Bug 2419755

Summary: SELinux is preventing blocking-2 from 'write' accesses on the sock_file org.gnome.DisplayManager.
Product: [Fedora] Fedora
Reporter: ada.bgzfed.x.loki04
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 43
CC: ada.bgzfed.x.loki04, dwalsh, jwadodson, k.grozdanov, kiselvadim, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:427c6c80a6c7dad7fdf7d6c10c3f3dacc56722d66e2c43706a3f01e822ec8c14;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-42.20-1.fc43
Last Closed: 2026-01-08 01:28:06 UTC

Description ada.bgzfed.x.loki04 2025-12-07 12:33:29 UTC
Description of problem:
just pops up 
SELinux is preventing blocking-2 from 'write' accesses on the sock_file org.gnome.DisplayManager.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that blocking-2 should be allowed write access on the org.gnome.DisplayManager sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'blocking-2' --raw | audit2allow -M my-blocking2
# semodule -X 300 -i my-blocking2.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_run_t:s0
Target Objects                org.gnome.DisplayManager [ sock_file ]
Source                        blocking-2
Source Path                   blocking-2
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.18-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.18-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.17.9-300.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Mon Nov 24 23:31:27 UTC 2025
                              x86_64
Alert Count                   307
First Seen                    2025-11-15 22:47:28 CET
Last Seen                     2025-12-07 09:24:44 CET
Local ID                      ae4da056-b6bf-4a45-b190-c0810211d257

Raw Audit Messages
type=AVC msg=audit(1765095884.414:741): avc:  denied  { write } for  pid=55950 comm="blocking-2" name="org.gnome.DisplayManager" dev="tmpfs" ino=3504 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=sock_file permissive=0


Hash: blocking-2,thumb_t,xdm_var_run_t,sock_file,write

Version-Release number of selected component:
selinux-policy-targeted-42.18-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing blocking-2 from 'write' accesses on the sock_file org.gnome.DisplayManager.
package:        selinux-policy-targeted-42.18-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.17.9-300.fc43.x86_64
comment:        just pops up 
component:      selinux-policy

Comment 1 ada.bgzfed.x.loki04 2025-12-07 12:33:31 UTC
Created attachment 2117797
File: description

Comment 2 ada.bgzfed.x.loki04 2025-12-07 12:33:32 UTC
Created attachment 2117798
File: os_info

Comment 3 jjanasek 2025-12-19 08:40:22 UTC
*** Bug 2422031 has been marked as a duplicate of this bug. ***

Comment 4 jjanasek 2025-12-19 08:40:27 UTC
*** Bug 2421806 has been marked as a duplicate of this bug. ***

Comment 5 jjanasek 2025-12-19 08:40:32 UTC
*** Bug 2422041 has been marked as a duplicate of this bug. ***

Comment 6 jjanasek 2025-12-19 08:40:40 UTC
*** Bug 2419966 has been marked as a duplicate of this bug. ***

Comment 7 jjanasek 2025-12-19 08:40:49 UTC
*** Bug 2421046 has been marked as a duplicate of this bug. ***

Comment 8 John Dodson 2025-12-22 08:11:20 UTC
What version is fixed?

Still happening with
selinux-policy.noarch          42.19-1.fc43 updates
selinux-policy-targeted.noarch 42.19-1.fc43 updates

SELinux is preventing blocking-1 from write access on the sock_file org.gnome.DisplayManager.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that blocking-1 should be allowed write access on the org.gnome.DisplayManager sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'blocking-1' --raw | audit2allow -M my-blocking1
# semodule -X 300 -i my-blocking1.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_run_t:s0
Target Objects                org.gnome.DisplayManager [ sock_file ]
Source                        blocking-1
Source Path                   blocking-1
Port                          <Unknown>
Host                          X
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.19-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.19-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     X
Platform                      Linux X 6.17.12-300.fc43.x86_64
                              #1 SMP PREEMPT_DYNAMIC Sat Dec 13 05:06:24 UTC
                              2025 x86_64
Alert Count                   95
First Seen                    2025-11-25 13:43:42 AEDT
Last Seen                     2025-12-22 16:18:15 AEDT
Local ID                      e4f85bfa-f478-4f35-8ee8-f4b7378fb983

Raw Audit Messages
type=AVC msg=audit(1766380695.604:2109): avc:  denied  { write } for  pid=1282317 comm="blocking-17" name="org.gnome.DisplayManager" dev="tmpfs" ino=3370 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_run_t:s0 tclass=sock_file permissive=0


Hash: blocking-1,thumb_t,xdm_var_run_t,sock_file,write

Comment 9 Zdenek Pytela 2025-12-22 12:30:32 UTC
Thanks for spotting this, looks like I misread the report.

Comment 10 John Dodson 2025-12-23 01:26:20 UTC
On a slightly related matter, can you comment on why often the policy files will be
updated but only the date on them changes?
The content remains the same.
It's not as if they are regenerated for a reason.
Almost as if someone is using a Makefile with inconsistent dependencies.

Comment 11 Fedora Update System 2026-01-06 20:24:57 UTC
FEDORA-2026-c3af1a6b23 (selinux-policy-42.20-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-c3af1a6b23

Comment 12 Fedora Update System 2026-01-07 01:09:44 UTC
FEDORA-2026-c3af1a6b23 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-c3af1a6b23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-c3af1a6b23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2026-01-08 01:28:06 UTC
FEDORA-2026-c3af1a6b23 (selinux-policy-42.20-1.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.