Bugzilla – Full Text Bug Listing
| Summary: | Gnome desktop: Cannot enable auto login for user via settings | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Wolfram Fischer <wolfram.fischer1979+opensuse> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | felix.sieges, rbrown, stephan |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
Wolfram Fischer
2023-06-24 08:11:42 UTC
## Issue Description
I have the same issue; the steps to reproduce are the same as in the original bug report. I have investigated the issue a bit further.
## Possible root cause
When the slider to toggle the auto login is activated, the following line is written in `/var/log/audit.log`:
```
> sudo ausearch -m AVC -ts recent
----
time->Sat Jul 15 12:50:20 2023
type=AVC msg=audit(1689418220.429:134): avc: denied { write } for pid=916 comm="accounts-daemon" name="sysconfig" dev="overlay" ino=20523 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```
That indicates that the accounts-daemon attempts a write operation in the `/etc` directory, but the operation is denied by SELinux.
audit2allow gives the following information.
```
type=AVC msg=audit(1689361409.674:276): avc: denied { write } for pid=941 comm=accounts-daemon name=sysconfig dev=overlay ino=282 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
```
## Proposed fix
This could be fixed by enabling the following SELinux rule:
```
#============= accountsd_t ==============
allow accountsd_t etc_t:dir write;
```
However, this policy could potentially be more restrictive, and I'd propose that it should be investigated further by someone with more knowledge about MicroOS and SELinux.
I have investigated the issue a bit further. The accounts-daemon (which is labeled with `accountsd_t`) tries to write to the file "/etc/sysconfig/displaymanager":
```
> ls -Z /etc/sysconfig/displaymanager
system_u:object_r:etc_t:s0 /etc/sysconfig/displaymanager
```
This file is labeled with `etc_t`, which the `accountsd_t` class is not allowed access to, see: https://manpages.opensuse.org/Tumbleweed/selinux-policy-devel/accountsd_selinux.8.en.html
In order for accountsd to be able to write to "/etc/sysconfig/displaymanager" it needs to be allowed to write to "/etc/sysconfig/" and "/etc/sysconfig/displaymanager". For example, and to test it, changing the label of "/etc/sysconfig/" to "xdm_etc_t", because accountsd_t is allowed the "write" operation to files labeled with this class, leads to the following message:
```
> sudo ausearch -m "AVC" -ts recent
time->Sat Jul 15 13:35:11 2023
type=AVC msg=audit(1689420911.338:243): avc: denied { unlink } for pid=951 comm="accounts-daemon" name="displaymanager" dev="overlay" ino=33811 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
```
which indicates that it needs to write to the file "/etc/sysconfig/displaymanager".

Not a MicroOS specific issue - this is broken on Tumbleweed also, and needs a general SELinux policy fix.

*** Bug 1213794 has been marked as a duplicate of this bug. ***
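To triage denials like the two quoted in this report without reaching for audit2allow, the following added example (not part of the bug report or of the openSUSE policy) parses the AVC lines, merges them into the TE allow rules audit2allow would print, and flags a rule whose target is a catch-all type such as `etc_t`, since that is the reporter's point that the rule "could potentially be more restrictive". The `CATCH_ALL_TYPES` set is my heuristic assumption.

```python
import re
from collections import namedtuple

# Sample input: the two AVC denials quoted in this bug report (newline-separated).
SAMPLE_AVCS = """\
type=AVC msg=audit(1689418220.429:134): avc: denied { write } for pid=916 comm="accounts-daemon" name="sysconfig" dev="overlay" ino=20523 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1689420911.338:243): avc: denied { unlink } for pid=951 comm="accounts-daemon" name="displaymanager" dev="overlay" ino=33811 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (my assumption, not stated in the report): a target type labelling nearly all of
# /etc, such as etc_t, makes an allow rule far wider than the one file the daemon needs.
CATCH_ALL_TYPES = {"etc_t"}

# source domain (accountsd_t), target type (etc_t), object class (dir/file), denied permissions
Denial = namedtuple("Denial", "source_type target_type tclass perms")

def _type_of(context):
    return context.split(":")[2]   # user:role:type[:range] -> type is always the third field

def parse_avcs(text):
    """Extract a Denial from every 'avc: denied' line; other lines are ignored."""
    return [Denial(_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"],
                   frozenset(m["perms"].split())) for m in AVC_RE.finditer(text)]

def _merge(denials):
    """Collapse denials to {(source, target, class): all denied perms}, as audit2allow does."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return merged

def _format(src, tgt, cls, perms):
    p = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {src} {tgt}:{cls} {p};"

def te_rules(denials):
    """The TE allow rules audit2allow would print for these denials."""
    return [_format(*k, p) for k, p in sorted(_merge(denials).items())]

def review_rules(denials):
    """Map each rule to a verdict so a reviewer sees which ones widen policy beyond one file."""
    return {_format(*k, p): ("too broad: relabel the target file instead" if k[1] in CATCH_ALL_TYPES else "ok")
            for k, p in sorted(_merge(denials).items())}
```

Running `review_rules(parse_avcs(SAMPLE_AVCS))` on the report's two denials marks both generated rules as too broad, matching the reporter's suggestion to look at the label of the single file rather than open all of `etc_t`.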