Issue Summary
During gnome-initial-setup (Gnome 49/50), critical SELinux denials prevent the successful creation of the initial user and session setup. Multiple services are denied IPC access to GDM's userdb socket, and incorrect labeling of /var/home blocks useradd and gdm-session-worker.
Detailed Analysis of Audit Logs
Analysis of ausearch -m AVC,USER_AVC reveals:
- GDM UserDB IPC Denials:
  - Multiple domains are denied connectto on the unix_stream_socket /run/systemd/userdb/org.gnome.DisplayManager, which is labelled xdm_t. Any process that resolves users through nss-systemd connects to every socket registered under /run/systemd/userdb/, so services with no direct relationship to GDM hit this socket during ordinary user lookups.
  - Affected domains: useradd_t, policykit_t, policykit_auth_t, NetworkManager_t, colord_t, and systemd_tmpfiles_t.
  - Sample denial:
    avc: denied { connectto } for pid=2621 comm="useradd" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
- Home Directory Labeling Inconsistency:
  - /var/home and its sub-items are being assigned default_t or unlabeled_t (the types SELinux gives to paths that match no file-context rule, or to objects that were never labeled), so no useradd_t rules apply to them.
  - useradd is denied create, add_name, setattr, and read on directories and skeleton files like .bash_logout.
  - Sample denial:
    avc: denied { create } for pid=2621 comm="useradd" name="james" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
- GDM Session Worker:
  - gdm-session-worker (xdm_t) is denied create and add_name for .cache within the new user's home, due to the same labeling issue.
- Boot/EFI Denials:
  - systemd-logind is denied getattr and search on /boot/efi (unlabeled_t).
Proposed Policy Fix
I have generated a draft policy module (tunaos_gnome_fix.te) to allow these interactions.
Wait! The root cause for some of these is likely missing file context definitions for the /var/home tree in TunaOS.
Recommended Actions
- Update File Contexts: ensure /var/home is handled like /home in the policy (e.g., semanage fcontext -a -e /home /var/home), then relabel the existing tree with restorecon -RFv /var/home. Check the result with matchpathcon /var/home (expected: home_root_t) and ls -Zd on the new user's home directory (expected: user_home_dir_t). The denials against default_t and unlabeled_t disappear once the labels are right and should not be turned into allow rules.
- Apply Policy Module: integrate the necessary IPC permissions (connectto on unix_stream_socket) between the mentioned domains and xdm_t. Only denials whose tcontext is a real type such as xdm_t belong in the module.
Created automatically by TunaOS Gemini CLI.
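As an added example, not code from this issue, TunaOS or GDM, the script below implements the distinction the report draws between the two kinds of denial: it parses ausearch -m AVC lines, reports denials whose target is default_t or unlabeled_t as labelling work (file contexts plus restorecon), and turns the remaining denials between properly labelled types into audit2allow-style allow rules for the policy module. SAMPLE_LOG is constructed from the two denials quoted above plus lines modelled on the others the report describes; pids, timestamps, inode numbers and the split of type= records are made up.

```python
"""Triage SELinux AVC denials: labelling problem or policy gap?

Added example, not code from the issue, TunaOS or GDM. Denials whose target
carries default_t or unlabeled_t are reported as relabel work; the rest are
turned into audit2allow-style allow rules.
"""
import re
import sys
from collections import defaultdict

# One AVC record as printed by `ausearch -m AVC`. Real lines carry an
# audit(...) prefix, doubled spaces and extra fields (dev=, ino=, permissive=);
# the regexes tolerate all of that.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# default_t: the path matched no file-context rule. unlabeled_t: the object
# never got a label. Either one means "fix the labelling", not "add a rule".
MISLABELLED_TYPES = {"default_t", "unlabeled_t"}

# Constructed sample: the two denials quoted in the issue plus lines modelled
# on the others it describes. pids, timestamps and inode numbers are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { connectto } for  pid=2621 comm="useradd" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { connectto } for  pid=901 comm="polkitd" path="/run/systemd/userdb/org.gnome.DisplayManager" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { create } for  pid=2621 comm="useradd" name="james" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:204): avc:  denied  { add_name } for  pid=2621 comm="useradd" name="james" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:205): avc:  denied  { setattr } for  pid=2621 comm="useradd" name="james" dev="dm-0" ino=1234 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.105:206): avc:  denied  { read } for  pid=2621 comm="useradd" name=".bash_logout" scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.110:207): avc:  denied  { create } for  pid=2700 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.120:208): avc:  denied  { getattr } for  pid=880 comm="systemd-logind" path="/boot/efi" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.120:208): arch=c000003e syscall=262 success=no exit=-13
"""


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """'system_u:system_r:xdm_t:s0-s0:c0.c1023' -> 'xdm_t' (the type is field 3)."""
    return context.split(":")[2]


def triage(log):
    """Split denials into policy gaps and labelling problems.

    Both results are keyed by (source type, target type, object class).
    policy[key]  -> set of permissions that an allow rule would need
    relabel[key] -> {"perms": set, "objects": set of paths/names seen}
    """
    policy = defaultdict(set)
    relabel = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        if key[1] in MISLABELLED_TYPES:
            entry = relabel.setdefault(key, {"perms": set(), "objects": set()})
            entry["perms"].update(rec["perms"])
            entry["objects"].add(rec.get("path") or rec.get("name", "?"))
        else:
            policy[key].update(rec["perms"])
    return dict(policy), relabel


def allow_rules(policy):
    """audit2allow-style rules for the denials that really are policy gaps."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(policy.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def relabel_report(relabel):
    """One line per mislabelled target; these need fcontext + restorecon."""
    lines = []
    for (stype, ttype, tclass), entry in sorted(relabel.items()):
        perms = " ".join(sorted(entry["perms"]))
        objects = ", ".join(sorted(entry["objects"]))
        lines.append(f"{stype} denied {{ {perms} }} on {tclass} {objects} (labelled {ttype}): relabel, do not allow")
    return lines


if __name__ == "__main__":
    # Pipe `ausearch -m AVC` output in, or run with no stdin to use the sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    policy, relabel = triage(log)
    print("# candidate allow rules for the policy module")
    print("\n".join(allow_rules(policy)))
    print("# labelling problems (fix file contexts, then restorecon)")
    print("\n".join(relabel_report(relabel)))
```

On the sample, the only rules that come out are the two connectto rules against xdm_t, which are the candidates for tunaos_gnome_fix.te; the useradd, gdm-session-worker and systemd-logind denials all land in the relabel report because their tcontext is default_t or unlabeled_t, and should vanish after the fcontext equivalence and a restorecon rather than being allowed.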