Bug 1315095

Summary: selinux denies sddm-helper to access .wayland-errors
Product: [Fedora] Fedora
Reporter: bodhi.zazen <bodhi.zazen>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: low
Priority: medium
Version: 23
CC: bodhi.zazen, dwalsh
Doc Type: Bug Fix
Last Closed: 2016-03-07 06:55:16 UTC
Type: Bug

Description bodhi.zazen 2016-03-06 15:40:56 UTC
Description of problem: Gnome-shell on wayland is crashing and I am getting selinux denials with confined users.


Version-Release number of selected component (if applicable):


How reproducible: Seems to happen with multimedia apps most often, but is semi random.



Actual results: Wayland crashes - selinux denies writing error log.


Not sure if this is a selinux or wayland/sddm problem, but posting the denials

DENIAL

SELinux is preventing sddm-helper from write access on the file .wayland-errors.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sddm-helper should be allowed write access on the .wayland-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                .wayland-errors [ file ]
Source                        sddm-helper
Source Path                   sddm-helper
Port                          <Unknown>
Host                          jazz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.7.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jazz
Platform                      Linux jazz 4.4.2-301.fc23.x86_64 #1 SMP Tue Feb 23
                              19:00:38 UTC 2016 x86_64 x86_64
Alert Count                   14
First Seen                    2015-12-07 14:20:27 MST
Last Seen                     2016-03-03 05:31:15 MST
Local ID                      39ddb6dd-944f-40d8-8337-7c1fd81d881e

Raw Audit Messages
type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  pid=11116 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: sddm-helper,xdm_t,user_home_t,file,write

Comment 1 Miroslav Grepl 2016-03-07 06:55:16 UTC
Could you please try to execute

$ restorecon -v ~/.wayland-errors

which will fix labeling and you will probably see what the real reason for the crash is.

Reopen the bug if you can reproduce it with SELinux errors.

Thank you.
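
An added example, not part of the bug report or of setroubleshoot: a small parser for the AVC record quoted in the description. It rebuilds the report's "Hash:" line and shows the allow rule a local module generated from this denial would carry. The function names are hypothetical, and the comma join for multiple permissions is an assumption.

```python
import re
import shlex

# AVC record copied from the "Raw Audit Messages" section of this report.
AVC = ('type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  '
       'pid=11116 comm="sddm-helper" name=".wayland-errors" dev="sda5" '
       'ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [""] * (4 - len(parts))))

def parse_avc(line):
    """Parse one AVC record into permissions, contexts and object details."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        raise ValueError("not an AVC record")
    # shlex strips the quotes audit puts around comm=, name= and dev=.
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(3)) if "=" in t)
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "tclass": fields["tclass"],
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def denial_key(avc):
    """Same five fields as the report's 'Hash:' line (perm join is assumed)."""
    return ",".join([avc["comm"], avc["source"]["type"], avc["target"]["type"],
                     avc["tclass"]] + avc["perms"])

def local_rule(avc):
    """Allow rule a local module built from this denial would carry."""
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["source"]["type"],
                                   avc["target"]["type"], avc["tclass"], perm)

if __name__ == "__main__":
    record = parse_avc(AVC)
    print(denial_key(record))
    print(local_rule(record))
```

The rule is keyed on types, so it would cover every file labeled user_home_t rather than only .wayland-errors, which is why checking the file's label first is the narrower step.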