Bug 1960010
| Field | Value |
|---|---|
| Summary: | Many AVCs after default package set installation |
| Product: | Red Hat Enterprise Linux 9 |
| Reporter: | Jan Stodola <jstodola> |
| Component: | selinux-policy |
| Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | high |
| Priority: | medium |
| Version: | 9.0 |
| CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | beta |
| Keywords: | Triaged |
| Target Release: | 9.0 |
| Flags: | pm-rhel: mirror+ |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | selinux-policy-34.1.20-1.el9 |
| Doc Type: | No Doc Update |
| Story Points: | --- |
| Last Closed: | 2022-05-17 15:49:27 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Bug Blocks: | 1942219, 1971841 |
| Attachments: | audit.log (1782537), ps auxf (1791780) |
Created attachment 1782537 [details]
audit.log
SELinux denials collected in enforcing mode:
----
type=PROCTITLE msg=audit(05/13/2021 11:58:55.717:529) : proctitle=/usr/bin/gnome-shell
type=PATH msg=audit(05/13/2021 11:58:55.717:529) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:55.717:529) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:55.717:529) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:55.717:529) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x1f a1=0x7ffe227cffd0 a2=0x16 a3=0x55bfe0943e50 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:55.717:529) : avc: denied { write } for pid=32126 comm=gnome-shell name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:56.107:530) : proctitle=/usr/bin/gnome-shell
type=PATH msg=audit(05/13/2021 11:58:56.107:530) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:56.107:530) : cwd=/var/lib/gdm
type=SYSCALL msg=audit(05/13/2021 11:58:56.107:530) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x0 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:56.107:530) : avc: denied { watch } for pid=32126 comm=gnome-shell path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.288:544) : proctitle=/usr/libexec/gsd-media-keys
type=PATH msg=audit(05/13/2021 11:58:58.288:544) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:58.288:544) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:58.288:544) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:58.288:544) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffc97119710 a2=0x16 a3=0x31 items=1 ppid=32043 pid=32274 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-media-keys exe=/usr/libexec/gsd-media-keys subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:58.288:544) : avc: denied { write } for pid=32274 comm=gsd-media-keys name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.303:546) : proctitle=/usr/libexec/gsd-wacom
type=PATH msg=audit(05/13/2021 11:58:58.303:546) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:58.303:546) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:58.303:546) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:58.303:546) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd90eb97a0 a2=0x16 a3=0x31 items=1 ppid=32043 pid=32255 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-wacom exe=/usr/libexec/gsd-wacom subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:58.303:546) : avc: denied { write } for pid=32255 comm=gsd-wacom name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.304:547) : proctitle=/usr/libexec/gsd-power
type=PATH msg=audit(05/13/2021 11:58:58.304:547) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:58.304:547) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:58.304:547) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:58.304:547) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd37cf2200 a2=0x16 a3=0x55c6a719ccc0 items=1 ppid=32043 pid=32285 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-power exe=/usr/libexec/gsd-power subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:58.304:547) : avc: denied { write } for pid=32285 comm=gsd-power name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.304:548) : proctitle=/usr/libexec/gsd-color
type=PATH msg=audit(05/13/2021 11:58:58.304:548) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:58.304:548) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:58.304:548) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:58.304:548) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd9b8a41f0 a2=0x16 a3=0x21 items=1 ppid=32043 pid=32259 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-color exe=/usr/libexec/gsd-color subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:58.304:548) : avc: denied { write } for pid=32259 comm=gsd-color name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.308:549) : proctitle=/usr/libexec/gsd-keyboard
type=PATH msg=audit(05/13/2021 11:58:58.308:549) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:58.308:549) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:58.308:549) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:58.308:549) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffc1065b690 a2=0x16 a3=0x563bffa0b460 items=1 ppid=32043 pid=32260 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-keyboard exe=/usr/libexec/gsd-keyboard subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:58.308:549) : avc: denied { write } for pid=32260 comm=gsd-keyboard name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:58:59.041:551) : proctitle=/usr/libexec/ibus-x11 --kill-daemon
type=PATH msg=audit(05/13/2021 11:58:59.041:551) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:59.041:551) : cwd=/var/lib/gdm
type=SOCKADDR msg=audit(05/13/2021 11:58:59.041:551) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG }
type=SYSCALL msg=audit(05/13/2021 11:58:59.041:551) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffd66099c40 a2=0x16 a3=0x31 items=1 ppid=1 pid=32468 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=ibus-x11 exe=/usr/libexec/ibus-x11 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:59.041:551) : avc: denied { write } for pid=32468 comm=ibus-x11 name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(05/13/2021 11:59:00.457:552) : proctitle=/usr/bin/gnome-shell
type=PATH msg=audit(05/13/2021 11:59:00.457:552) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:59:00.457:552) : cwd=/var/lib/gdm
type=SYSCALL msg=audit(05/13/2021 11:59:00.457:552) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x7ffe227f4080 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gmain exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:59:00.457:552) : avc: denied { watch } for pid=32126 comm=gmain path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----
After installation of packages from the "Server with GUI" group, I executed the following command:
# telinit 5
The GDM session started successfully.
Previous comment shows SELinux denials collected after an unconfined user (unconfined_u) logged in and logged out. When confined users (staff_u, sysadm_u, xguest_u) do the same, there are different SELinux denials.

I just want to point out that the flatpak component brings its own policy module (in the flatpak-selinux package), which means that the default SELinux label for the /var/lib/flatpak directory should be defined there.

Does "graphical installation, use the default package set (Server with GUI)" mean that Xwayland is running (instead of Xorg) when the SELinux denials appear?

Created attachment 1791780 [details]
ps auxf

(In reply to Milos Malik from comment #6)
> Does "graphical installation, use the default package set (Server with GUI)"
> mean that Xwayland is running (instead of Xorg) when the SELinux denials
> appear?

Xwayland is running.

If we cannot persuade the at-spi-bus-launcher process (or its parent process) to run the dbus-daemon the right way (using systemctl, which leads to correctly labeled processes), it's very difficult to get rid of the SELinux denials visible in comment#0 or comment#2, because they are triggered by the incorrectly labeled dbus-daemon process.

# systemctl cat at-spi-dbus-bus.service --user
# /usr/lib/systemd/user/at-spi-dbus-bus.service
[Unit]
Description=Accessibility services bus

[Service]
Type=dbus
BusName=org.a11y.Bus
ExecStart=/usr/libexec/at-spi-bus-launcher

# /usr/lib/systemd/user/at-spi-dbus-bus.service.d/00-uresourced.conf
[Service]
Slice=session.slice

# rpm -qf /usr/lib/systemd/user/at-spi-dbus-bus.service.d/00-uresourced.conf
uresourced-0.4.0-1.fc34.x86_64

After uninstalling uresourced or disabling the service snippet, there are no unconfined_service_t processes:

# ps axfZ | grep -B 1 dbus-broke[r]
system_u:system_r:devicekit_power_t:s0 693 ? Ssl 0:00 /usr/libexec/upowerd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 698 ? Ss 0:00 /usr/bin/dbus-broker-launch --scope system --audit
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 714 ? S 0:00 \_ dbus-broker --log 4 --controller 9 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
--
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2484 ? S<sl 0:00 \_ /usr/bin/pipewire-pulse
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5067 ? Ss 0:00 \_ /usr/bin/dbus-broker-launch --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5068 ? S 0:00 | \_ dbus-broker --log 4 --controller 11 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 100000000000000 --max-fds 25000000000000 --max-matches 5000000000
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5153 ? Ssl 0:00 \_ /usr/libexec/at-spi-bus-launcher
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5158 ? S 0:00 | \_ /usr/bin/dbus-broker-launch --config-file=/usr/share/defaults/at-spi2/accessibility.conf --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5159 ? S 0:00 | \_ dbus-broker --log 4 --controller 9 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 100000000000000 --max-fds 6400000 --max-matches 5000000000

Also note:

# cat /usr/share/doc/uresourced/README
UResourced
==========

NOTE: This daemon is designed for obsoletion. The codebase is not supposed to be pretty, it just needs to do the one job until other components are able to take over in the long run.

Majority of the denials were resolved in bz#1972655.

These remain:
----
type=PROCTITLE msg=audit(05/13/2021 11:58:56.107:530) : proctitle=/usr/bin/gnome-shell
type=PATH msg=audit(05/13/2021 11:58:56.107:530) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/13/2021 11:58:56.107:530) : cwd=/var/lib/gdm
type=SYSCALL msg=audit(05/13/2021 11:58:56.107:530) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x0 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/13/2021 11:58:56.107:530) : avc: denied { watch } for pid=32126 comm=gnome-shell path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(1620846116.598:548): avc: denied { watch } for pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(12.5.2021 21:03:36.627:1522) : avc: denied { watch } for pid=1211 comm=gmain path=/usr/lib64/gnome-settings-daemon-3.0/gtk-modules dev="dm-0" ino=34198403 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
----

To backport:
commit 09d6db05fd99a4fe1ac7f35576229d88ae20951d
Author: Zdenek Pytela <zpytela>
Date: Wed Oct 6 20:25:15 2021 +0200
Allow xdm_t watch fonts directories
commit a53e7cfb01ba48a50a70ae77f9579fb199f14d14
Author: Zdenek Pytela <zpytela>
Date: Wed Oct 6 20:22:38 2021 +0200
Allow xdm_t watch generic directories in /lib
and
https://github.com/fedora-selinux/selinux-policy/pull/956
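The triage step behind the commits above, written out as an added example; this is not code from the bug report or from the selinux-policy project. It does the grouping that audit2allow performs: every AVC record is reduced to a (source type, target type, object class) triple plus the denied permissions, and each triple is rendered as the allow rule that would cover it. It accepts both record styles that appear in this report, the raw audit.log form (`msg=audit(1620846116.598:548):`) and the `ausearch -i` interpreted form (`msg=audit(05/13/2021 11:58:55.717:529) :`), in which quoting of values differs. The log lines embedded in it are constructed to mirror the report's records, not a copy of the attached audit.log.

```python
"""Summarise SELinux AVC denials into candidate allow rules.

Added example for this report, not code from the bug or from the
selinux-policy project.  It does the grouping step that audit2allow
performs: collect every (source type, target type, object class) triple
with the set of permissions that were denied, and print the allow rule
that would cover it.  Both record styles seen in the report are handled:
raw audit.log (msg=audit(1620846114.074:528)) and the interpreted
`ausearch -i` output (msg=audit(05/13/2021 11:58:55.717:529) :).
"""
import re
from collections import defaultdict

# "avc:  denied  { perm perm ... }  for <key=value fields>"
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value or key="quoted value"; ausearch -i drops the quotes, raw logs keep them
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # user:role:type[:range] -> the type is the third component
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        # files/dirs report path=, sockets and other inode objects report name=
        "target": fields.get("path") or fields.get("name"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Group denials by (source type, target type, class); keep perms, comms and targets."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "targets": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        g = groups[(avc["stype"], avc["ttype"], avc["tclass"])]
        g["perms"] |= avc["perms"]
        if avc["comm"]:
            g["comms"].add(avc["comm"])
        if avc["target"]:
            g["targets"].add(avc["target"])
    return dict(groups)


def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


# Constructed sample, patterned on the records in this report (one per case):
# interpreted sock_file write, interpreted dir watch, raw dir watch, raw
# sock_file write, and a non-AVC record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(05/13/2021 11:58:55.717:529) : avc: denied { write } for pid=32126 comm=gnome-shell name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(05/13/2021 11:58:56.107:530) : avc: denied { watch } for pid=32126 comm=gnome-shell path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846116.598:548): avc: denied { watch } for pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846116.090:535): avc: denied { write } for pid=1228 comm="gsd-keyboard" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1620846116.090:535): arch=c000003e syscall=42 success=no exit=-13 comm="gsd-keyboard"
"""

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG.splitlines())
    for key, g in sorted(groups.items()):
        print(key, "comms:", sorted(g["comms"]), "targets:", sorted(g["targets"]))
    print("\n".join(allow_rules(groups)))
```

A rule produced this way only records what was denied, not whether granting it is right, and the thread itself is the caveat: the sock_file denials on /tmp/dbus-* were not a gap in the xdm_t policy but a consequence of the bus started by at-spi-bus-launcher running in the wrong domain, and they went away under bz#1972655 without any `allow xdm_t tmp_t:sock_file write` rule; the /var/lib/flatpak watch is a labeling question for flatpak-selinux; only the fonts_t and lib_t directory watches became policy commits. The `comms` and `targets` sets are kept so that a reviewer can see which process and which object each candidate rule would actually cover before accepting it.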
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918
Description of problem:
There are plenty of AVCs logged after running the default package set installation ("Server with GUI") and booting to the installed system. For example:

type=AVC msg=audit(1620846114.074:528): avc: denied { watch } for pid=1080 comm="gnome-shell" path="/var/lib/flatpak" dev="dm-0" ino=1599956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846116.090:535): avc: denied { write } for pid=1228 comm="gsd-keyboard" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:534): avc: denied { write } for pid=1238 comm="gsd-media-keys" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:536): avc: denied { write } for pid=1216 comm="gsd-power" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:537): avc: denied { write } for pid=1234 comm="gsd-wacom" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.104:538): avc: denied { write } for pid=1226 comm="gsd-color" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.351:544): avc: denied { write } for pid=1211 comm="gsd-xsettings" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.598:548): avc: denied { watch } for pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846118.625:588): avc: denied { watch } for pid=1080 comm="gmain" path="/var/lib/flatpak" dev="dm-0" ino=1599956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

The whole audit.log will be attached.

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20210511.3
selinux-policy-34.1.3-1.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run graphical installation, use the default package set (Server with GUI)
2. Reboot to the installed system and check /var/log/audit/audit.log

Actual results:
AVCs reported.

Expected results:
No AVC reported.