The trouble with the instructions:

# ausearch -c 'sddm-helper' --raw | audit2allow -M my-sddmhelper # semodule -X 
300 -i my-sddmhelper.pp

is the 1st time it can fail on file 'open'.  When you do the above and
'open' is allowed but then get shot down when your program tries
to 'write', 'relabelfrom', 'setattr', 'relabelto', or 'create'.   Do this first:
setenforce 0
Do the activity that triggers the AVC, then:
setenforce 1

# ausearch -c 'sddm-helper' --raw | audit2allow -M my-sddmhelper # semodule -X 
300 -i my-sddmhelper.pp

This will allow all the activities that the program needs.

Bill

On 9/20/2017 11:56 AM, Bob Jackson wrote:
Have a Fedora 26 laptop which I update on a weekly basis by sudo from my 
regular account.  After applying a batch of updates, including a new kernel, I 
rebooted.  At the login screen I entered my standard login credentials but 
Plasma did not launch and it dropped back to the login screen.

I tried an alternate account.  It worked.

Switched to VT2 and logged in with standard credentials.  While doing so, the terminal 
reported, "Failed to connect to X server".

 From that terminal ran:

startx /usr/bin/startkde

which brought up my standard KDE environment.  I worked this way for a couple 
of days trying to find clues in logs and discussion groups.  Did find a recent 
thread on fedoraforum.org that described my situation exactly, but had no 
solution.

https://forums.fedoraforum.org/showthread.php?p=1794119

Finally, while my workaround session was open, I went back to VT1 and tried 
another login from SDDM.  It failed, but back in my working session I had an 
SELinux alert, which told me:

SELinux is preventing sddm-helper from write access on the file .Xauthority.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sddm-helper should be allowed write access on the 
.Xauthority file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sddm-helper' --raw | audit2allow -M my-sddmhelper
# semodule -X 300 -i my-sddmhelper.pp

I applied the recommended fixes and tried again.  Failed but received another 
alert:

SELinux is preventing sddm-helper from open access on the file 
/home/xxxx/.Xauthority.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/home/xxxx/.Xauthority default label should be xauth_home_t.
Then you can run restorecon. The access attempt may have been stopped due to 
insufficient permissions to access a parent directory in which case try to 
change the following command accordingly.
Do
# /sbin/restorecon -v /home/xxxx/.Xauthority

Applied this fix and tried again ... with success.

With the benefit of hindsight, does anyone have thoughts on why this might have 
happened, what these SELinux fixes (particularly the first two) did and whether 
this is a permanent resolution?

    Thanks,
       -- Bob
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org

Reply via email to