Black screen after logging in

[ilchub]

Black screen with blinking underscope after logging in on Fedora 32(both proprietary and open-source NVidia driver)

[itafraze]

I observed the same behaviour after a fresh install of Fedora 32, regardless of the desktop environment (tried with i3wm, bspwm, xfce, gnome). SELinux reports

SELinux is preventing ly from using the transition access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ly should be allowed transition access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ly' --raw | audit2allow -M my-ly
# semodule -X 300 -i my-ly.pp

Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        ly
Source Path                   ly
Port                          <Unknown>
Host                          localhost-live.lan
Source RPM Packages           
Target RPM Packages           bash-5.0.17-1.fc32.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.5-41.fc32.noarch
Local Policy RPM              selinux-policy-targeted-3.14.5-41.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost-live.lan
Platform                      Linux localhost-live.lan 5.7.7-200.fc32.x86_64 #1
                              SMP Wed Jul 1 19:53:01 UTC 2020 x86_64 x86_64
Alert Count                   15
First Seen                    2020-07-10 12:49:30 CEST
Last Seen                     2020-07-10 13:04:23 CEST
Local ID                      4e326103-22a2-4627-8e4a-618a865e9391

Raw Audit Messages
type=AVC msg=audit(1594379063.892:204): avc:  denied  { transition } for  pid=1105 comm="ly" path="/usr/bin/bash" dev="dm-0" ino=1179948 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0


Hash: ly,unconfined_service_t,unconfined_t,process,transition

[dhalucario]

I found the error and used audit2allow and sepolicy to generate a policy for ly to be useable with SELinux. Maybe we can add a step to the Makefile to generate and install the SELinux policies? Or go further and add a spec file so we can build rpms of ly on the Fedora Copr buildsystem.

Here the policy I generated. You need to run the ly.sh as root to install it.
ly.tar.gz

[dhalucario]

Here is a first WIP for the spec file. We would need to add the .te file from above to the repo so I can actually write a make entry that compiles the module.

Name:       ly
Version:    0.5
Release:    2
Summary:    A TUI display manager
License:    WTFPL
BuildRequires: libxcb-devel
BuildRequires: pam-devel
Requires: libxcb
Requires: pam

%description
Ly is a lightweight TUI (ncurses-like) display manager for Linux and BSD.

%prep
rm -rf $RPM_BUILD_DIR/ly
rm -rf $RPM_BUILD_DIR/src
git clone https://github.com/nullgemm/ly.git src
cd $RPM_BUILD_DIR/src
make github

%build
cd src
make

%install
cd src
mkdir -p %{buildroot}/etc/
mkdir -p %{buildroot}/usr/bin/
mkdir -p %{buildroot}/usr/lib/systemd/system/
mkdir -p %{buildroot}/etc/pam.d/
DESTDIR="%{buildroot}" make install

%files
/usr/bin/ly
/usr/lib/systemd/system/ly.service
/etc/ly/lang/es.ini
/etc/ly/lang/pt.ini
/etc/ly/lang/ru.ini
/etc/ly/lang/en.ini
/etc/ly/lang/fr.ini
/etc/ly/lang/ro.ini
/etc/ly/xsetup.sh
/etc/ly/wsetup.sh
/etc/ly/config.ini
/etc/pam.d/ly

%changelog

[dhalucario]

I made a WIP Copr for ly
https://copr.fedorainfracloud.org/coprs/dhalucario/ly/

[dhalucario]

The WIP seems to work now properly.
You still need to enable the service and disable getty@tty2 by hand (and make sure that your systemd target is set to graphical sudo systemctl set-default graphical.target). Then it should work just fine.

[chaibronz]

The WIP seems to work now properly.
You still need to enable the service and disable getty@tty2 by hand (and make sure that your systemd target is set to graphical sudo systemctl set-default graphical.target). Then it should work just fine.

thanks for putting this together @dhalucario ! i was able to login with ly using your COPR build, however i had some other issues creep up: 1) being prompted for a password when starting firefox, 2) not being able to 'reboot' without sudo, and 3) not being able to launch dmenu on one of my wms. when I removed your build of ly everything went back to normal. is there anything in your ly policy, or any other packaged files, that would cause these changes? thanks

[dhalucario]

The WIP seems to work now properly.
You still need to enable the service and disable getty@tty2 by hand (and make sure that your systemd target is set to graphical sudo systemctl set-default graphical.target). Then it should work just fine.

thanks for putting this together @dhalucario ! i was able to login with ly using your COPR build, however i had some other issues creep up: 1) being prompted for a password when starting firefox, 2) not being able to 'reboot' without sudo, and 3) not being able to launch dmenu on one of my wms. when I removed your build of ly everything went back to normal. is there anything in your ly policy, or any other packaged files, that would cause these changes? thanks

I know that the display manager usually does a lot of initialization when it comes to permissions for specific tasks which I haven't completely figured out myself. I use awesome WM and I can use Firefox just fine. Maybe you could tell us more about your system so we can try to debug stuff.

1. How did you install Fedora? Did you use Fedora Workstation or Fedora Everything?
2. Also which desktop environment are you using?

I remember some DE's wanting the password for Firefox because its trying to access the keychain.

[dhalucario]

#310 I created a pull request for the files. It would be cool if we could add this to the repo.

[dhalucario]

@nullgemm

[nullgemm]

This is awesome @dhalucario, let's discuss it on the PR thread: #310

[KouranliKe]

I tried using the copr repo in Fedora 36 (KDE) and it didn't even want to download the package. Also, the selinux permission script provided above returns an error message (I am not in my computer rn but when I get home I'll qoute it). How can I give Ly a selinux permission manually? I am dying to use it as my display manager over sddm.

[AnErrupTion]

This issue is now tracked on #494.