Bug 2413082
| Summary: | SELinux is preventing RDP socket thre from 'read' accesses on the Verzeichnis /var/lib/sss/pubconf/krb5.include.d. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Frank Büttner <bugzilla> | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 42 | CC: | bugzilla, dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:340fc7f8eea26471da7c0fa135d3a622c35bceaee1525e13394ec628a2e139fb;VARIANT_ID=workstation; | ||||||||
| Fixed In Version: | selinux-policy-42.17-1.fc42 | Doc Type: | --- | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2025-12-02 01:33:56 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 2112944 [details]
File: description
Created attachment 2112945 [details]
File: os_info
FEDORA-2025-7c0f442595 (selinux-policy-42.15-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-7c0f442595 FEDORA-2025-7c0f442595 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7c0f442595` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-7c0f442595 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-0a825f4990 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-0a825f4990` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-0a825f4990 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-5f224b92e4 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-5f224b92e4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-5f224b92e4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-5f224b92e4 (selinux-policy-42.17-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: Try to use gnome-remote-desktop using the systemd wide mode. SELinux is preventing RDP socket thre from 'read' accesses on the Verzeichnis /var/lib/sss/pubconf/krb5.include.d. ***** Plugin catchall (100. confidence) suggests ************************** Wenn Sie denken, dass es RDP socket thre standardmäßig erlaubt sein sollte, read Zugriff auf krb5.include.d directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # ausearch -c 'RDP socket thre' --raw | audit2allow -M my-RDPsocketthre # semodule -X 300 -i my-RDPsocketthre.pp Additional Information: Source Context system_u:system_r:gnome_remote_desktop_t:s0 Target Context system_u:object_r:sssd_public_t:s0 Target Objects /var/lib/sss/pubconf/krb5.include.d [ dir ] Source RDP socket thre Source Path RDP socket thre Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages sssd-krb5-common-2.11.1-2.fc42.x86_64 SELinux Policy RPM selinux-policy-targeted-42.13-1.fc42.noarch Local Policy RPM selinux-policy-targeted-42.13-1.fc42.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 6.17.7-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Nov 2 17:43:34 UTC 2025 x86_64 Alert Count 1 First Seen 2025-11-06 13:18:46 CET Last Seen 2025-11-06 13:18:46 CET Local ID a3e4143a-9206-448f-9c1b-0b07d6a6a8ba Raw Audit Messages type=AVC msg=audit(1762431526.77:934): avc: denied { read } for pid=62388 comm=52445020736F636B65742074687265 path="/var/lib/sss/pubconf/krb5.include.d" dev="dm-5" ino=537158989 scontext=system_u:system_r:gnome_remote_desktop_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1 Hash: RDP socket thre,gnome_remote_desktop_t,sssd_public_t,dir,read Version-Release number of selected component: selinux-policy-targeted-42.13-1.fc42.noarch Additional info: reporter: libreport-2.17.15 reason: SELinux is preventing RDP socket thre from 'read' accesses on the Verzeichnis /var/lib/sss/pubconf/krb5.include.d. package: selinux-policy-targeted-42.13-1.fc42.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.17.7-200.fc42.x86_64 comment: Try to use gnome-remote-desktop using the systemd wide mode. component: selinux-policy