Bug 2011772
| Summary: | avc: denied { search } for pid=1662 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Jan Stodola <jstodola> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.0 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-34.1.17-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-17 15:49:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1942219, 1971841 | ||
To backport:
commit e327c69fe54fe93cbff6e8233bc4354ec7a6fcad
Author: Zdenek Pytela <zpytela>
Date: Mon Sep 13 16:01:19 2021 +0200
Allow at-spi-bus-launcher read and map xdm pid files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3918 |
Description of problem: The following messages were found in audit.log after the default package set on x86_64: type=AVC msg=audit(1633597537.032:70): avc: denied { search } for pid=1662 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1128 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1633597537.032:70): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5560a625e650 a2=0 a3=0 items=0 ppid=1661 pid=1662 auid=4294967295 uid=986 gid=981 euid=986 suid=986 fsuid=986 egid=981 sgid=981 fsgid=981 tty=(none) ses=4294967295 comm="at-spi-bus-laun" exe="/usr/libexec/at-spi-bus-launcher" subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="gnome-initial-setup" GID="gnome-initial-setup" EUID="gnome-initial-setup" SUID="gnome-initial-setup" FSUID="gnome-initial-setup" EGID="gnome-initial-setup" SGID="gnome-initial-setup" FSGID="gnome-initial-setup" type=PROCTITLE msg=audit(1633597537.032:70): proctitle="/usr/libexec/at-spi-bus-launcher" type=AVC msg=audit(1633597537.033:71): avc: denied { search } for pid=1662 comm="at-spi-bus-laun" name="gnome-initial-setup" dev="tmpfs" ino=1128 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1633597537.033:71): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5560a6269280 a2=0 a3=0 items=0 ppid=1661 pid=1662 auid=4294967295 uid=986 gid=981 euid=986 suid=986 fsuid=986 egid=981 sgid=981 fsgid=981 tty=(none) ses=4294967295 comm="at-spi-bus-laun" exe="/usr/libexec/at-spi-bus-launcher" subj=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="gnome-initial-setup" GID="gnome-initial-setup" EUID="gnome-initial-setup" SUID="gnome-initial-setup" FSUID="gnome-initial-setup" EGID="gnome-initial-setup" SGID="gnome-initial-setup" FSGID="gnome-initial-setup" type=PROCTITLE msg=audit(1633597537.033:71): proctitle="/usr/libexec/at-spi-bus-launcher" Version-Release number of selected component (if applicable): RHEL-9.0.0-20211006.1 selinux-policy-34.1.16-1.el9 How reproducible: Always Steps to Reproduce: 1. Run grpahical installation, use the default package set ("Server with GUI") 2. Boot the installed system and check /var/log/audit/audit.log Actual results: AVC messages related to at-spi-bus-launcher Expected results: No AVCs Additional info: There are more AVCs in audit.log, but they should be covered by bug 1960010.