Bug 2111834

| Field | Value |
|---|---|
| Summary | avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" |
| Product | Fedora |
| Component | selinux-policy |
| Version | 36 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Kamil Páral <kparal> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-36.14-1.fc36 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2022-08-20 01:44:38 UTC |
Description
Kamil Páral
2022-07-28 09:31:14 UTC
Created attachment 1899891: journal
Created attachment 1899892: ausearch

I don't know why this error happens or how to trigger it. It is present immediately after boot.

I am unable to reproduce on a fully updated system. Could you do the following?
1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists: -a task,never
3) Add the following line to the end of the file: -w /etc/shadow -p w
4) Restart the audit daemon: # service auditd restart
5) Log in or reboot to trigger the denials
6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
I suppose the events have the USER_AVC type. Additionally, does some service fail to perform any task? Is there a gnome-shell service?

These messages were produced by the systemd process. We should ask the systemd guys to give us a detailed explanation of what was happening.
# strings /usr/lib/systemd/systemd | grep mac_selinux
mac_selinux_init
mac_selinux_finish
mac_selinux_retest
mac_selinux_get_create_label_from_exe
mac_selinux_maybe_reload
mac_selinux_use
mac_selinux_bind
mac_selinux_create_file_prepare_at
mac_selinux_create_file_clear
mac_selinux_enforcing
mac_selinux_free
mac_selinux_get_our_label
mac_selinux_get_child_mls_label
mac_selinux_setup
mac_selinux_filter
mac_selinux_filter
mac_selinux_access_check_internal
mac_selinux_access_check_internal

Performed the steps, ausearch doesn't seem to see it:
$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(28.7.2022 10:34:24.736:251) : avc: denied { read } for pid=1454 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 10:34:24.736:252) : avc: denied { read } for pid=1454 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 11:26:22.159:250) : avc: denied { read } for pid=1467 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 11:26:22.159:251) : avc: denied { read } for pid=1467 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=USER_AVC msg=audit(28.7.2022 13:38:34.836:247) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" function="reply_unit_path" scontext=system_u:system_r:NetworkManager_dispatcher_sendmail_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:250) : proctitle=gdm-session-worker [pam/gdm-autologin]
type=SYSCALL msg=audit(28.7.2022 13:38:34.889:250) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x0 a3=0x0 items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(28.7.2022 13:38:34.889:250) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:251) : proctitle=gdm-session-worker [pam/gdm-autologin]
type=SYSCALL msg=audit(28.7.2022 13:38:34.889:251) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x55bcb1e4a7b0 a3=0xa items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(28.7.2022 13:38:34.889:251) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
But, I found out how to trigger it! Just locking my session, letting the screen go black, and then unlocking the session is enough to see the error printed again.
> Is there a gnome-shell service?
I don't think so.
$ sudo systemctl status gnome-shell
Unit gnome-shell.service could not be found.
$ systemctl --user status gnome-shell
Unit gnome-shell.service could not be found.
> Additionaly, does some service fail to perform any task?
I haven't seen anything broken.
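An added example, not part of this report or of the selinux-policy project, that parses the `ausearch -i` output format shown above in Python: it separates kernel AVC records from the USER_AVC records that systemd emits as a userspace object manager (pid=1, exe=/usr/lib/systemd/systemd), extracts the type component of each context, and keeps the `function=` and `cmdline=` fields that only the userspace records carry. The two sample records are constructed in the shape of lines quoted in this report.

```python
import re
from collections import Counter

# Constructed sample in the shape of the `ausearch -i` output quoted in this
# report: one kernel AVC and one USER_AVC emitted by systemd (pid=1).
SAMPLE = """\
----
type=AVC msg=audit(28.7.2022 10:34:24.736:251) : avc: denied { read } for pid=1454 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=USER_AVC msg=audit(28.7.2022 13:38:34.836:247) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" function="reply_unit_path" scontext=system_u:system_r:NetworkManager_dispatcher_sendmail_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """system_u:system_r:xdm_t:s0-s0:c0.c1023 -> xdm_t (the type component)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc_records(text):
    """Return one dict per AVC/USER_AVC line in `ausearch -i` output."""
    records = []
    for line in text.splitlines():
        if not line.startswith(("type=AVC ", "type=USER_AVC ")):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        # USER_AVC: text before msg='...' names the object manager, text after "for" the request.
        outer = {k: v.strip('"') for k, v in FIELD_RE.findall(line.split("msg='", 1)[0])}
        inner = {k: v.strip('"').rstrip("'") for k, v in FIELD_RE.findall(m.group("rest"))}
        records.append({
            "type": line.split(None, 1)[0].split("=", 1)[1],
            "perms": sorted(m.group("perms").split()),
            "source": _type_of(inner.get("scontext", "")),
            "target": _type_of(inner.get("tcontext", "")),
            "tclass": inner.get("tclass"),
            "permissive": inner.get("permissive") == "1",
            "function": inner.get("function"),   # only userspace AVCs carry this
            "cmdline": inner.get("cmdline"),     # caller, e.g. /usr/bin/gnome-shell
            "emitter": inner.get("exe") or outer.get("exe") or "kernel",
        })
    return records


def summarize(records):
    """Collapse repeated denials into (source, target, tclass, perms) counts."""
    return Counter((r["source"], r["target"], r["tclass"], " ".join(r["perms"])) for r in records)
```

Running `summarize(parse_avc_records(open("ausearch.txt").read()))` over a full capture gives one line per distinct denial, which is the unit a policy maintainer reasons about.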
FEDORA-2022-70c63dd1e2 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2

FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-70c63dd1e2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.

*** Bug 2127402 has been marked as a duplicate of this bug. ***