Leap 16 Beta - Cockpit Login fails "Permission denied"

In a fresh install of Leap 16 Beta (installed on May 1st, updated today) I couldn’t log in to the cockpit web console. I tried to log in with the regular user and it said “Permission denied”.

journalctl system log
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Dynamic user for /run/cockpit/wsinstance/ sockets...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Started Timeline of Snapper Snapshots.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Finished Dynamic user for /run/cockpit/wsinstance/ sockets.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Socket for Cockpit Web Service http instance...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Socket for Cockpit Web Service https instance factory...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Listening on Socket for Cockpit Web Service http instance.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Listening on Socket for Cockpit Web Service https instance factory.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Cockpit Web Service...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting DBus interface for snapper...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Started DBus interface for snapper.
Mai 04 18:00:01 linux.fritz.box systemd[1]: snapper-timeline.service: Deactivated successfully.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Started Cockpit Web Service.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Dynamic user for /run/cockpit/session socket...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Finished Dynamic user for /run/cockpit/session socket.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Starting Initiator socket for Cockpit sessions...
Mai 04 18:00:01 linux.fritz.box systemd[1]: Listening on Initiator socket for Cockpit sessions.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Started Cockpit Web Service http instance.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Created slice Slice /system/cockpit-session.
Mai 04 18:00:01 linux.fritz.box systemd[1]: Started Cockpit session 0/3648/0 (PID 3648/UID 0).
Mai 04 18:00:01 linux.fritz.box systemd[1]: cockpit-session@0-3648-0.service: Deactivated successfully.
Mai 04 18:00:12 linux.fritz.box systemd[1]: Started Cockpit session 1/3648/0 (PID 3648/UID 0).
Mai 04 18:00:12 linux.fritz.box systemd-logind[1166]: New session 4 of user achim.
Mai 04 18:00:12 linux.fritz.box systemd[1]: Started Session 4 of User achim.
Mai 04 18:00:12 linux.fritz.box cockpit-session[3700]: pam_unix(cockpit:session): session opened for user achim(uid=1000) by achim(uid=0)
Mai 04 18:00:12 linux.fritz.box systemd[1]: cockpit-session@1-3648-0.service: Deactivated successfully.
Mai 04 18:00:12 linux.fritz.box systemd-logind[1166]: Session 4 logged out. Waiting for processes to exit.
Mai 04 18:00:12 linux.fritz.box systemd[1]: session-4.scope: Deactivated successfully.
Mai 04 18:00:12 linux.fritz.box systemd-logind[1166]: Removed session 4.
Mai 04 18:00:14 linux.fritz.box systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Mai 04 18:00:14 linux.fritz.box systemd[1]: Started SETroubleshoot daemon for processing new SELinux denial logs.
Mai 04 18:00:14 linux.fritz.box systemd[1]: Created slice Slice /system/dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged.
Mai 04 18:00:14 linux.fritz.box systemd[1]: Started dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged@0.service.
Mai 04 18:00:15 linux.fritz.box setroubleshoot[3728]: SELinux is preventing cockpit-session from using the transition access on a process. For complete SELinux messages run: sealert -l 23531a46-f807-43f8-a50c-4fe1a73e7586
Mai 04 18:00:15 linux.fritz.box setroubleshoot[3728]: SELinux is preventing cockpit-session from using the transition access on a process.
                                                      
                                                      *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************
                                                      
                                                      If you want to allow unconfined to service transition to unconfined user
                                                      Then you must tell SELinux about this by enabling the 'unconfined_service_transition_to_unconfined_user' boolean.
                                                      
                                                      Do
                                                      setsebool -P unconfined_service_transition_to_unconfined_user 1
                                                      
                                                      *****  Plugin catchall (11.6 confidence) suggests   **************************
                                                      
                                                      If you believe that cockpit-session should be allowed transition access on processes labeled unconfined_t by default.
                                                      Then you should report this as a bug.
                                                      You can generate a local policy module to allow this access.
                                                      Do
                                                      allow this access for now by executing:
                                                      # ausearch -c 'cockpit-session' --raw | audit2allow -M my-cockpitsession
                                                      # semodule -X 300 -i my-cockpitsession.pp
                                                      
Mai 04 18:00:25 linux.fritz.box systemd[1]: dbus-:1.2-org.fedoraproject.SetroubleshootPrivileged@0.service: Deactivated successfully.
Mai 04 18:00:26 linux.fritz.box systemd[1]: setroubleshootd.service: Deactivated successfully.
Mai 04 18:00:35 linux.fritz.box sudo[3744]:    achim : TTY=pts/0 ; PWD=/home/achim ; USER=root ; COMMAND=/usr/bin/journalctl --since '2 minutes ago'
Mai 04 18:00:35 linux.fritz.box sudo[3744]: pam_unix(sudo:session): session opened for user root(uid=0) by achim(uid=1000)

SELinux sealert
SELinux is preventing cockpit-session from using the transition access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow unconfined to service transition to unconfined user
Then you must tell SELinux about this by enabling the 'unconfined_service_transition_to_unconfined_user' boolean.

Do
setsebool -P unconfined_service_transition_to_unconfined_user 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that cockpit-session should be allowed transition access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cockpit-session' --raw | audit2allow -M my-cockpitsession
# semodule -X 300 -i my-cockpitsession.pp


Additional Information:
Source Context                system_u:system_r:unconfined_service_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                /usr/bin/bash [ process ]
Source                        cockpit-session
Source Path                   cockpit-session
Port                          <Unknown>
Host                          linux.fritz.box
Source RPM Packages           
Target RPM Packages           bash-5.2.37-160000.3.8.x86_64
SELinux Policy RPM            selinux-policy-targeted-20241031+git516.1a75276b-
                              160000.1.15.noarch
Local Policy RPM              selinux-policy-targeted-20241031+git516.1a75276b-
                              160000.1.15.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     linux.fritz.box
Platform                      Linux linux.fritz.box 6.12.0-160000.9-default #1
                              SMP PREEMPT_DYNAMIC Mon Mar 24 17:07:41 UTC 2025
                              (0d0bca0) x86_64 x86_64
Alert Count                   12
First Seen                    2025-05-02 01:02:03 CEST
Last Seen                     2025-05-04 18:00:12 CEST
Local ID                      23531a46-f807-43f8-a50c-4fe1a73e7586

Raw Audit Messages
type=AVC msg=audit(1746374412.268:189): avc:  denied  { transition } for  pid=3704 comm="cockpit-session" path="/usr/bin/bash" dev="dm-0" ino=20367 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0


Hash: cockpit-session,unconfined_service_t,unconfined_t,process,transition

I applied the suggested setting:
sudo setsebool -P unconfined_service_transition_to_unconfined_user 1
and now I can login to the cockpit.

Is this a proper solution?

Best regards,
Achim

PS: there was no Leap-16-beta tag, so I used the alpha tag.

(Have created a tag for Leap 16.0 beta and replaced it)

Created a fresh Virtualbox Leap 16 Beta installation and the cockpit web console came up flawlessly without tinkering with SELinux.
Followed this guide to enable/install cockpit.

No error messages from SELinux in journal for this installation.

Hello hui,
thanks for the link to the guide. Actually, I did not install cockpit manually; it came with the OS from the Agama web installer, where there was the option “Pattern for cockpit”. I only enabled the socket.

Do you also have the SELinux policy system modification:
Allow unconfined to service transition to unconfined user ?


(screenshot from cockpit SELinux)

I also have this issue. I don’t think enabling unconfined transitions is the correct solution for this, because the cockpit install comes with an SELinux module which should be setting a context for cockpit processes. However, it doesn’t seem like it’s working correctly and cockpit ends up unconfined. I have not been able to figure out why this is happening, though.
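
The AVC record quoted earlier in the thread can be checked mechanically for exactly this symptom (a source domain of unconfined_service_t attempting a process transition means the service never entered its own domain). The script below is an added example, not code from the thread or from the Cockpit project; the policy module name "cockpit" and the path /usr/libexec/cockpit/cockpit-session used by the live check are assumptions.

```bash
#!/usr/bin/env bash
# Added example: parse an SELinux AVC denial and classify the cockpit case.
# Sample record taken from the sealert output quoted in the thread, embedded
# here so the parser runs offline.
SAMPLE_AVC='type=AVC msg=audit(1746374412.268:189): avc:  denied  { transition } for  pid=3704 comm="cockpit-session" path="/usr/bin/bash" dev="dm-0" ino=20367 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0'

# avc_field RECORD KEY: value of KEY=value in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms RECORD: the permission set between the braces, e.g. "transition".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT: the type component (user:role:TYPE:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD: prints "unconfined-service-transition" when the source
# domain is unconfined_service_t and the denied permission is a process
# transition. That pattern means the daemon was started without its intended
# domain (policy module missing or mislabelled binary); granting the
# permission hides the cause rather than fixing it. Anything else is "other".
classify_avc() {
    src=$(context_type "$(avc_field "$1" scontext)")
    perms=$(avc_perms "$1")
    if [ "$src" = unconfined_service_t ] && [ "$perms" = transition ]; then
        printf '%s\n' "unconfined-service-transition"
    else
        printf '%s\n' "other"
    fi
}

# live_check: on the affected host, show whether the cockpit policy module is
# loaded, how the session binary is labelled, and the boolean's current value.
# Module name and binary path are assumptions; tools may be absent elsewhere.
live_check() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not found; not an SELinux host"; return 0; }
    echo "module:  $(semodule -l 2>/dev/null | grep '^cockpit' || echo MISSING)"
    echo "label:   $(ls -Z /usr/libexec/cockpit/cockpit-session 2>/dev/null || echo 'binary not found')"
    echo "boolean: $(getsebool unconfined_service_transition_to_unconfined_user 2>/dev/null)"
}

classify_avc "$SAMPLE_AVC"
```

On a healthy install the label line should show a cockpit-specific type rather than a generic one, and the boolean should read "off" once the workaround has been reverted.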

Is cockpit-selinux installed?

“/etc/cockpit/disallowed-users”?

cockpit-selinux is installed, version 334.1-160000.1.6
/etc/cockpit/disallowed-users contains only root

How did you install cockpit, during Agama OS net-install or later via zypper?

The cockpit-selinux is coming from this repository:
https://download.opensuse.org/distribution/leap/16.0/repo/oss/x86_64

sudo zypper info cockpit-selinux
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...


Information for package cockpit-selinux:
----------------------------------------
Repository     : https://download.opensuse.org/distribution/leap/16.0/repo/oss/x86_64
Name           : cockpit-selinux
Version        : 334.1-160000.1.6
Arch           : noarch
Vendor         : SUSE LLC <https://www.suse.com/>
Installed Size : 376,3 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : cockpit-334.1-160000.1.6.src
Upstream URL   : https://cockpit-project.org/
Summary        : Cockpit SELinux package
Description    : 
    This package contains the Cockpit user interface integration with the
    utility setroubleshoot to diagnose and resolve SELinux issues.

All repos are:

Is this correct?

“List of users which are not allowed to login to Cockpit”.
Did you understand that?

Can you point out which ISO you used for installation?
Leap-16.0-offline-installer-x86_64.install.iso from openSUSE Leap 16.0 - Download openSUSE does not contain this pattern, and cockpit needs to be installed manually (via zypper or Myrlyn) after the first system start.

Nope. Mine shows: (no SELinux tinkering needed)

I used the net-installer, downloaded on May 1st.

I think so. root is not allowed to log in to cockpit. This is in line with the project documentation: Privileges and Permissions

The issue needs to be reported at bugzilla then.

Leap 16 Beta Netinstall ISO:

  • Cockpit pattern available
  • (SELinux pattern preselected)
    Result: not working Cockpit installation

Leap 16 Beta offline installer (full ISO):

  • no Cockpit pattern in Agama installer
  • (SELinux pattern preselected)
  • Cockpit installed manually via zypper/Myrlyn
    Result: working Cockpit installation

Bugzilla – Bug 1242356 Submitted

Please do a force re-install of the package cockpit-selinux-policies and reboot, this should enable cockpit login. If yes, then it’s a known problem.

Ok, just make it easy and rename this file.

sudo zypper install -f cockpit-selinux-policies
done

and to remove the workaround:
sudo setsebool -P unconfined_service_transition_to_unconfined_user 0

reboot

Now the normal user can log in to the cockpit web console. The SELinux modification is still there, but changed, probably aligned with the default:
Disallow unconfined to service transition to unconfined user

Solution confirmed :)

Thank you very much to all of you!

I marked the bug as solved and duplicate of Bug 1236057