Bug 2040214
| Summary: | SELinux prevents xdm_t process from talking to timedatex_t process via D-bus | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jan Stodola <jstodola> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.6 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.6 | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-90.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-10 15:15:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2008126 | ||
Please re-run the scenario in permissive mode and collect SELinux denials which appear: # ausearch -m avc -m user_avc -m selinux_err -i -ts today The SELinux denials shown in comment#0 were caught in enforcing mode and we need to know the complete picture in order to fix the issue properly. Thank you. [root@localhost ~]# getenforce
Permissive
[root@localhost ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=USER_AVC msg=audit(01/21/22 17:26:04.050:159) : pid=945 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.232 spid=6459 tpid=6525 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(01/21/22 17:26:04.054:160) : pid=945 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.177 spid=6525 tpid=6459 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
[root@localhost ~]#
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1031 Note I was unable to reproduce it: changing timezone did not trigger the denial; there was no "Server with GUI" option in the installation screen; no EULA-accept popped. Anyway, the rule looks reasonable. To backport:
commit 40a8223b142eb3ed9d63869b5dc447b0ede4ebf3 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Fri Jan 28 17:04:07 2022 +0100
Allow timedatex dbus chat with xdm
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |
Description of problem: The following AVCs were found in audit.log after the default package set installation and completing initial-setup: type=USER_AVC msg=audit(1642064567.567:163): pid=942 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.201 spid=6469 tpid=6505 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus" type=USER_AVC msg=audit(1642064568.655:164): pid=942 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=:1.201 spid=6469 tpid=6505 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus" Version-Release number of selected component (if applicable): RHEL-8.6.0-20220111.0 selinux-policy-3.14.3-86.el8 How reproducible: Always Steps to Reproduce: 1. Run the default package set installation (Server with GUI) 2. Reboot to the installed system 3. Accept the EULA in initial-setup and finish it 4. Login to the system and check /var/log/audit/audit.log Actual results: AVCs present. Expected results: No AVCs.