Bug 2218869

Summary: SELinux is preventing accounts-daemon from 'write' accesses on the directory lightdm.
Product: Fedora
Reporter: jplie <obodenkokira>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 38
CC: dwalsh, lvrabec, mmalik, nknazeko, obodenkokira, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:785a48854e90bbdb4b33fee63400cb9d491164e6bbaf0fa8d18145ba112e58dd;VARIANT_ID=budgie;
Attachments:
File: description (flags: none)
File: os_info (flags: none)

Description jplie 2023-06-30 10:49:39 UTC
Description of problem:
Changed avatar in system settings
SELinux is preventing accounts-daemon from 'write' accesses on the directory lightdm.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow accounts-daemon to have write access on the lightdm directory
Then you need to change the label on lightdm
Do
# semanage fcontext -a -t FILE_TYPE 'lightdm'
where FILE_TYPE is one of the following: accountsd_var_lib_t, krb5_host_rcache_t, tmp_t, tmpfs_t, var_lib_t, xdm_etc_t.
Then execute:
restorecon -v 'lightdm'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the lightdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                lightdm [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.15-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.15-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.3.7-200.fc38.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jun 9 15:21:11 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-06-30 13:45:46 MSK
Last Seen                     2023-06-30 13:45:46 MSK
Local ID                      7c7ce7d9-f1da-475d-9985-fb7c9df83638

Raw Audit Messages
type=AVC msg=audit(1688121946.790:201): avc:  denied  { write } for  pid=814 comm="accounts-daemon" name="lightdm" dev="sda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,etc_t,dir,write

Version-Release number of selected component:
selinux-policy-targeted-38.15-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.10
reason:         SELinux is preventing accounts-daemon from 'write' accesses on the directory lightdm.
package:        selinux-policy-targeted-38.15-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.3.7-200.fc38.x86_64
comment:        Changed avatar in system settings
component:      selinux-policy

Comment 1 jplie 2023-06-30 10:49:42 UTC
Created attachment 1973390: description

Comment 2 jplie 2023-06-30 10:49:46 UTC
Created attachment 1973391: os_info

Comment 3 Nikola Knazekova 2023-06-30 11:44:04 UTC
Hi,

Can you reproduce the issue in permissive mode with full auditing enabled?

setenforce 0

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Thank you,

Nikola

Comment 4 jplie 2023-06-30 12:01:19 UTC
(In reply to Nikola Knazekova from comment #3)
> Hi,
> 
> Can you reproduce the issue in permissive mode with full auditing enabled?
> 
> setenforce 0
> 
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> Thank you,
> 
> Nikola

If I create a new SELinux module for the accounts daemon following the selinux-troubleshooter instructions
```
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp
```
should I just remove the module and restart SELinux first, or is something more than that needed?

Comment 5 jplie 2023-07-01 09:02:42 UTC
(In reply to Nikola Knazekova from comment #3)
> Hi,
> 
> Can you reproduce the issue in permissive mode with full auditing enabled?
> 
> setenforce 0
> 
> 1) Open the /etc/audit/rules.d/audit.rules file in an editor.
> 2) Remove the following line if it exists:
> -a task,never
> 3) Add the following line to the end of the file:
> -w /etc/shadow -p w
> 4) Restart the audit daemon:
>   # service auditd restart
> 5) Re-run your scenario.
> 6) Collect AVC denials:
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> 
> Thank you,
> 
> Nikola

I want to clarify that the issue happens when I unlock user settings for editing and then enable automatic login; after that, when I try to change the avatar, the issue occurs.
Here is the requested information:

----
type=AVC msg=audit(07/01/2023 11:47:04.981:171) : avc:  denied  { write } for  pid=777 comm=accounts-daemon name=lightdm dev="sda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(07/01/2023 11:47:09.332:174) : avc:  denied  { write } for  pid=777 comm=accounts-daemon name=lightdm dev="sda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(07/01/2023 11:49:57.130:227) : avc:  denied  { write } for  pid=777 comm=accounts-daemon name=lightdm dev="sda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.130:228) : avc:  denied  { add_name } for  pid=777 comm=accounts-daemon name=lightdm.conf.EQHB71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.130:229) : avc:  denied  { create } for  pid=777 comm=accounts-daemon name=lightdm.conf.EQHB71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.130:230) : avc:  denied  { write } for  pid=777 comm=accounts-daemon path=/etc/lightdm/lightdm.conf.EQHB71 dev="sda3" ino=366398 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.146:231) : avc:  denied  { remove_name } for  pid=777 comm=accounts-daemon name=lightdm.conf.EQHB71 dev="sda3" ino=366398 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.146:232) : avc:  denied  { rename } for  pid=777 comm=accounts-daemon name=lightdm.conf.EQHB71 dev="sda3" ino=366398 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/01/2023 11:49:57.146:233) : avc:  denied  { unlink } for  pid=777 comm=accounts-daemon name=lightdm.conf dev="sda3" ino=1607 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/01/2023 11:50:10.315:236) : avc:  denied  { write } for  pid=777 comm=accounts-daemon name=lightdm dev="sda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(07/01/2023 11:50:10.315:237) : avc:  denied  { add_name } for  pid=777 comm=accounts-daemon name=lightdm.conf.4NQ761 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(07/01/2023 11:50:10.339:238) : avc:  denied  { remove_name } for  pid=777 comm=accounts-daemon name=lightdm.conf.4NQ761 dev="sda3" ino=366404 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1

Comment 6 Nikola Knazekova 2023-07-07 13:58:42 UTC
Hi,

Did you follow the steps for enabling full audit? Because from these logs I am not able to investigate what is happening.

Thank you,
N

Comment 7 jplie 2023-07-12 20:26:05 UTC
(In reply to Nikola Knazekova from comment #6)
> Hi,
> 
> Did you follow the steps for enabling full audit? because from these logs, I
> am not able to investigate what is happening.
> 
> Thank you,
> N

Hi, sorry for the late response, but it seems that now I can get more denial logs.
Here they are:

----
type=AVC msg=audit(07/12/2023 22:51:45.760:193) : avc:  denied  { write } for  pid=780 comm=accounts-daemon name=lightdm dev="vda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(07/12/2023 22:51:49.682:196) : avc:  denied  { write } for  pid=780 comm=accounts-daemon name=lightdm dev="vda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(07/12/2023 22:51:52.149:197) : avc:  denied  { write } for  pid=780 comm=accounts-daemon name=lightdm dev="vda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(07/12/2023 23:11:34.343:184) : proctitle=/usr/libexec/accounts-daemon 
type=PATH msg=audit(07/12/2023 23:11:34.343:184) : item=1 name=/etc/lightdm/lightdm.conf.QKVS71 inode=269159 dev=00:23 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/12/2023 23:11:34.343:184) : item=0 name=/etc/lightdm/ inode=355 dev=00:23 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 23:11:34.343:184) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 23:11:34.343:184) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x55b8f8686d80 a2=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a3=0x1b6 items=2 ppid=1 pid=742 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { write } for  pid=742 comm=accounts-daemon path=/etc/lightdm/lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { create } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { add_name } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { write } for  pid=742 comm=accounts-daemon name=lightdm dev="vda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(07/12/2023 23:11:34.367:185) : proctitle=/usr/libexec/accounts-daemon 
type=PATH msg=audit(07/12/2023 23:11:34.367:185) : item=4 name=/etc/lightdm/lightdm.conf inode=269159 dev=00:23 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/12/2023 23:11:34.367:185) : item=3 name=/etc/lightdm/lightdm.conf inode=1606 dev=00:23 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/12/2023 23:11:34.367:185) : item=2 name=/etc/lightdm/lightdm.conf.QKVS71 inode=269159 dev=00:23 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/12/2023 23:11:34.367:185) : item=1 name=/etc/lightdm/ inode=355 dev=00:23 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/12/2023 23:11:34.367:185) : item=0 name=/etc/lightdm/ inode=355 dev=00:23 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 23:11:34.367:185) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 23:11:34.367:185) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x55b8f8686d80 a1=0x55b8f7f31199 a2=0x0 a3=0x1a14 items=5 ppid=1 pid=742 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { unlink } for  pid=742 comm=accounts-daemon name=lightdm.conf dev="vda3" ino=1606 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { rename } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { remove_name } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
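Before choosing between the two setroubleshoot suggestions (relabeling the directory versus a local audit2allow module, as discussed in comment 4), it helps to see the whole operation the denials describe rather than the single `write` on the directory that the alert reports. The records in comment 7 show accounts-daemon creating a temporary file in /etc/lightdm, writing it, and renaming it over lightdm.conf, which is the usual atomic save pattern. The following script is an added example, not part of this bug report and not code from selinux-policy or setroubleshoot; the function names are hypothetical and the sample input is the AVC lines copied from comment 7. It parses `ausearch -i` style (and raw) AVC records, groups permissions by source type, target type and object class, renders the equivalent `allow` rules as audit2allow would, and flags the create/rename/unlink sequence so the reviewer knows the requested access is a config-file replace and not an isolated write.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from comment 7 of this bug
# (ausearch -i output, permissive=1 so the whole operation is visible).
SAMPLE_AVC = """\
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { write } for  pid=742 comm=accounts-daemon path=/etc/lightdm/lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { create } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { add_name } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.343:184) : avc:  denied  { write } for  pid=742 comm=accounts-daemon name=lightdm dev="vda3" ino=355 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { unlink } for  pid=742 comm=accounts-daemon name=lightdm.conf dev="vda3" ino=1606 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { rename } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/12/2023 23:11:34.367:185) : avc:  denied  { remove_name } for  pid=742 comm=accounts-daemon name=lightdm.conf.QKVS71 dev="vda3" ino=269159 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { write add_name } for  <key=value ...>"; works for raw
# (quoted comm=) and ausearch -i (unquoted) output alike.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        # path= is present when the kernel knows the full path, name= otherwise
        "object": fields.get("path") or fields.get("name"),
    }

def parse_log(text):
    """Parse every AVC record in a block of ausearch output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]

def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    perms = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {key: sorted(p) for key, p in perms.items()}

def to_te_rules(summary):
    """Render the summary as TE allow rules, the form audit2allow emits."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

def looks_like_atomic_replace(records):
    """True if the denials form the create-temp/rename-over/unlink pattern
    used to replace a file safely, i.e. the request is a config rewrite."""
    summ = summarize(records)
    dir_perms = set().union(*(set(p) for (s, t, c), p in summ.items() if c == "dir"))
    file_perms = set().union(*(set(p) for (s, t, c), p in summ.items() if c == "file"))
    return {"add_name", "remove_name"} <= dir_perms and {"create", "rename"} <= file_perms

if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVC)
    for rule in to_te_rules(summarize(recs)):
        print(rule)
    print("atomic file replace:", looks_like_atomic_replace(recs))
    print("objects touched:", sorted({r["object"] for r in recs}))
```

Run against the lines above it prints two rules, `allow accountsd_t etc_t:dir { add_name remove_name write };` and `allow accountsd_t etc_t:file { create rename unlink write };`, and reports the atomic-replace pattern. Seeing the full rule set makes the trade-off concrete: a module built only from the first enforcing-mode alert (a single `dir write`) would be incomplete, while the catchall_labels suggestion amounts to saying /etc/lightdm is accounts-daemon's own state, which is the question the policy maintainers need to answer.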