Created attachment 1481167
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR for a boot where the process of starting the system with gdm and then switching to lightdm happened

Description of problem:

I've been getting many denials since updating to selinux-policy-3.14.1-39.fc28 which appear to prevent messages being sent between boltd, polkit, and gdm through dbus. These denials occur in the journal and audit logs each time the system starts gdm then gnome-shell which requests boltd be started on dbus:

I'm still getting the denials of send_msg between boltd, polkit, and gdm on dbus and of acquire_svc between boltd and dbus shortly after gdm and boltd start. I described those denials in more detail on the Bodhi page for 3.14.1-39 on August 9, but they are still occurring so I have posted them here.

https://bodhi.fedoraproject.org/updates/FEDORA-2018-bf58a7faec

The following are representative denials when gdm starts boltd when I ran

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR | less

type=USER_AVC msg=audit(1533782415.943:279): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.6 spid=1184 tpid=757 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782415.952:280): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.50 spid=757 tpid=1184 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782440.970:297): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for service=org.freedesktop.bolt spid=1184 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782440.979:299): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.50 spid=1060 tpid=1184 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1533782448.976:306): pid=715 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=757 tpid=1184 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I'm using the targeted policy in enforcing mode. I don't have any Thunderbolt devices so these denials have no apparent functional effect on my system. The denials might affect those using Thunderbolt though.

When I've tested lightdm-1.28.0-1.fc28, I get the denial of send_msg between polkit and boltd on dbus many times right after lightdm starts in the journal and audit logs. These denials occur after starting the system with gdm enabled with systemd, then running

sudo systemctl stop gdm
sudo systemctl start lightdm

I saw many occurrences of the following denial of send_msg between polkit and bolt on dbus when after lightdm started I ran

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today | less

type=USER_AVC msg=audit(1536182050.395:387): pid=706 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=762 tpid=1199 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

When I ran sudo systemctl disable gdm then sudo systemctl enable lightdm and rebooted the system, I didn't see those denials, I think since lightdm didn't start boltd.

I've attached the output of sudo ausearch -m AVC,USER_AVC,SELINUX_ERR for a boot where the process of starting the system with gdm and then switching to lightdm happened.

Version-Release number of selected component (if applicable):
dbus-1:1.12.10-1.fc28.i686
gdm-1:3.28.4-1.fc28.i686
lightdm-0:1.28.0-1.fc28.i686
polkit-0:0.115-1.fc28.i686
selinux-policy-0:3.14.1-40.fc28.noarch

How reproducible:
Always

Steps to Reproduce:
1. If F28 isn't fully updated, run sudo dnf upgrade --refresh with updates-testing enabled
2. If gdm and lightdm aren't installed, run sudo dnf install gdm lightdm
3. If gdm isn't enabled, run sudo systemctl disable <current display manager> then sudo systemctl enable gdm
4. Reboot the system
5. Log in to Plasma or another DE
6. In Konsole or another terminal program, run sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today | less
7. sudo systemctl stop gdm
8. sudo systemctl start lightdm
9. In Konsole or another terminal program, run sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today | less

Actual results:
selinux denials involving boltd, gdm, polkit, and dbus when gdm and lightdm start.

Expected results:
No selinux denials when gdm and lightdm start.
*** This bug has been marked as a duplicate of bug 1625285 ***
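For triaging output like the ausearch records quoted in the report, the following added example (not part of the original report or of any Fedora tooling) groups dbus USER_AVC denials by source type, target type, class and permission, and separates records with permissive=0 from those with permissive=1. The sample records are constructed in the same field layout; the helper names `_rec`, `selinux_type` and `summarize` are hypothetical.

```python
import re
from collections import Counter

def _rec(n, perm, src, tgt, permissive):
    # Builds one constructed USER_AVC record; timestamps and pids are made up.
    return (f"type=USER_AVC msg=audit(1000000000.{n}:{n}): pid=700 uid=81 "
            f"subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
            f"msg='avc:  denied  {{ {perm} }} for spid=1100 "
            f"scontext=system_u:system_r:{src} tcontext=system_u:system_r:{tgt} "
            f"tclass=dbus permissive={permissive} exe=\"/usr/bin/dbus-daemon\"'")

SAMPLE = "\n".join([
    _rec(101, "send_msg", "boltd_t:s0", "policykit_t:s0", 1),
    _rec(102, "send_msg", "policykit_t:s0", "boltd_t:s0", 0),
    _rec(103, "send_msg", "policykit_t:s0", "boltd_t:s0", 0),
    _rec(104, "acquire_svc", "boltd_t:s0", "system_dbusd_t:s0-s0:c0.c1023", 1),
    "type=SERVICE_START msg=audit(1000000000.105:105): pid=1 uid=0",  # not an AVC
])

AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+"
    r"tclass=(?P<cls>\S+)\s+permissive=(?P<p>[01])")

def selinux_type(context):
    # A context is user:role:type:level[:categories]; the type is field 3.
    return context.split(":")[2]

def summarize(text):
    """Count denials per (source type, target type, class, perm, enforced)."""
    counts = Counter()
    for line in text.splitlines():
        if not line.startswith("type=USER_AVC"):
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        enforced = m["p"] == "0"  # permissive=0: the access was blocked
        for perm in m["perms"].split():
            key = (selinux_type(m["s"]), selinux_type(m["t"]),
                   m["cls"], perm, enforced)
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perm, enforced), n in sorted(summarize(SAMPLE).items()):
        state = "blocked" if enforced else "logged only"
        print(f"{n:3d}  {src} -> {tgt}  {cls}:{perm}  ({state})")
```

Feeding it the text output of `sudo ausearch -m AVC,USER_AVC,SELINUX_ERR` instead of `SAMPLE` gives one row per distinct denial, which makes repeated records such as the polkit-to-boltd signal easy to spot.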