Bug 1628857 - Weird interaction with orca and the selinux policy
Summary: Weird interaction with orca and the selinux policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-14 08:12 UTC by Lukáš Tyrychtr
Modified: 2018-09-17 08:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-09-17 08:10:46 UTC
Type: Bug
Embargoed:


Attachments
Selinux denials (39.58 KB, text/plain)
2018-09-14 08:52 UTC, Lukáš Tyrychtr

Description Lukáš Tyrychtr 2018-09-14 08:12:36 UTC
Description of problem:
For some reason, when selinux is in enforcing mode, no outside events get to the orca screen reader (key presses, focus changes).

Version-Release number of selected component (if applicable):
Selinux-policy 3.14.2-32

How reproducible:
Always

Steps to Reproduce:
1. Ensure that selinux is in enforcing mode
2. Start orca through the gnome autostart facility

Actual results:
Orca does not work and a probably related message in its log:
Sep 13 13:43:53 believer orca[2381]: AT-SPI: Error in GetItems, sender=(null), error=Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply

However, ausearch -p 2381 has no matches. However, when selinux is in permissive mode, Orca works...

Expected results:
Orca works and no error is printed when enforcing mode is in effect.

Comment 1 Milos Malik 2018-09-14 08:44:19 UTC
Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Based on "Did not receive a reply" messages, there will be SELinux denials (USER_AVC) related to D-bus.

Comment 2 Lukáš Tyrychtr 2018-09-14 08:52:52 UTC
Created attachment 1483251
Selinux denials

Yes, the denials are plenty, I just did not see the others because I did not use liberal enough filters, but this is corrected there.
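
The `ausearch -p 2381` search in the description and the broader collection command in Comment 1 can match different records. As an added example (not part of this bug thread or of any Fedora tooling), the Python below filters raw audit lines for D-Bus USER_AVC denials in which a given PID is one of the two peers. It assumes the usual dbus-daemon record layout, where `pid=` is the bus daemon that logged the record and the peers appear as `spid=`/`tpid=`; the sample records, PIDs and SELinux types are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in raw (non -i) audit format. PIDs, bus names and the
# example_*_t SELinux types are invented for illustration.
SAMPLE = """\
type=USER_AVC msg=audit(1536846233.101:310): pid=1012 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.40 spid=2100 tpid=2381 scontext=system_u:system_r:example_app_t:s0 tcontext=unconfined_u:unconfined_r:example_reader_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1536846233.204:311): pid=1012 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call member=GetItems dest=:1.12 spid=2381 tpid=2100 scontext=unconfined_u:unconfined_r:example_reader_t:s0 tcontext=system_u:system_r:example_app_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1536846233.300:312): pid=1012 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=signal dest=:1.7 spid=3000 tpid=3001 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:system_r:example_other_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1536846234.500:313): avc:  denied  { read } for  pid=3000 comm="example" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:example_app_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

def parse_dbus_denial(line):
    """Return the fields of a USER_AVC D-Bus denial as a dict, else None."""
    if not line.startswith("type=USER_AVC") or "tclass=dbus" not in line:
        return None
    perm = PERM.search(line)
    if perm is None:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        # Keep the first occurrence: the outer pid= is the logging daemon.
        fields.setdefault(key, value.strip("\"'"))
    fields["perm"] = perm.group(1)
    return fields

def denials_involving(pid, lines):
    """D-Bus denials where `pid` is the sender (spid) or target (tpid)."""
    pid = str(pid)
    hits = []
    for line in lines:
        rec = parse_dbus_denial(line)
        if rec and pid in (rec.get("spid"), rec.get("tpid")):
            hits.append(rec)
    return hits

def summarize(records):
    """Count denials per (permission, msgtype, scontext, tcontext)."""
    return Counter((r["perm"], r.get("msgtype"), r["scontext"], r["tcontext"])
                   for r in records)

if __name__ == "__main__":
    for key, count in summarize(denials_involving(2381, SAMPLE.splitlines())).items():
        print(count, *key)
```

On a live system the same functions can be fed the output of `ausearch -m user_avc --raw` instead of the embedded sample.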

Comment 3 Lukáš Tyrychtr 2018-09-17 07:13:03 UTC
Hello. The last update of the selinux policy and the rest of the packages (basically the last f29 compose which got to the repos) fixed the bug. But if you could still identify the root cause and through some QA or I do not know what sort of processes make sure that it does not appear again...

Comment 4 Lukas Vrabec 2018-09-17 08:10:46 UTC
Hi, 

Yes, I saw that a lot of SELinux denials from your report are already fixed.

Let's close this ticket and if you catch it again, feel free to re-open it.

Thanks,
Lukas.
