Bug 1972655

Summary: SELinux is preventing gnome-session-c from connectto access on the unix_stream_socket
Product: Red Hat Enterprise Linux 9
Reporter: Michal Odehnal <modehnal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.0
CC: lmiksik, lvrabec, mmalik, pkoncity, plautrba, pvlasin, shangsong2, ssekidde, tpelka, zpytela
Target Milestone: beta
Keywords: TestBlocker, Triaged
Target Release: 9.0 Beta
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.16-1.el9_b
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1993855 2003037 (view as bug list)
Environment:
Last Closed: 2021-12-07 21:35:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1972234, 1993855, 2003037, 2004170
Attachments (description, flags):
journal log (flags: none)
journal log with selinux in permissive mode (flags: none)
a few avc logs from beaker (flags: none)
command results for needinfo (flags: none)

Description Michal Odehnal 2021-06-16 11:40:19 UTC
Created attachment 1791530 [details]
journal log

Description of problem:
I am unable to connect to the user when connecting via xdmcp in Xephyr.

Version-Release number of selected component (if applicable):
selinux-policy-34.1.8-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. Have another user to log in - test2 in my case.
2. Xephyr :99 -query localhost -fullscreen
3. Select test2 user.
4. Enter password and confirm.


Actual results:
I am returned to the login screen.

Expected results:
User will log in.

Additional info:

Comment 1 Michal Odehnal 2021-06-16 11:44:51 UTC
Created attachment 1791532 [details]
journal log with selinux in permissive mode

Comment 2 Michal Odehnal 2021-06-16 11:46:35 UTC
Created attachment 1791533 [details]
a few avc logs from beaker

Comment 3 Zdenek Pytela 2021-06-16 16:18:12 UTC
Michale,

One of the problems I can identify is that gnome-session is running in SELinux context xdm_t.
Will you be able to execute some commands to check the status prior to logging in?

# ls -lZ /usr/bin/X*
# ps -eo pid,ppid,context,command

Comment 4 Michal Odehnal 2021-06-17 07:19:38 UTC
Created attachment 1791692 [details]
command results for needinfo

Comment 22 Milos Malik 2021-08-24 15:55:28 UTC
Effect of the NO_AT_BRIDGE variable in the /etc/environment file should be that at-spi-bus-launcher is not executed at all, which means that dbus-daemon is not started and the incorrectly labeled socket file in /tmp directory is not created.

Comment 23 Michal Odehnal 2021-08-25 09:49:38 UTC
So putting the environment variable in /etc/environment does seem to remove these AVC entries; I can no longer see them when I run the tests, nor when I try to reproduce it by hand.

Comment 25 Zdenek Pytela 2021-08-26 14:31:21 UTC
*** Bug 1991483 has been marked as a duplicate of this bug. ***

Comment 27 Zdenek Pytela 2021-08-26 22:20:54 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/851

Comment 29 Milos Malik 2021-08-31 12:20:22 UTC
Following SELinux denials appeared in the journal during the GDM testing in enforcing mode:

Aug 31 13:55:31 localhost.localdomain dbus-daemon[9114]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=9156 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Aug 31 13:52:07 localhost.localdomain dbus-daemon[6948]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=7034 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Aug 31 13:48:33 localhost.localdomain dbus-daemon[4687]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=4735 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Aug 31 13:47:51 localhost.localdomain dbus-daemon[4088]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=4132 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0
Aug 31 13:45:16 localhost.localdomain dbus-daemon[1827]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=2142 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0

Unfortunately, the ausearch tool does not report them, because they are not recorded in /var/log/audit/audit.log file.

The systemd journal also contains these messages:

Aug 31 13:46:09 localhost.localdomain gsd-wacom[2437]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 31 13:46:09 localhost.localdomain gsd-color[2440]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 31 13:46:09 localhost.localdomain gsd-media-keys[2452]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 31 13:46:09 localhost.localdomain gsd-keyboard[2442]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 31 13:46:09 localhost.localdomain gsd-power[2462]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Aug 31 13:45:41 localhost.localdomain gnome-shell[1909]: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

# rpm -qa selinux\*
selinux-policy-34.1.15-1.el9.noarch
selinux-policy-mls-34.1.15-1.el9.noarch
selinux-policy-targeted-34.1.15-1.el9.noarch
selinux-policy-devel-34.1.15-1.el9.noarch
selinux-policy-doc-34.1.15-1.el9.noarch
#

Comment 30 Milos Malik 2021-08-31 12:29:23 UTC
After loading this policy module:

# cat mypolicy.cil 
( allow gnome_atspi_t system_dbusd_t ( dbus ( acquire_svc send_msg )))
( allow xdm_t gnome_atspi_t ( dbus ( send_msg )))
( allow gnome_atspi_t xdm_t ( dbus ( send_msg )))
#

I see some AT-SPI processes:

# ps -efZ | grep at-spi
system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 gdm 12784 1  0 14:24 ?      00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 gdm 12790 12784  0 14:24 ? 00:00:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13185 9694  0 14:26 pts/0 00:00:00 grep --color=auto at-spi
#

But there are still many SELinux denials like this one:
----
type=PROCTITLE msg=audit(08/31/2021 14:24:59.545:1769) : proctitle=/usr/libexec/ibus-x11 --kill-daemon 
type=PATH msg=audit(08/31/2021 14:24:59.545:1769) : item=0 name=/tmp/dbus-Use9lqkwkO inode=464 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:system_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/31/2021 14:24:59.545:1769) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(08/31/2021 14:24:59.545:1769) : saddr={ saddr_fam=local path=/tmp/dbus-Use9lqkwkO } 
type=SYSCALL msg=audit(08/31/2021 14:24:59.545:1769) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffcc8325ec0 a2=0x16 a3=0x31 items=1 ppid=1 pid=13091 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=ibus-x11 exe=/usr/libexec/ibus-x11 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/31/2021 14:24:59.545:1769) : avc:  denied  { write } for  pid=13091 comm=ibus-x11 name=dbus-Use9lqkwkO dev="tmpfs" ino=464 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_tmp_t:s0 tclass=sock_file permissive=0 
----

I will enhance the policy module.

Comment 31 Milos Malik 2021-08-31 12:35:03 UTC
After loading this policy module:

# cat mypolicy.cil 
( allow gnome_atspi_t system_dbusd_t ( dbus ( acquire_svc send_msg )))
( allow xdm_t gnome_atspi_t ( dbus ( send_msg )))
( allow gnome_atspi_t xdm_t ( dbus ( send_msg )))
( allow xdm_t system_dbusd_tmp_t ( sock_file ( write )))
#

and restarting the GDM, the list of running AT-SPI processes increased:

# ps -efZ | grep at-spi
system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 gdm 13303 1  0 14:31 ?      00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 gdm 13309 13303  0 14:31 ? 00:00:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 gdm 13364 1  0 14:31 ?      00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13687 9694  0 14:31 pts/0 00:00:00 grep --color=auto at-spi
# 

An additional SELinux denial appeared:
----
type=PROCTITLE msg=audit(08/31/2021 14:31:25.374:1788) : proctitle=/usr/libexec/at-spi-bus-launcher 
type=OBJ_PID msg=audit(08/31/2021 14:31:25.374:1788) : opid=12790 oauid=unset ouid=gdm oses=-1 obj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 ocomm=dbus-daemon 
type=SYSCALL msg=audit(08/31/2021 14:31:25.374:1788) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x31f6 a1=SIGTERM a2=0x2 a3=0x7ffc185f2080 items=0 ppid=1 pid=12784 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/31/2021 14:31:25.374:1788) : avc:  denied  { signal } for  pid=12784 comm=at-spi-bus-laun scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=process permissive=0 
----

Comment 32 Milos Malik 2021-08-31 12:40:19 UTC
When this policy module is loaded:

# cat mypolicy.cil 
( allow gnome_atspi_t system_dbusd_t ( dbus ( acquire_svc send_msg )))
( allow xdm_t gnome_atspi_t ( dbus ( send_msg )))
( allow gnome_atspi_t xdm_t ( dbus ( send_msg )))
( allow xdm_t system_dbusd_tmp_t ( sock_file ( write )))
( allow gnome_atspi_t system_dbusd_t ( process ( signal )))
#

and GDM is restarted, there are no more SELinux denials reported (ausearch, journalctl) on my RHEL-9.0 VM.

Comment 33 Milos Malik 2021-08-31 12:57:32 UTC
The list of AT-SPI processes does not grow anymore:

# ps -efZ | grep at-spi
system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 gdm 15721 1  0 14:46 ?      00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 gdm 15727 15721  0 14:46 ? 00:00:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 gdm 15781 1  0 14:46 ?      00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16132 9694  0 14:46 pts/0 00:00:00 grep --color=auto at-spi
#

The GDM restart is quick (no timeouts happening) and users can login from GDM to their sessions.

When dontaudit rules are removed, 2 interesting SELinux denials are revealed:
----
type=PROCTITLE msg=audit(08/31/2021 14:06:10.201:1539) : proctitle=/usr/libexec/at-spi-bus-launcher 
type=SYSCALL msg=audit(08/31/2021 14:06:10.201:1539) : arch=x86_64 syscall=sched_setattr success=no exit=EACCES(Permission denied) a0=0x2d4c a1=0x555fc70ec670 a2=0x0 a3=0x555fc70ec490 items=0 ppid=11595 pid=11596 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=(none) ses=unset comm=at-spi-bus-laun exe=/usr/libexec/at-spi-bus-launcher subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/31/2021 14:06:10.201:1539) : avc:  denied  { setsched } for  pid=11596 comm=at-spi-bus-laun scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0 
----
type=PROCTITLE msg=audit(08/31/2021 14:06:35.530:1542) : proctitle=dbus-daemon --nofork --print-address 4 --session 
type=PATH msg=audit(08/31/2021 14:06:35.530:1542) : item=0 name=/var/lib/gdm/.local/share/dbus-1/services nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/31/2021 14:06:35.530:1542) : cwd=/var/lib/gdm 
type=SYSCALL msg=audit(08/31/2021 14:06:35.530:1542) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5592021a3b20 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=11559 pid=11560 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=(none) ses=unset comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/31/2021 14:06:35.530:1542) : avc:  denied  { search } for  pid=11560 comm=dbus-daemon name=gdm dev="vda2" ino=17299858 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir permissive=0 
----

I'm not sure if these actions are necessary for the AT-SPI functionality.
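Comments 29 to 33 above walk through the usual policy-debugging loop: read the denial (from ausearch, or from the journal for the dbus USER_AVCs that never reach /var/log/audit/audit.log), turn it into an allow rule, load the module, restart GDM, retest. The Python script below is an added example, not code from this bug or from selinux-policy. It parses the denial lines quoted in those comments into (source type, target type, class, permissions) tuples, merges repeated denials, and prints the equivalent CIL allow rules, writing a rule whose source and target type coincide against self, much as audit2allow would. The sample input is copied from the comments above (the fprintd_t line from comment 35); the regex, function names and output format are this example's own.

```python
import re
from collections import defaultdict

# Denial lines copied from this bug report: kernel AVCs as printed by
# ausearch -i, and dbus-daemon / dbus-broker USER_AVCs as seen in the journal.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(08/31/2021 14:24:59.545:1769) : avc:  denied  { write } for  pid=13091 comm=ibus-x11 name=dbus-Use9lqkwkO dev="tmpfs" ino=464 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(08/31/2021 14:31:25.374:1788) : avc:  denied  { signal } for  pid=12784 comm=at-spi-bus-laun scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'type=AVC msg=audit(08/31/2021 14:06:10.201:1539) : avc:  denied  { setsched } for  pid=11596 comm=at-spi-bus-laun scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0',
    'Aug 31 13:55:31 localhost.localdomain dbus-daemon[9114]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=9156 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0',
    'Aug 31 13:52:07 localhost.localdomain dbus-daemon[6948]: avc:  denied  { acquire_svc } for service=org.a11y.Bus spid=7034 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0',
    "type=USER_AVC msg=audit(1630570720.958:1597): pid=743 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0  exe=\"/usr/bin/dbus-broker\" sauid=81 hostname=? addr=? terminal=?'",
]

# Matches the common core of a kernel AVC and a userspace (dbus) USER_AVC:
# the braced permission list, then scontext, tcontext and tclass in that order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denial(line):
    """Parse one denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "source": type_of(m["scontext"]),
        "target": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }


def summarize(lines):
    """Aggregate denials into {(source, target, tclass): set(permissions)},
    so repeated denials of the same kind collapse into one rule."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def to_cil(rules):
    """Render aggregated denials as CIL allow rules in the style used in
    comment 32; a rule whose source and target type are the same is written
    against self, which CIL accepts."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"( allow {src} {target} ( {cls} ( {' '.join(sorted(perms))} )))")
    return out


if __name__ == "__main__":
    for rule in to_cil(summarize(SAMPLE_DENIALS)):
        print(rule)
```

Rules generated this way are a diagnostic aid, not a fix. Before loading anything with semodule, ask whether a label is the real problem: comment 22 points out that the dbus-daemon started by at-spi-bus-launcher creates a socket in /tmp labelled system_dbusd_tmp_t, and the xdm_t denials on it disappear when that launcher does not run at all. The shipped fix (the Fedora PRs linked in comments 27 and 34) goes into the policy proper; a local CIL module like the one in comment 32 should be removed once the fixed selinux-policy build is installed, or it will silently mask future regressions.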

Comment 34 Zdenek Pytela 2021-09-02 07:35:41 UTC
I've submitted a Fedora PR to update the policy:
https://github.com/fedora-selinux/selinux-policy/pull/858

On my Fedora vm, no denial appears.

Comment 35 Michal Odehnal 2021-09-02 09:48:28 UTC
I have executed our testing suite with the new selinux-policy-34.1.15-1.el9 packages and the only denials I see are:

time->Thu Sep  2 04:18:40 2021
type=USER_AVC msg=audit(1630570720.958:1597): pid=743 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Sep  2 04:20:24 2021
type=USER_AVC msg=audit(1630570824.141:1653): pid=743 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'

Which do not seem to be related to this issue.

I can no longer see any at-spi, gdm or gnome-session denials.

Thank you Milos for showing the policy load and the results, that is very interesting.

Comment 36 Milos Malik 2021-09-02 09:53:11 UTC
The USER_AVCs shown in comment#35 are already reported as https://bugzilla.redhat.com/show_bug.cgi?id=1999537

Comment 38 Zdenek Pytela 2021-09-02 15:49:09 UTC
(In reply to Michal Odehnal from comment #35)
> I have executed our testing suite with the new selinux-policy-34.1.15-1.el9
> packages and the only denials I see are:
> 
> time->Thu Sep  2 04:18:40 2021
> type=USER_AVC msg=audit(1630570720.958:1597): pid=743 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fprintd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 
> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> ----
> time->Thu Sep  2 04:20:24 2021
> type=USER_AVC msg=audit(1630570824.141:1653): pid=743 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fprintd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0 
> exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
> 
> Which do not seem to be related to this issue.
> 
> I can no longer see any at-spi, gdm or gnome-session denials.
Thank you for confirming. Under some conditions, there can even be other denials, not related to this issue.

> Thank you Milos for showing the policy load and the results, that is very
> interesting.
Michale,

if you take a look at #c33, there are 2 denials not addressed by the current policy:
- sched_setattr(2) denied for /usr/libexec/at-spi-bus-launcher
- search of /var/lib/gdm/.local/share/dbus-1/services denied for /usr/bin/dbus-daemon

They are currently dontaudited, i.e. not allowed, but normally not audited. Do you think it is okay and it does not affect the functionality?

Comment 39 Michal Odehnal 2021-09-03 09:11:42 UTC
Unfortunately I cannot say, I am currently not aware how everything from at-spi and dbus and higher up to our API use case of ATSPI is combined together.

For now I would say it does not affect the functionality; we have not noticed anything. When it blocks us I will let you know.

Thank you.