new selinux-policy build in the
> > compose.
> 
> Do we know when that will happen?

Now I would expect soon: https://github.com/fedora-selinux/selinux-policy/pull/458

Comment 18 Zdenek Pytela 2020-10-20 16:35:23 UTC
Either we will resolve it soon or revert the commit which led to the current state.

Comment 19 Zdenek Pytela 2020-10-23 10:29:46 UTC
There is a new rawhide build
https://koji.fedoraproject.org/koji/taskinfo?taskID=54035777

with the commit reverted, but there already is a different solution on the way.

I'd like to close this bz if somebody else confirms the logging in working.

Comment 20 Adam Williamson 2020-10-23 15:16:35 UTC
We'll be able to tell from the openQA results for the new Rawhide compose (20201023.n.0 doesn't have the new build, next compose should).

Comment 21 David Hicks 2020-10-24 11:24:24 UTC
Confirming that selinux-policy-3.14.7-6.fc34.noarch fixed the issue for me (Rawhide repository).

Comment 22 Adam Williamson 2020-10-24 17:26:38 UTC
Yes, openQA tests confirm this too.

