Fedora 39 wayland selinux

Wayland works if selinux disabled, but fails to x11 if enabled.
Four laptops a mix of dell and lenovo all up to date with 39
and all have same problem.

Are you trying to run with selinux disabled? Why?

I always run with selinux enabled, but laptop always goes to x11.
If I test with selinux disabled all laptops go to wayland just fine.

stan paules via Fedora Discussion
notifications@fedoraproject.discoursemail.com writes:

I always run with selinux enabled, but laptop always goes to x11.
If I test with selinux disabled all laptops go to wayland just fine.

Does it work in permissive mode - sudo setenforce 0?

Please take a look for AVC denial messages:

sudo ausearch -m avc -ts recent

I’m on a Lenovo P1 with KDE Plasma Workspace on Wayland and everything works as expected.

$ set | grep wayland
MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/session.slice/plasma-kwin_wayland.service/memory.pressure
WAYLAND_DISPLAY=wayland-0
XDG_SESSION_TYPE=wayland

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Yes, all four laptops run wayland just fine in permissive mode.
I have spent several days going through SELinux troubleshooting
procedures to no avail: the AVCs, audit2allow, etc.

As a guess I somehow think that PAM and pam_selinux.so is
involved.

The ausearch does return a bunch, but none seem related to the problem.

In general, the usual fix for this type of problem is to relabel the SELinux context on the whole system:
sudo fixfiles onboot, or sudo touch /.autorelabel, then reboot and wait while the file system is relabeled before the boot completes.
Once it has completed you should be able to set SELinux to enforcing and reboot.

The usual cause is that selinux may have been disabled at some point (not just permissive) while performing admin tasks so any new files installed/created were not labeled with selinux context and thus selinux prevents the apps that use those files from accessing them.

In most cases selinux should NEVER be disabled, but at best only switched to permissive mode. Permissive mode still does the proper labeling even if it is not enforcing the policies.

Done all as requested. Still same problem. Wayland works when in
permissive mode, but when enforcing x11 only.

What’s your GPU?

When booting in enforcing mode, what session options do you see in GDM? Just GNOME and GNOME Classic? or is there also a ‘GNOME on Xorg’ option?

You did reboot after touch /.autorelabel or not?

When booting in enforcing I only see the two options and take the default.
When booting in permissive I see all four options and take the default.

Yes, several times.

Since Wayland works in permissive mode, it is definitely SELinux blocking you somewhere.

What steps did you take trouble shooting to get your AVC’s?

I followed the red hat document and tried several audit2allow, but
my skill set is not good enough to say yes this is blocking wayland.

I’d follow these steps:

  1. enable full auditing:
     sudo auditctl -D
     sudo auditctl -w /etc/shadow -p wa
  2. disable dontaudit rules:
     sudo semodule -DB
  3. store time somewhere:
     $ date
     Fri Jan 26 15:37:46 CET 2024
  4. start wayland session in permissive mode
  5. collect avc denials:
     sudo ausearch -i -m avc -ts 15:37:46
  6. report a bug on selinux-policy package and provide collected information

If you're not getting any AVCs, I would suggest @plautrba’s steps.

Also, systemd itself enforces SELinux. So it will block the request, and it will not show up in ausearch, but it is displayed in journalctl.

The journal would display it as: selinux: avc: denied

Feb 19 00:59:54 fedora systemd[1527]: selinux: avc:  denied  { status } for auid=60155 uid=60155 gid=60155 path="/run/user/60155/systemd/transient/app-gnome-firefox-2877.scope" cmdline="/usr/libexec/cgroupify app-gnome-firefox-2877.scope" function="reply_unit_path" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=service permissive=1

journalctl -b | grep avc

Try these methods and post your results.

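An added example, not code from the thread or from Fedora: a small parser for the AVC lines that `journalctl -b` prints, handling both the kernel/auditd format and the `selinux: avc: denied` lines that systemd emits for its own access checks (which, as noted above, never reach ausearch). It also applies the "note the time, then collect everything from that point" step and groups what it finds by source type, target type, class and permission, which is the shape a selinux-policy bug report needs. The sample lines are copied from this thread; the one non-AVC `Started gdm.service` line is constructed to show that unrelated journal lines are skipped.

```python
# Added example (not from the thread): parse SELinux AVC denials out of journalctl output.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumption: lines carry the short syslog timestamp "Mon DD HH:MM:SS" (journalctl omits the year).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
# Matches both "AVC avc:  denied  { read } for ..." (kernel) and "selinux: avc:  denied  { status } for ..." (systemd).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    when: datetime            # year is meaningless (journal omits it); only ordering is used
    source: str               # "kernel" (auditd/kernel line) or "systemd" (systemd's own check)
    perms: Tuple[str, ...]    # e.g. ("net_admin",) or ("read",)
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool          # True: access was only logged (permissive=1), not blocked
    comm: Optional[str]


def _context_type(ctx: str) -> str:
    """system_u:system_r:init_t:s0 -> init_t (the type is what policy rules are written against)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc_line(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC line, or None for any other journal line."""
    ts, avc = TS_RE.match(line), AVC_RE.search(line)
    if not ts or not avc:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(avc.group("fields"))}
    return Denial(
        when=datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S"),
        source="systemd" if "selinux: avc:" in line else "kernel",
        perms=tuple(avc.group("perms").split()),
        scontext=fields.get("scontext", ""),
        tcontext=fields.get("tcontext", ""),
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
        comm=fields.get("comm"),
    )


def parse_journal(text: str, since: Optional[str] = None) -> List[Denial]:
    """Parse all AVC lines; `since` is a journal-style stamp such as 'Jan 26 08:36:00',
    the equivalent of noting the time before reproducing and then using ausearch -ts."""
    cutoff = datetime.strptime(since, "%b %d %H:%M:%S") if since else None
    out: List[Denial] = []
    for line in text.splitlines():
        d = parse_avc_line(line)
        if d and (cutoff is None or d.when >= cutoff):
            out.append(d)
    return out


def enforced(denials: List[Denial]) -> List[Denial]:
    """Only the denials that actually blocked an access (permissive=0)."""
    return [d for d in denials if not d.permissive]


def summarize(denials: List[Denial]) -> Counter:
    """Count by (source type, target type, class, permissions)."""
    return Counter(
        (_context_type(d.scontext), _context_type(d.tcontext), d.tclass, " ".join(d.perms))
        for d in denials
    )


def format_report(summary: Counter) -> List[str]:
    """One line per distinct denial, most frequent first, ready to paste into a bug report."""
    return [f"{n}x {src} -> {tgt} ({cls}): {perms}"
            for (src, tgt, cls, perms), n in summary.most_common()]


# Constructed sample: AVC lines copied from this thread plus one constructed non-AVC line.
SAMPLE = """\
Jan 26 08:35:57 melody51 kernel: audit: type=1400 audit(1706283357.339:7): avc:  denied  { sys_admin } for  pid=583 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 kernel: audit: type=1400 audit(1706283357.651:8): avc:  denied  { net_admin } for  pid=618 comm="systemd-modules" capability=12  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 audit[618]: AVC avc:  denied  { net_admin } for  pid=618 comm="systemd-modules" capability=12  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 audit[640]: AVC avc:  denied  { net_admin } for  pid=640 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
Jan 26 08:36:05 melody51 systemd[1]: Started gdm.service - GNOME Display Manager.
Jan 26 08:36:06 melody51 audit[1278]: AVC avc:  denied  { read } for  pid=1278 comm="(systemd)" name="shadow" dev="nvme0n1p7" ino=264412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Jan 26 08:36:06 melody51 audit[1278]: AVC avc:  denied  { siginh } for  pid=1278 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Feb 19 00:59:54 fedora systemd[1527]: selinux: avc:  denied  { status } for auid=60155 uid=60155 gid=60155 path="/run/user/60155/systemd/transient/app-gnome-firefox-2877.scope" cmdline="/usr/libexec/cgroupify app-gnome-firefox-2877.scope" function="reply_unit_path" scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_tmp_t:s0 tclass=service permissive=1
"""

if __name__ == "__main__":
    for line in format_report(summarize(enforced(parse_journal(SAMPLE)))):
        print(line)
```

In practice you would feed it `journalctl -b` output (`parse_journal(subprocess.run(["journalctl", "-b"], capture_output=True, text=True).stdout, since="Jan 26 08:36:00")`) after noting the time and switching to permissive mode; the `enforced()` filter is what separates the denials that really block the session from ones that were merely logged.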

Done as specified. Just need to learn how to file a bug report.

Please learn to copy and paste text using the </> button so we can see and read everything you have on your screen.

– Images are not searchable.
– if text needs quoted it cannot be done from the image
– images truncate text so we do not necessarily see all that may be displayed, especially to the right side of the screen.
– you needed 2 images to show what could have been shown with one copy&paste of text.
– there is a gap between the times 08:36:06 and 08:36:08 that may or may not have contained additional data.


Unfortunately these are screen shots. It is hard to get anything out of that. If you copy-paste the text instead, it would be much easier to digest. Put a line with ``` before and after the copy-pasted text, and it would be perfect.

root@melody51:/home/stan# journalctl -b | grep -iE "avc" | grep -iE "systemd"
Jan 26 08:35:57 melody51 kernel: audit: type=1400 audit(1706283357.339:7): avc:  denied  { sys_admin } for  pid=583 comm="systemd-gpt-aut" capability=21  scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 kernel: audit: type=1400 audit(1706283357.651:8): avc:  denied  { net_admin } for  pid=618 comm="systemd-modules" capability=12  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 audit[618]: AVC avc:  denied  { net_admin } for  pid=618 comm="systemd-modules" capability=12  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 audit[640]: AVC avc:  denied  { net_admin } for  pid=640 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
Jan 26 08:35:57 melody51 audit[648]: AVC avc:  denied  { net_admin } for  pid=648 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
Jan 26 08:35:58 melody51 audit[790]: AVC avc:  denied  { net_admin } for  pid=790 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
Jan 26 08:36:06 melody51 audit[1267]: AVC avc:  denied  { net_admin } for  pid=1267 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jan 26 08:36:06 melody51 audit[1267]: AVC avc:  denied  { net_admin } for  pid=1267 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jan 26 08:36:06 melody51 audit[1278]: AVC avc:  denied  { read } for  pid=1278 comm="(systemd)" name="shadow" dev="nvme0n1p7" ino=264412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Jan 26 08:36:06 melody51 audit[1278]: AVC avc:  denied  { read } for  pid=1278 comm="(systemd)" name="shadow" dev="nvme0n1p7" ino=264412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Jan 26 08:36:06 melody51 audit[1278]: AVC avc:  denied  { siginh } for  pid=1278 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Jan 26 08:36:08 melody51 audit[1463]: AVC avc:  denied  { noatsecure } for  pid=1463 comm="kworker/u16:1" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=process permissive=0
Jan 26 08:36:08 melody51 audit[1463]: AVC avc:  denied  { rlimitinh } for  pid=1463 comm="systemd-coredum" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=process permissive=0
Jan 26 08:36:08 melody51 audit[1463]: AVC avc:  denied  { siginh } for  pid=1463 comm="systemd-coredum" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=process permissive=0
Jan 26 08:36:29 melody51 audit[2391]: AVC avc:  denied  { net_admin } for  pid=2391 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jan 26 08:36:29 melody51 audit[2391]: AVC avc:  denied  { net_admin } for  pid=2391 comm="systemd-user-ru" capability=12  scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=capability permissive=0
Jan 26 08:36:29 melody51 audit[2396]: AVC avc:  denied  { read } for  pid=2396 comm="(systemd)" name="shadow" dev="nvme0n1p7" ino=264412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Jan 26 08:36:30 melody51 audit[2396]: AVC avc:  denied  { read } for  pid=2396 comm="(systemd)" name="shadow" dev="nvme0n1p7" ino=264412 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Jan 26 08:36:30 melody51 audit[2396]: AVC avc:  denied  { siginh } for  pid=2396 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Jan 26 08:50:55 melody51 audit[4303]: AVC avc:  denied  { net_admin } for  pid=4303 comm="systemd-tmpfile" capability=12  scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=0
root@melody51:/home/stan# 
