Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Component/s: None
Labels:
- openrc
- selinux

Epic Link:
Security

replication of:

Versions info

# X -version
X.Org X Server 1.20.5
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.19.67_p2-r1-debian-sources-lts x86_64 Gentoo
Current Operating System: Linux pc 4.19.67_p2-r1-debian-sources-lts #1 SMP Fri Sep 27 13:23:14 CEST 2019 x86_64
Kernel command line: BOOT_IMAGE=/kernel-debian-sources-lts-x86_64-4.19.67_p2-r1 real_root=/dev/sdc6 rootfstype=ext4 rand_id=FI38EHQ7 pci=nocrs security=selinux enforcing=1
Build Date: 11 October 2019  06:19:53P

# emerge -pv selinux-xserver openrc lightdm xdm
sec-policy/selinux-xserver-9999::security-kit
sys-apps/openrc-0.41.2-r1::core-kit  USE="bash-completion ncurses pam (selinux) unicode -audit -debug -netifrc -newnet (-prefix) -static-libs -zsh-completion"
x11-misc/lightdm-1.30.0::desktop-kit  USE="gnome gtk -audit -introspection -non_root -qt5 -vala"
x11-apps/xdm-1.1.11-r3::xorg-kit  USE="ipv6 pam -consolekit -xdm-auth"

Description
Display manager (tested with lightdm and xdm) does not show when started by OpenRC - instead blank screen with command prompt is shown

this fails

# rc-update | grep xdm
                  xdm |      default

# ps -elyZ | grep 4498
LABEL                           S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY          TIME CMD
system_u:system_r:xdm_t         S     0  4498     1  0  80   0 10348 58760 x64_sy ?        00:00:00 lightdm
system_u:system_r:xserver_t     S     0  4552  4498  0  80   0 49740 42172 -      tty7     00:00:00 X
system_u:system_r:xdm_t         S     0  4619  4498  0  80   0  7888 39623 -      ?        00:00:00 lightdm
system_u:system_r:xdm_t         S     0  4657  4498  0  80   0  5540  2678 -      ?        00:00:00 lightdm

# init 2
# init 3

this works

# /etc/init.d/xdm restart
# ps -elyZ | grep 4798
LABEL                           S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY          TIME CMD
system_u:system_r:xdm_t         S     0  4798     1  0  80   0 10368 77183 x64_sy ?        00:00:00 lightdm
system_u:system_r:xserver_t     S     0  4813  4798  4  80   0 49484 42112 -      tty7     00:00:00 X
system_u:system_r:xdm_t         S     0  4823  4798  0  80   0  7808 39623 -      ?        00:00:00 lightdm
system_u:system_r:xdm_t         S     0  4860  4798  0  80   0  5448  2678 -      ?        00:00:00 lightdm

# init 2
# init 3

EDIT
~~nothing useful is seen neither in dmesg nor audit.log nor /var/log/lightdm~~
to get useful logs run semodule -DB here is the diff between /etc/init.d/xdm restart and init 3:

# diff <(cat root.audit2why | grep xserver_t) <(cat initrc.audit2why | grep xserver_t)
2a3
> allow xserver_t self:capability chown;

Steps to reproduce

machine with OpenRC and SELinux set into enforcing mode with strict policy
add xdm into default runlevel
reboot the machine

Expected result
display manager (e.g. lightdm) shows

Actual result
blank screen with command prompt

EDIT
Quick fix

selocal --add "allow xserver_t self:capability chown;" --comment "fix for initrc to launch xserver"
selocal --build --load

relates to

FL-7578 SELinux - command prompt instead of xdm on debian-sources-5.7.10

Closed

FL-6772 wrong SELinux context for /dev/nvidiactl and /dev/nvidia0

Closed

Assignee:: Unassigned

Reporter:: mrl5

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 20/Oct/19 7:54 AM

Updated:: 16/Aug/23 9:15 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates