Display manager (tested with lightdm and xdm) does not show when started by OpenRC; instead a blank screen with a command prompt is shown. Nothing useful is seen in dmesg, audit.log or /var/log/lightdm.

1. This fails:

```
# rc-update | grep xdm
                 xdm | default
# ps -elyZ | grep 4498
LABEL                       S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY      TIME CMD
system_u:system_r:xdm_t     S     0  4498     1  0  80   0 10348 58760 x64_sy ?    00:00:00 lightdm
system_u:system_r:xserver_t S     0  4552  4498  0  80   0 49740 42172 -      tty7 00:00:00 X
system_u:system_r:xdm_t     S     0  4619  4498  0  80   0  7888 39623 -      ?    00:00:00 lightdm
system_u:system_r:xdm_t     S     0  4657  4498  0  80   0  5540  2678 -      ?    00:00:00 light
# init 2
# init 3
```

2. This somehow works:

```
# /etc/init.d/xdm restart
# ps -elyZ | grep 4798
LABEL                       S   UID   PID  PPID  C PRI  NI   RSS    SZ WCHAN  TTY      TIME CMD
system_u:system_r:xdm_t     S     0  4798     1  0  80   0 10368 77183 x64_sy ?    00:00:00 lightdm
system_u:system_r:xserver_t S     0  4813  4798  4  80   0 49484 42112 -      tty7 00:00:00 X
system_u:system_r:xdm_t     S     0  4823  4798  0  80   0  7808 39623 -      ?    00:00:00 lightdm
system_u:system_r:xdm_t     S     0  4860  4798  0  80   0  5448  2678 -      ?    00:00:00 lightdm
# init 2
# init 3
```

*Steps to reproduce*

1. Machine with OpenRC and SELinux set into enforcing mode with the strict policy.
2. Add xdm into the default runlevel.
3. Reboot the machine.

*Expected result*

Display manager (e.g. lightdm) shows.

*Actual result*

Blank screen with a command prompt.

*Dirty fix*

1. `semanage permissive -a xserver_t`
2. `/etc/init.d/xdm restart`
The most suspicious thing is that `semanage permissive -a xserver_t` dirty-fixes the problem, although `ps -elyZ` does not show any difference in process contexts.
Just in case, the OpenRC audit.log:

```
# cat /var/log/audit/audit.log | grep xserver_t
type=AVC msg=audit(1571585350.980:75): avc: denied { execmem } for pid=4549 comm="X" scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=process permissive=0
type=SYSCALL msg=audit(1571585350.980:75): arch=c000003e syscall=10 success=no exit=-13 a0=7f3301879000 a1=35000 a2=7 a3=fffffffffffffbfb items=0 ppid=4495 pid=4549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t key=(null)
```

`/etc/init.d/xdm restart` audit.log:

```
# cat /var/log/audit/audit.log | grep xserver_t
type=AVC msg=audit(1571585490.765:127): avc: denied { execmem } for pid=4812 comm="X" scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=process permissive=0
type=SYSCALL msg=audit(1571585490.765:127): arch=c000003e syscall=10 success=no exit=-13 a0=7f3b6b704000 a1=35000 a2=7 a3=fffffffffffffbfb items=0 ppid=4800 pid=4812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=3 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t key=(null)
```
I think I found it:

1. I ran `semodule -DB` to increase the verbosity of audit.log.
2. I recorded audit.log for `init 2 && init 3`.
3. I recorded audit.log for `/etc/init.d/xdm restart`.

And here is the diff of `diff <(cat root.audit2why | grep xserver_t) <(cat initrc.audit2why | grep xserver_t)`:

```
2a3
> allow xserver_t self:capability chown;
```
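The comparison described in the comment above, written out as an added example (this is not code from the issue, from refpolicy or from OpenRC): normalize the AVC denials of two runs into context/class/permission tuples, diff them so only what differs between the working and the failing run remains, and turn exactly those denials into a local policy module, which is the narrow alternative to `semanage permissive -a xserver_t`. It assumes, from the file names in the comment, that `root.audit2why` is the manual `/etc/init.d/xdm restart` and `initrc.audit2why` the OpenRC-started run. The log lines written by `write_sample_logs` are constructed for this example: the `execmem` and `capability chown` denials mirror what the issue's logs and audit2why diff show, the `file { read write }` denial on `xserver_tmp_t` is invented only to exercise multi-permission handling, and the file and module names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the issue, refpolicy or OpenRC: diff the AVC
# denials of two runs and turn the denials unique to one run into a minimal,
# checkmodule-compatible policy module. Sample log lines are constructed for
# this example (execmem and capability chown mirror the issue; the file
# read/write denial on xserver_tmp_t is invented to exercise brace handling).

# Emit one "scontext tcontext tclass perm [perm...]" tuple per AVC denial,
# sorted and de-duplicated, so two runs compare regardless of PIDs,
# timestamps or ordering. The regex tolerates the kernel's double spaces.
avc_tuples() {
    grep 'type=AVC' "$1" |
    sed -n 's/.*denied *{ *\([^}]*[^ }]\) *} .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 \1/p' |
    sort -u
}

# Denials present in the second log but absent from the first (comm -13 keeps
# lines unique to its second input; both inputs are sorted by avc_tuples).
avc_only_in_second() {
    a=$(mktemp) && b=$(mktemp) || return 1
    avc_tuples "$1" > "$a"
    avc_tuples "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Read tuples on stdin and print a .te module in the shape audit2allow -M
# produces (module/require/allow), covering exactly those denials.
te_from_tuples() {
    awk -v mod="$1" '
    {
        split($1, s, ":"); split($2, t, ":")
        src = s[3]; tgt = (t[3] == src) ? "self" : t[3]
        if (!(src in seen)) { seen[src] = 1; types[++nt] = src }
        if (tgt != "self" && !(tgt in seen)) { seen[tgt] = 1; types[++nt] = tgt }
        cls = $3; perms = ""
        if (!(cls in cseen)) { cseen[cls] = 1; classes[++nc] = cls }
        for (i = 4; i <= NF; i++) {
            perms = perms (i > 4 ? " " : "") $i
            if (!((cls, $i) in cp)) { cp[cls, $i] = 1; cperms[cls] = cperms[cls] " " $i }
        }
        if (NF > 4) perms = "{ " perms " }"
        rules[++nr] = "allow " src " " tgt ":" cls " " perms ";"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) {
            p = substr(cperms[classes[i]], 2)
            if (index(p, " ")) p = "{ " p " }"
            printf "\tclass %s %s;\n", classes[i], p
        }
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Constructed sample data in audit.log format: openrc.log stands for the
# OpenRC-started (failing) run, manual.log for the manual restart.
write_sample_logs() {
    cat > "$1/openrc.log" <<'EOF'
type=AVC msg=audit(1571585350.980:75): avc:  denied  { execmem } for  pid=4549 comm="X" scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=process permissive=0
type=SYSCALL msg=audit(1571585350.980:75): arch=c000003e syscall=10 success=no exit=-13 comm="X" exe="/usr/bin/Xorg" subj=system_u:system_r:xserver_t key=(null)
type=AVC msg=audit(1571585351.012:76): avc:  denied  { chown } for  pid=4549 comm="X" capability=0 scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=capability permissive=0
type=AVC msg=audit(1571585351.020:77): avc:  denied  { read write } for  pid=4549 comm="X" name="x" dev="tmpfs" ino=1 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:xserver_tmp_t tclass=file permissive=0
EOF
    cat > "$1/manual.log" <<'EOF'
type=AVC msg=audit(1571585490.765:127): avc:  denied  { execmem } for  pid=4812 comm="X" scontext=system_u:system_r:xserver_t tcontext=system_u:system_r:xserver_t tclass=process permissive=0
type=AVC msg=audit(1571585490.790:128): avc:  denied  { read write } for  pid=4812 comm="X" name="x" dev="tmpfs" ino=1 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:xserver_tmp_t tclass=file permissive=0
EOF
}

# Stand-alone run: what the failing run is denied that the working run is not,
# and the module that would allow only that.
workdir=$(mktemp -d)
write_sample_logs "$workdir"
echo "== denials only in the OpenRC-started run =="
avc_only_in_second "$workdir/manual.log" "$workdir/openrc.log"
echo "== minimal module for exactly those =="
avc_only_in_second "$workdir/manual.log" "$workdir/openrc.log" | te_from_tuples local_xserver
rm -rf "$workdir"
```

Two practical notes. The `execmem` denial appears in both the working and the failing run, so it cannot be what breaks the OpenRC start; a tool that allows everything it sees would also grant `xserver_t` executable anonymous memory, which is a real weakening, so only diff the runs and allow the difference. To install the generated rule, `checkmodule -M -m -o local_xserver.mod local_xserver.te`, `semodule_package -o local_xserver.pp -m local_xserver.mod` and `semodule -i local_xserver.pp` build and load it, and once the diagnosis is done `semodule -B` rebuilds the policy with the dontaudit rules that `semodule -DB` had disabled, otherwise audit.log keeps filling with the noise they normally hide.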
Opened https://github.com/SELinuxProject/refpolicy/issues/123