Bug 1315095 - selinux denies sddm-helper to access .wayland-errors
Summary: selinux denies sddm-helper to access .wayland-errors
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-06 15:40 UTC by bodhi.zazen
Modified: 2016-03-07 06:55 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-03-07 06:55:16 UTC
Type: Bug
Embargoed:



Description bodhi.zazen 2016-03-06 15:40:56 UTC
Description of problem: Gnome-shell on wayland is crashing and I am getting selinux denials with confined users.


Version-Release number of selected component (if applicable):


How reproducible: Seems to happen with multimedia apps most often, but is semi random.



Actual results: Wayland crashes - selinux denies writing error log.


Not sure if this is a selinux or wayland/sddm problem, but posting the denials

DENIAL

SELinux is preventing sddm-helper from write access on the file .wayland-errors.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sddm-helper should be allowed write access on the .wayland-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                .wayland-errors [ file ]
Source                        sddm-helper
Source Path                   sddm-helper
Port                          <Unknown>
Host                          jazz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.7.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jazz
Platform                      Linux jazz 4.4.2-301.fc23.x86_64 #1 SMP Tue Feb 23
                              19:00:38 UTC 2016 x86_64 x86_64
Alert Count                   14
First Seen                    2015-12-07 14:20:27 MST
Last Seen                     2016-03-03 05:31:15 MST
Local ID                      39ddb6dd-944f-40d8-8337-7c1fd81d881e

Raw Audit Messages
type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  pid=11116 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: sddm-helper,xdm_t,user_home_t,file,write

Comment 1 Miroslav Grepl 2016-03-07 06:55:16 UTC
Could you please try to execute

$ restorecon -v ~/.wayland-errors

which will fix the labeling, and you will probably see the real reason for the crash.

Reopen the bug if you can reproduce it with SELinux errors.

Thank you.
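
Added example (not part of the bug report or of any Fedora tooling): a small Python parser that reduces raw AVC records to the same five fields shown in the report's Hash line, so repeated denials can be grouped before choosing between relabeling and a policy change. `PAGE_AVC` is the record quoted above; the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# The raw AVC record quoted in this bug report.
PAGE_AVC = ('type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  '
            'pid=11116 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 '
            'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0')

# Constructed sample log: a repeat of the same denial (new timestamp and pid),
# a non-AVC record, and an unrelated made-up denial.
SAMPLE_LOG = [
    PAGE_AVC,
    PAGE_AVC.replace('1457008275.223:407', '1457008300.101:412').replace('11116', '11240'),
    'type=SYSCALL msg=audit(1457008275.223:407): arch=c000003e syscall=2 success=no',
    'type=AVC msg=audit(1457008301.000:413): avc:  denied  { read open } for  pid=42 '
    'comm="example" name="demo" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:demo_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'comm', 'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type:level; the MLS level may itself contain ':'.
        parts = fields[side].split(':', 3)
        if len(parts) < 3:
            return None
        fields[side + '_type'] = parts[2]
    return fields

def triage_key(f):
    """comm, source type, target type, class, permissions."""
    return ','.join([f['comm'], f['scontext_type'], f['tcontext_type'],
                     f['tclass'], *f['perms']])

def summarize(lines):
    """Count denials per triage key, ignoring non-AVC records."""
    parsed = (parse_avc(l) for l in lines)
    return Counter(triage_key(f) for f in parsed if f)

if __name__ == '__main__':
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, key)
```
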

