[DSE-Dev] Bug#781779: selinux-policy-default: not possible to login via GUI when SELinux is set to enforcing

Andreas Florath andre at florath.net
Thu Apr 2 21:50:15 UTC 2015


Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: grave
Justification: renders package unusable

Dear Maintainer,

after enabling SELinux it is not possible to use graphical login anymore.
Instead of the desktop the following message appears:
"Oh no! Something has gone wrong.
A problem has occurred and the system can't recover. All extensions have been
disabled as a precaution."
Beneath there is a 'Logout' button.

When setting 'setenforce 0' it is possible to login (again).

Because there are so many AVCs, I cannot name the root cause here.
Attached you can find the output of 'audit2allow --boot'.

I set the severity to grave because IMHO a lot of people use / will
use Debian as their desktop / laptop OS with graphical UI.  This is
not usable any more when SELinux is enabled using the current default
policy.

If I can support finding the root cause or providing a patch, please
drop me a note.

Kind regards

Andre


-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

============================== 8< ==============================
# audit2allow --boot

#============= NetworkManager_t ==============
allow NetworkManager_t NetworkManager_initrc_exec_t:dir { read getattr open search };
allow NetworkManager_t init_var_run_t:dir read;
allow NetworkManager_t self:rawip_socket { write create setopt getattr };
allow NetworkManager_t systemd_logind_t:dbus send_msg;
allow NetworkManager_t systemd_logind_t:fd use;
allow NetworkManager_t systemd_logind_var_run_t:dir { read search };
allow NetworkManager_t systemd_logind_var_run_t:fifo_file write;
allow NetworkManager_t systemd_logind_var_run_t:file { read getattr open };

#============= alsa_t ==============

#!!!! The source type 'alsa_t' can write to a 'dir' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t

allow alsa_t var_run_t:dir { write create add_name setattr };

#!!!! The source type 'alsa_t' can write to a 'file' of the following types:
# pulseaudio_home_t, alsa_tmp_t, alsa_var_lib_t, alsa_lock_t, alsa_etc_rw_t, alsa_tmpfs_t, user_home_t

allow alsa_t var_run_t:file { read write create open lock };
allow alsa_t var_run_t:lnk_file create;
allow alsa_t xdm_t:process signull;
allow alsa_t xdm_tmpfs_t:file { read getattr unlink open };

#============= apmd_t ==============
allow apmd_t device_t:chr_file { read ioctl open };

#============= kernel_t ==============
allow kernel_t systemd_unit_file_t:service { status start };

#============= policykit_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, global_ssp
allow policykit_t urandom_device_t:chr_file { read getattr open };

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t xdm_t:process setsched;

#============= systemd_cgroups_t ==============
allow systemd_cgroups_t kernel_t:unix_dgram_socket sendto;
allow systemd_cgroups_t kernel_t:unix_stream_socket connectto;

#============= systemd_logind_t ==============
allow systemd_logind_t NetworkManager_t:dbus send_msg;

#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t tmpfs_t:dir { write remove_name rmdir };
allow systemd_logind_t tmpfs_t:sock_file unlink;
allow systemd_logind_t user_tmpfs_t:dir read;
allow systemd_logind_t user_tmpfs_t:file getattr;

#!!!! The source type 'systemd_logind_t' can write to a 'dir' of the following types:
# var_auth_t, cgroup_t, user_tmp_t, udev_var_run_t, systemd_logind_var_run_t, systemd_logind_sessions_t

allow systemd_logind_t xdm_tmpfs_t:dir { write getattr rmdir read remove_name open };
allow systemd_logind_t xdm_tmpfs_t:file { getattr unlink };

#============= udev_t ==============
allow udev_t self:netlink_socket { write getattr setopt read bind create };

#============= unconfined_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem
allow unconfined_t self:process execmem;

#============= xdm_t ==============
allow xdm_t init_t:system status;
