Bug 2125757

Summary: SELinux is preventing slick-greeter-c from 'getattr' accesses on the chr_file /dev/dri/renderD129.
Product: Fedora
Reporter: Ian Laurie <ian.laurie>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 37
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:0574bac1f5cca63f3fb79c96cf6260d37202f3883b81034ef22afe65b05b2192;
Doc Type: If docs needed, set a value
Last Closed: 2023-06-27 19:02:43 UTC

Description Ian Laurie 2022-09-10 03:47:08 UTC
Description of problem:
Simply logged into Xfce from slickgreeter.
SELinux is preventing slick-greeter-c from 'getattr' accesses on the chr_file /dev/dri/renderD129.

*****  Plugin restorecon (90.5 confidence) suggests   ************************

If you want to fix the label.
/dev/dri/renderD129 default label should be dri_device_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /dev/dri/renderD129

*****  Plugin device (9.50 confidence) suggests   ****************************

If you want to allow slick-greeter-c to have getattr access on the renderD129 chr_file
Then you need to change the label on /dev/dri/renderD129 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/dri/renderD129'
# restorecon -v '/dev/dri/renderD129'

*****  Plugin catchall (1.40 confidence) suggests   **************************

If you believe that slick-greeter-c should be allowed getattr access on the renderD129 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'slick-greeter-c' --raw | audit2allow -M my-slickgreeterc
# semodule -X 300 -i my-slickgreeterc.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/dri/renderD129 [ chr_file ]
Source                        slick-greeter-c
Source Path                   slick-greeter-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.8-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.8-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.19.7-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Sep 5 15:09:01 UTC 2022 x86_64
                              x86_64
Alert Count                   1
First Seen                    2022-09-07 21:06:31 AEST
Last Seen                     2022-09-07 21:06:31 AEST
Local ID                      f7754c1d-b7ec-4ec8-8196-8fb4e14c80b9

Raw Audit Messages
type=AVC msg=audit(1662548791.142:239): avc:  denied  { getattr } for  pid=2105 comm="slick-greeter-c" path="/dev/dri/renderD129" dev="devtmpfs" ino=1024 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
Hash: slick-greeter-c,xdm_t,device_t,chr_file,getattr

Version-Release number of selected component:
selinux-policy-targeted-37.8-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.2
hashmarkername: setroubleshoot
kernel:         5.19.8-300.fc37.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2022-09-12 06:37:52 UTC
Hi,

The file in the setroubleshoot report has an incorrect label. Along with the restorecon plugin suggestion, you can fix the label with a single command:

  # /sbin/restorecon -v /dev/dri/renderD129

This change will not, however, persist across a reboot.
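
As an added example (not part of this bug report or of the selinux-policy project), a small Python triage of the raw AVC record from the report above: it parses the denial and separates the mislabel case this report turned out to be (target still device_t where the default is dri_device_t, remedied by restorecon) from a genuine policy gap that would need an allow rule. The expected-type table and the set of generic types are constructed assumptions, not data from the page or the policy.

```python
import re
# Sample input: the raw AVC record from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1662548791.142:239): avc:  denied  { getattr } for  '
    'pid=2105 comm="slick-greeter-c" path="/dev/dri/renderD129" dev="devtmpfs" '
    'ino=1024 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1'
)
# Constructed lookup of expected default types (restorecon plugin: renderD129 should be
# dri_device_t). A real triage tool would ask the loaded policy, e.g. via matchpathcon.
EXPECTED_TYPES = [(re.compile(r"^/dev/dri/(card|renderD)\d+$"), "dri_device_t")]
# Generic types a node keeps when it was created before the file context was applied;
# one of these on a path with a specific default type points to a mislabel, not a policy gap.
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}
_PERMS = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Extract permissions, process, path and context types from one AVC record."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    ctx_type = lambda c: c.split(":")[2]  # user:role:type[:range] -> type
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "dev": fields.get("dev"),
        "stype": ctx_type(fields["scontext"]),
        "ttype": ctx_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }

def triage(line):
    """Return 'mislabel' when the target carries a generic type but a specific
    default type is known for its path, otherwise 'policy' (an allow rule is needed)."""
    avc = parse_avc(line)
    path = avc["path"] or ""
    expected = next((t for rx, t in EXPECTED_TYPES if rx.match(path)), None)
    fix = None
    if expected and avc["ttype"] in GENERIC_TYPES:
        fix = f"restorecon -v {path}"
        if avc["dev"] == "devtmpfs":  # /dev is rebuilt at boot, so this relabel is per-boot
            fix += "  (repeat after each boot)"
    return {"verdict": "mislabel" if fix else "policy", "expected_type": expected, "fix": fix, **avc}
```

Running triage(SAMPLE_AVC) reports a mislabel with the restorecon fix and the per-boot caveat from the comment above; the same record with tcontext type dri_device_t is classified as a policy gap instead.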

Comment 2 Zdenek Pytela 2023-06-27 19:02:43 UTC
As no new information appeared during the past weeks, we are going to close this bug. If you need to pursue this matter further, feel free to reopen this bug and attach the needed information.