Bug 1955694

Summary: SELinux is preventing gnome-shell from watch access on the directory path_to_NFS_home_dir (NFS export)
Product: Fedora
Reporter: Francesco Simula <francesco.simula>
Component: gnome-shell
Assignee: Florian Müllner <fmuellner>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 36
CC: brian, fmuellner, gnome-sig, jadahl, matt, otaylor, philip.wyett, zpytela
Keywords: Reopened, SELinux
Hardware: x86_64
OS: Linux
Last Closed: 2023-05-25 16:18:42 UTC
Type: Bug

Description Francesco Simula 2021-04-30 16:49:28 UTC
Description of problem:
Medium to large quantities of this message spamming the log journal:
"SELinux is preventing gnome-shell from watch access on the directory...", where the directory is the path to the NFS-exported home of a user who was logged in and has since logged out.
This appeared on three different boxes as soon as they were upgraded to Fedora 34.

Output of ausearch:
type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="path_to_homedir_of_user" dev="0:55" ino=137711740434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
Version-Release number of selected component (if applicable):

There seems to be no other effect than this log spam...

How reproducible:
Always

Steps to Reproduce:
1. User logs in, then out
2. Log in as root via SSH and check the log journal

Actual results:
Hundreds to thousands of these unexpected messages start appearing in the journal log:
type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="path_to_homedir_of_user" dev="0:55" ino=137711740434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

Expected results:
No such messages should be appearing

Additional info:
I don't know what 'gmain' is - the PID is the property of the 'gnome-shell' application.
I can understand the 'gnome-shell' application trying to access the home of a user when logged in, not after logout - the only thing I can think of is that it's trying to access again the '.face' files that store the user mugshots that are displayed in the GDM greeter screen (we have those in our NFS-exported homes), but then why does the message pertain to the homedir path instead of the specific file, and why is it expecting to find a file in the home of a user with SELinux context xdm_t instead of user_home_dir_t, which is what is found?

Comment 1 Brian J. Murrell 2021-08-17 17:15:21 UTC
This doesn't just happen on NFS /home.  It happens on local /home also: #1994667.

Comment 2 Zdenek Pytela 2021-12-14 19:32:02 UTC

*** This bug has been marked as a duplicate of bug 1963745 ***

Comment 3 Francesco Simula 2022-06-08 09:39:24 UTC
I'm reopening this as still unresolved (as I also presume to be the one this should be a duplicate of) on Fedora 36.

Comment 4 Matt Kinni 2022-07-03 14:55:25 UTC
Same thing is happening with samba, even when samba_enable_home_dirs == true:

type=AVC msg=audit(1656856625.235:654): avc:  denied  { watch } for  pid=15124 comm="smbd-notifyd" path="/nvmepool/home/matt" dev="zfs" ino=34 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
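As an added example (not part of this bug report or of any of the projects involved), a small Python parser that aggregates AVC records of the shape quoted in the description and in comment 4 by source type, target type, object class and permission, so that spam like this can be triaged as a handful of distinct denials rather than thousands of raw lines. The sample log is constructed; its paths, PIDs and inode numbers are placeholders, while the contexts and classes mirror the two records quoted above.

```python
import re
from collections import Counter

# Constructed sample audit log modelled on the two denials quoted in this bug.
# Paths, PIDs and inode numbers are placeholders, not values from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="/home/example-user" dev="0:55" ino=1001 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1619797659.061:2300): avc:  denied  { watch } for  pid=1727 comm="gmain" path="/home/example-user" dev="0:55" ino=1001 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1656856625.235:654): avc:  denied  { watch } for  pid=15124 comm="smbd-notifyd" path="/srv/home/example-user" dev="zfs" ino=34 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1656856625.235:654): arch=c000003e syscall=254 success=no exit=-13
"""

# One AVC record: decision, permission set, comm, source/target context, class,
# and the optional permissive flag (0 = the denial was actually enforced).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The third colon-separated field of a context is the SELinux type, which is
    # what allow rules (and therefore audit2allow output) are keyed on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec["permissive"] != "1"
    return rec

def summarize_denials(log_text):
    """Count enforced denials by (source type, target type, class, perm, comm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied" or not rec["enforced"]:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm, rec["comm"])] += 1
    return counts

if __name__ == "__main__":
    for (stype, ttype, tclass, perm, comm), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:>6}  {stype} -> {ttype}:{tclass} {{ {perm} }}  comm={comm}")
```

On a real system the input would be the output of `ausearch -m AVC` or the journal; the summary shows at a glance that the thousands of lines in this report collapse to a single xdm_t -> user_home_dir_t:dir watch denial, which is the unit a policy fix is written against.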

Comment 5 Brian J. Murrell 2022-08-13 20:23:56 UTC
Yes, this happens on F36 with local home dirs even.  I'm getting an AVC about every second.

Comment 6 Ben Cotton 2023-04-25 16:42:12 UTC
This message is a reminder that Fedora Linux 36 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 36 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 7 Ludek Smid 2023-05-25 16:18:42 UTC
Fedora Linux 36 entered end-of-life (EOL) status on 2023-05-16.

Fedora Linux 36 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.