Bug 2169117

Summary: SELinux is preventing /usr/bin/gnome-shell from using the signull access on a process.
Product: Red Hat Enterprise Linux 9
Reporter: dirk_sleutjes
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: low
Version: 9.1
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: 9.3
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-03 07:58:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description dirk_sleutjes 2023-02-11 23:23:32 UTC
Description of problem:
SELinux is preventing /usr/bin/gnome-shell from using the signull access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed signull access on processes labeled gnome_atspi_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        gnome-shell
Source Path                   /usr/bin/gnome-shell
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           ibus-1.5.25-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              5.14.0-162.12.1.el9_1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Dec 20 06:06:30 EST 2022
                              x86_64 x86_64
Alert Count                   2
First Seen                    2023-02-03 11:56:51 CET
Last Seen                     2023-02-03 11:56:51 CET
Local ID                      b32e5a0b-2a16-459b-a32a-eb594cc6916e

Raw Audit Messages
type=AVC msg=audit(1675421811.813:100): avc:  denied  { signull } for  pid=2849 comm="ibus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0


type=SYSCALL msg=audit(1675421811.813:100): arch=x86_64 syscall=kill success=no exit=EACCES a0=b0c a1=0 a2=55945b4e1d57 a3=7f3c36c17ac0 items=0 ppid=2684 pid=2849 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=tty1 ses=4294967295 comm=ibus-daemon exe=/usr/bin/ibus-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-shell,xdm_t,gnome_atspi_t,process,signull


Version-Release number of selected component (if applicable):
Name         : gnome-shell
Version      : 40.10
Release      : 4.el9_1
Architecture : x86_64

Name         : ibus
Version      : 1.5.25
Release      : 2.el9
Architecture : x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Nikola Knazekova 2023-02-13 14:38:32 UTC
Hi, 

can you please reproduce the issue in permissive mode?

# setenforce 0

Comment 2 dirk_sleutjes 2023-02-20 23:19:01 UTC
Could not trace back what triggered the issue in the first place.
Had only one occasion on which it occurred. Have not seen it again so far.
Could not trigger the issue again after many attempts in enforcing mode, so I don't know how to trigger it in permissive mode.

I think gnome-shell is now allowed access as I found the following:

$ sudo audit2allow -a
...
#============= xdm_t ==============
allow xdm_t gnome_atspi_t:process signull;
allow xdm_t unlabeled_t:file getattr;

-> If I'm correct, then the first allow line prevents the issue from occurring.

However, semodule does not show me that it was manually added:

$ sudo semodule -lfull |grep 300
300 my-6                         pp          
300 my-python                    pp          
300 my-raster2dymolw             pp          
300 my-rhsmcertdworke            pp          
300 my-snap                      pp          
300 my-snapconfine               pp          
300 my-snapd                     pp          
300 my-snapseccomp               pp          
300 my-systemduserru             pp  

None of the my-*.pp files contain anything about gnome, xdm, or signull.

I have no idea how the allow line below, as presented by audit2allow, was implemented and how I can remove it to test if I can trigger the issue again:

allow xdm_t gnome_atspi_t:process signull;
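The question raised in this comment turns on where a rule like `allow xdm_t gnome_atspi_t:process signull;` comes from. `audit2allow -a` reads denial records from the audit log and prints the rules that would allow them; it does not list rules present in the loaded policy, which is what `sesearch` (from setools) queries. The added example below is not part of this bug report, of setroubleshoot or of audit2allow: it parses the raw AVC record quoted in the description (copied here as a constructed inline sample, together with the SYSCALL record that follows it in the log), derives the audit2allow-style candidate rule, and builds the `sesearch` command that checks whether the loaded policy actually contains that rule. Note that the AVC's `comm` is `ibus-daemon` even though the alert is filed under gnome-shell, which the parser exposes.

```python
"""Parse raw SELinux AVC denials and derive the policy check for each.

Added example for this bug report; not code from the report, setroubleshoot
or audit2allow. The sample log is constructed from the two records quoted in
the description.
"""
import re
import shlex

# Constructed sample: the AVC and SYSCALL records from the bug description.
SAMPLE_LOG = """\
type=AVC msg=audit(1675421811.813:100): avc:  denied  { signull } for  pid=2849 comm="ibus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1675421811.813:100): arch=x86_64 syscall=kill success=no exit=EACCES a0=b0c a1=0 a2=55945b4e1d57 a3=7f3c36c17ac0 items=0 ppid=2684 pid=2849 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=tty1 ses=4294967295 comm=ibus-daemon exe=/usr/bin/ibus-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." (the audit AVC record layout)
_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="ibus-daemon") or bare
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    # user:role:type:range -> type
    return context.split(":")[2]


def parse_avc(line):
    """Return the parts of one AVC record that matter for policy analysis."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit_log(text):
    """Parse every AVC record in a raw audit dump; SYSCALL and other records are skipped."""
    return [parse_avc(line) for line in text.splitlines() if "type=AVC" in line]


def candidate_rule(avc):
    """The allow rule audit2allow would generate for this denial.

    This is derived from the log only: it says nothing about whether the
    loaded policy already contains such a rule.
    """
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["source_type"]} {avc["target_type"]}:{avc["tclass"]} {perm_text};'


def sesearch_query(avc):
    """Command that asks the *loaded* policy whether the rule exists (setools sesearch).

    An empty result means no module, custom or distribution, grants the access.
    """
    return [
        "sesearch", "--allow",
        "-s", avc["source_type"],
        "-t", avc["target_type"],
        "-c", avc["tclass"],
        "-p", ",".join(avc["perms"]),
    ]


if __name__ == "__main__":
    for avc in parse_audit_log(SAMPLE_LOG):
        print(f"{avc['comm']}: {candidate_rule(avc)}")
        print("check loaded policy with:", shlex.join(sesearch_query(avc)))
```

Run against a live system with `ausearch -m AVC --raw | python3 avc_check.py` style plumbing (feed the output into `parse_audit_log`) to get, for each denial, both the rule audit2allow would propose and the `sesearch` command that tells you whether that rule is already active; when `sesearch` prints nothing, the access is still denied in enforcing mode regardless of what `audit2allow -a` shows.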