Bug 1685591
| Summary: | [RHEL 7.7] boltd SELinux AVC running gnome on a system with thunderbolt | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Erico Nunes <ernunes> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.7 | CC: | kbenoit, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-03-06 12:27:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I believe that the first 4 SELinux denials are already mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1589086#c28. The fifth SELinux denial can be avoided by enabling the xdm_write_home boolean.
Description of problem:

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

selinux-policy-3.13.1-238.el7.noarch

----
time->Tue Mar 5 15:35:32 2019
type=PROCTITLE msg=audit(1551796532.166:58): proctitle="/usr/libexec/boltd"
type=SYSCALL msg=audit(1551796532.166:58): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7efdbf8dba70 a2=6e a3=7efdbf8db4a0 items=0 ppid=1 pid=5587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/boltd" subj=system_u:system_r:boltd_t:s0 key=(null)
type=AVC msg=audit(1551796532.166:58): avc: denied { connectto } for pid=5587 comm="pool" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Tue Mar 5 15:35:32 2019
type=PROCTITLE msg=audit(1551796532.590:62): proctitle="/usr/libexec/boltd"
type=SYSCALL msg=audit(1551796532.590:62): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7f0fb6151a70 a2=6e a3=7f0fb61514a0 items=0 ppid=1 pid=5666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/boltd" subj=system_u:system_r:boltd_t:s0 key=(null)
type=AVC msg=audit(1551796532.590:62): avc: denied { connectto } for pid=5666 comm="pool" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Tue Mar 5 15:35:33 2019
type=PROCTITLE msg=audit(1551796533.004:66): proctitle="/usr/libexec/boltd"
type=SYSCALL msg=audit(1551796533.004:66): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7f79cf95fa70 a2=6e a3=7f79cf95f4a0 items=0 ppid=1 pid=5696 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/boltd" subj=system_u:system_r:boltd_t:s0 key=(null)
type=AVC msg=audit(1551796533.004:66): avc: denied { connectto } for pid=5696 comm="pool" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Tue Mar 5 15:35:45 2019
type=PROCTITLE msg=audit(1551796545.274:120): proctitle="/usr/libexec/boltd"
type=SYSCALL msg=audit(1551796545.274:120): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fe7e4d50a70 a2=6e a3=7fe7e4d504a0 items=0 ppid=1 pid=9221 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pool" exe="/usr/libexec/boltd" subj=system_u:system_r:boltd_t:s0 key=(null)
type=AVC msg=audit(1551796545.274:120): avc: denied { connectto } for pid=9221 comm="pool" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Tue Mar 5 15:35:43 2019
type=PROCTITLE msg=audit(1551796543.166:117): proctitle=67646D2D73657373696F6E2D776F726B6572205B70616D2F67646D2D6175746F6C6F67696E5D
type=SYSCALL msg=audit(1551796543.166:117): arch=c000003e syscall=83 success=no exit=-13 a0=55d5fe81aff0 a1=1c0 a2=55d5fe81b000 a3=b items=0 ppid=7381 pid=7919 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551796543.166:117): avc: denied { create } for pid=7919 comm="gdm-session-wor" name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
```

Version-Release number of selected component (if applicable):
RHEL-7.7-20190226.n.0
kernel 3.10.0-1013.el7.x86_64

How reproducible:
Consistently

Steps to Reproduce:
1. Get a system with thunderbolt (example system: dell-pr3520-01.tpb.lab.eng.brq.redhat.com)
2. yum group install -y "Server with GUI"
3. systemctl set-default graphical.target
4. reboot
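A small triage helper for the denials quoted above, added here as an example and not part of the bug report: it reduces each AVC record to (source type, target type, object class, permissions), collapses the repeated boltd_t connectto denials into one entry with a count, and flags the xdm_t denial that the comment attributes to the xdm_write_home boolean. The BOOLEAN_HINTS table is an assumption seeded from that comment only, not from the policy sources.

```python
import re
from collections import Counter

# Three of the AVC records quoted in this bug (the SYSCALL/PROCTITLE lines are dropped).
AVC_LINES = [
    'type=AVC msg=audit(1551796532.166:58): avc: denied { connectto } for pid=5587 comm="pool" '
    'path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 '
    'tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1551796532.590:62): avc: denied { connectto } for pid=5666 comm="pool" '
    'path="/run/dbus/system_bus_socket" scontext=system_u:system_r:boltd_t:s0 '
    'tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1551796543.166:117): avc: denied { create } for pid=7919 comm="gdm-session-wor" '
    'name="gdm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0',
]

# Permissions inside { }, then the source/target security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed mapping taken from the comment on this bug (xdm_write_home), not from the policy itself.
BOOLEAN_HINTS = {("xdm_t", "admin_home_t", "dir"): "xdm_write_home"}


def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return (stype, ttype, m.group("tclass"), tuple(sorted(m.group("perms").split())))


def summarize(lines):
    """Collapse repeated denials (the identical boltd_t records) into one entry with a count."""
    return Counter(rec for rec in map(parse_avc, lines) if rec is not None)


def suggest(key):
    """Return a known boolean covering the denial, or None if a policy change is needed instead."""
    return BOOLEAN_HINTS.get(key[:3])


if __name__ == "__main__":
    for key, n in summarize(AVC_LINES).items():
        stype, ttype, tclass, perms = key
        hint = suggest(key) or "no boolean known; needs a policy rule"
        print(f"{n}x {stype} -> {ttype} ({tclass} {' '.join(perms)}): {hint}")
```

On a live system the same function can be fed the output of `ausearch -m avc`, which is the source the records above came from.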