Loop login, SELinux GDM

tsantos
Posts: 6
Joined: 2017/09/09 16:39:23

Post by tsantos » 2017/09/15 23:28:14

Hello everybody,
Some days ago I did a CentOS 7 update and now I have a login loop with my user "Tsantos". With the root user it works, but I get an SELinux alert.
I'm using VirtualBox.

I'm afraid to execute the code, what do you recommend?
"
SELinux is preventing gdm-session-wor from create access on the directory gdm.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow polyinstantiation to enabled
Then you must tell SELinux about this by enabling the 'polyinstantiation_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P polyinstantiation_enabled 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that gdm-session-wor should be allowed create access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -i my-gdmsessionwor.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:object_r:admin_home_t:s0
Target Objects gdm [ dir ]
Source gdm-session-wor
Source Path gdm-session-wor
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-514.el7.x86_64
#1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count 3
First Seen 2017-08-14 19:07:37 IST
Last Seen 2017-08-18 19:22:20 IST
Local ID 756edf82-7fde-4325-bb9e-9863d4e95567

Raw Audit Messages
type=AVC msg=audit(1503080540.100:167): avc: denied { create } for pid=2799 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir


Hash: gdm-session-wor,xdm_t,admin_home_t,dir,create
"
Thanks

Tiago Santos

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Loop login, SELinux GDM

Post by TrevorH » 2017/09/16 00:20:37

That looks like you used mv to move a file from your /root directory instead of using cp and it has created a file there with the wrong selinux context on it. I don't see any information there about exactly which file it is so I would recommend that you relabel your filesystem. To do that, edit /etc/sysconfig/selinux and change SELINUX=enforcing to SELINUX=permissive and save it. Now touch /.autorelabel and reboot. When it comes back up, edit the same file and put it back to enforcing and reboot again.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post by tsantos » 2017/09/19 21:16:59

Hi,
Apologies for my missing answer, but I'm trying to fix it.
With your answer I understand where I made a mistake :-(. -> I was following a tutorial, creating some files with my user, but I arrived at a point where I received "permission denied". After that I used root to make some changes, like moving the files and other operations with them. Maybe I shouldn't have used root to do this test.

I'm new to Linux and I'm not sure if I'm doing the right thing. So I used the setenforce command to change SELINUX=permissive and after that I did touch /.autorelabel. When it rebooted, the output said that it needed some time to relabel, but after a few minutes I received a relabel error :-(

If I remove the test files that I created, will I solve the problem?

Thank you for your patience
Tiago Santos

Post by TrevorH » 2017/09/19 21:28:55

You can't use setenforce in this instance as that gets reset on reboot. You need to either edit /etc/sysconfig/selinux and change the line in that from enforcing to permissive or you can interrupt the boot at the grub menu and edit the kernel parameters there and append a space followed by enforcing=0 to the end of it. So have another go at that and see if it works this time.
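
Added example, not part of the thread and not the posters' code: the persistent mode change described in the two replies above, as opposed to setenforce, which only changes the running mode. The function names are hypothetical, and the demo runs on a constructed copy of the config layout, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example: read and set the SELinux mode that applies at the next boot.

# boot_mode FILE: print the SELINUX= value from a config file.
boot_mode() {
    sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# set_boot_mode FILE MODE: rewrite the SELINUX= line in place.
set_boot_mode() {
    file=$1 mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    # /etc/sysconfig/selinux is a symlink to /etc/selinux/config on CentOS 7
    # (the vim swap-file path quoted in the thread shows this). Resolve it
    # first so the edit lands in the real file and the link is not replaced.
    target=$(readlink -f "$file") || return 1
    grep -q '^SELINUX=' "$target" || { echo "no SELINUX= line in $target" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Write back with cat, not mv: cat keeps the inode, owner and SELinux label.
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$target" > "$tmp" && cat "$tmp" > "$target"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed copy of the layout.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/selinux" "$d/sysconfig"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$d/selinux/config"
    ln -s ../selinux/config "$d/sysconfig/selinux"
    set_boot_mode "$d/sysconfig/selinux" permissive || return 1
    # Report the new mode and whether the symlink survived the edit.
    [ -L "$d/sysconfig/selinux" ] && link=kept || link=replaced
    echo "$(boot_mode "$d/selinux/config") symlink-$link"
    rm -rf "$d"
}
demo
```

On a real system the call would be set_boot_mode /etc/sysconfig/selinux permissive as root, followed by the thread's touch /.autorelabel and a reboot, then the same call with enforcing once the relabel has finished.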

Post by tsantos » 2017/09/21 21:21:17

Hi,
At the moment I have created another problem; maybe I don't know how to edit selinux. I used vim /etc/systemconfig/selinux. What should I do, recover or delete?

"
E325: ATTENTION
Found a swap file by the name "/etc/selinux/.config.swp"
owned by: root dated: Mon Sep 18 22:43:44 2017
file name: /etc/sysconfig/selinux
modified: YES
user name: root host name: localhost.localdomain
process ID: 4184
While opening file "/etc/sysconfig/selinux"
dated: Wed Sep 20 22:50:25 2017
NEWER than swap file!

(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r /etc/sysconfig/selinux"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "/etc/selinux/.config.swp"
to avoid this message.

Swap file "/etc/selinux/.config.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (D)elete it, (Q)uit, (A)bort:

"
Thanks a million
Tiago Santos

Post by TrevorH » 2017/09/21 23:35:11

Is there a process id 4184 running? Have you got the file open for edit in a different session? If neither then you can probably safely run vim -r /etc/sysconfig/selinux to recover your previous edit and then delete the .swp file.

Post by tsantos » 2017/09/23 19:11:01

Hi,
At the moment I can see the SELINUX setting; I recovered and afterwards I deleted the .swp (I think it is fixed).

->Problem with relabel:
What am I doing wrong?
I tried to do what you recommended, but I am failing some step, or I created a new issue.
So I will explain what I'm doing: 1- Boot with the first option, I'm not using the rescue; 2- log in with the root user; 3- change SELINUX=permissive "vim /etc/sysconfig/selinux, to save I use :wq!"; 4- touch /.autorelabel; 5- reboot; 6- "wait for relabel" appears; after a few minutes I received an error, in the attachment :-(
Attachment: SELinux, relabel error (Screenshot_20170923-191859.jpg)

Post by TrevorH » 2017/09/23 20:21:20

Well the relabel finished without error. What does it do if you reboot it normally?

Post by tsantos » 2017/09/23 21:21:27

My user continues in the login loop. In the SELinux alert I can read the same information that I posted before. I did all actions in GNOME Classic.

Post by TrevorH » 2017/09/23 21:33:28

Can you login in permissive mode and run aureport -a then look at that output and find the line(s) that look like they are from the most recent occurrence of the problem. In each of those lines, look at the right hand end of the line and there'll be a number. Take that number and feed it into ausearch -a nnnn where nnnn is the number you first thought of. Post the output from the ausearch(es) here.
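
Added example, not part of the thread: the aureport/ausearch step above produces raw AVC records like the one quoted in the first post, and this shell function reduces each record to event id, command, source type, target type, class, permissions and object name. parse_avc and denials_on_type are hypothetical names; the first sample record is the one from the thread and the second is constructed for contrast.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from raw audit records.

# Sample input: record 1 is the denial quoted in the first post,
# record 2 is constructed here.
SAMPLE_AUDIT='type=AVC msg=audit(1503080540.100:167): avc: denied { create } for pid=2799 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1503080541.200:168): avc: denied { read } for pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# parse_avc: raw audit records on stdin -> one line per denial:
#   event_id comm source_type target_type tclass perms name
parse_avc() {
    awk '
    /type=AVC/ && /denied/ {
        id = comm = name = st = tt = cls = perms = "-"
        # Permissions are the words between "{ " and " }".
        b = index($0, "{ "); e = index($0, " }")
        if (b && e > b) { perms = substr($0, b + 2, e - b - 2); gsub(/ /, ",", perms) }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (!eq) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "msg") {
                # msg=audit(TIMESTAMP:ID): the ID is what "ausearch -a" takes
                gsub(/[^0-9.:]/, "", val); split(val, p, ":"); id = p[2]
            } else if (key == "comm")   comm = val
            else if (key == "name")     name = val
            else if (key == "tclass")   cls = val
            else if (key == "scontext") { split(val, c, ":"); st = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tt = c[3] }
        }
        print id, comm, st, tt, cls, perms, name
    }'
}

# denials_on_type TYPE: keep only denials whose target type is TYPE, e.g.
# admin_home_t (the label of /root content) turning up where a non-admin
# domain such as xdm_t is working, the mislabel suspected in the thread.
denials_on_type() {
    parse_avc | awk -v want="$1" '$4 == want'
}

printf '%s\n' "$SAMPLE_AUDIT" | parse_avc
```

On a live system the input would come from the command already shown in the alert, ausearch -c 'gdm-session-wor' --raw, piped into parse_avc.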
