Bug 1315095 - selinux denies sddm-helper to access .wayland-errors
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: Unspecified Unspecified
Priority: medium
Severity: low
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2016-03-06 10:40 EST by bodhi.zazen
Modified: 2016-03-07 01:55 EST
Doc Type: Bug Fix
Last Closed: 2016-03-07 01:55:16 EST
Type: Bug
Description bodhi.zazen 2016-03-06 10:40:56 EST
Description of problem: Gnome-shell on wayland is crashing and I am getting selinux denials with confined users.


Version-Release number of selected component (if applicable):


How reproducible: Seems to happen with multimedia apps most often, but is semi random.



Actual results: Wayland crashes - selinux denies writing error log.


Not sure if this is a selinux or wayland/sddm problem, but posting the denials

DENIAL

SELinux is preventing sddm-helper from write access on the file .wayland-errors.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sddm-helper should be allowed write access on the .wayland-errors file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sddm-helper /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                .wayland-errors [ file ]
Source                        sddm-helper
Source Path                   sddm-helper
Port                          <Unknown>
Host                          jazz
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.7.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jazz
Platform                      Linux jazz 4.4.2-301.fc23.x86_64 #1 SMP Tue Feb 23
                              19:00:38 UTC 2016 x86_64 x86_64
Alert Count                   14
First Seen                    2015-12-07 14:20:27 MST
Last Seen                     2016-03-03 05:31:15 MST
Local ID                      39ddb6dd-944f-40d8-8337-7c1fd81d881e

Raw Audit Messages
type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  pid=11116 comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0


Hash: sddm-helper,xdm_t,user_home_t,file,write
Comment 1 Miroslav Grepl 2016-03-07 01:55:16 EST
Could you please try to execute

$ restorecon -v ~/.wayland-errors

which will fix the labeling, and you will probably see what the real reason for the crash is.

Reopen the bug if you can reproduce it with SELinux errors.

Thank you.
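
An added example, not part of the original report and not setroubleshoot's own code: a small Python parser for the raw AVC record quoted in the description. It extracts the source and target types and rebuilds the comma-separated key shown on the report's "Hash:" line, then counts denials per key. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# First record is copied from the report; the other two lines are constructed.
SAMPLE_LOG = [
    'type=AVC msg=audit(1457008275.223:407): avc:  denied  { write } for  pid=11116 '
    'comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1457008280.100:411): avc:  denied  { write } for  pid=11116 '
    'comm="sddm-helper" name=".wayland-errors" dev="sda5" ino=918139 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1457008280.100:411): arch=c000003e syscall=2 success=no',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    rec = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    rec.update(result=result, perms=perms.split())
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:range]; the MLS range may itself contain ':'.
        parts = rec.get(side, '').split(':', 3)
        if len(parts) < 3:
            return None
        rec[side[0] + 'type'] = parts[2]   # stored as 'stype' / 'ttype'
    return rec

def triage_key(rec):
    """comm,source type,target type,class,permissions (shape of the 'Hash:' line)."""
    return ','.join([rec.get('comm', '?'), rec['stype'], rec['ttype'],
                     rec['tclass'], *rec['perms']])

def summarize(lines):
    """Count denied AVC records per triage key, skipping every other record type."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            counts[triage_key(rec)] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Grouping by this key before reaching for audit2allow shows at a glance which domain and target type are involved, which is what points to a labeling check such as the restorecon suggested in Comment 1.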
