Bug 1928547 - SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:4da62ef1239436c606c77c3a5be...
Duplicates: 1928560 1941672
Blocks: 1939028
Reported: 2021-02-14 20:12 UTC by Mikhail
Modified: 2021-09-09 15:30 UTC

Last Closed: 2021-09-09 15:30:37 UTC



Description Mikhail 2021-02-14 20:12:32 UTC
Description of problem:
SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dbus-daemon should be allowed watch access on the session.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dbus-daemon' --raw | audit2allow -M my-dbusdaemon
# semodule -X 300 -i my-dbusdaemon.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dbusd_etc_t:s0
Target Objects                /etc/dbus-1/session.d [ dir ]
Source                        dbus-daemon
Source Path                   dbus-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           dbus-common-1.12.20-3.fc34.noarch
SELinux Policy RPM            selinux-policy-targeted-3.14.8-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-3.14.8-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.11.0-0.rc7.20210212git291009f656
                              e8.151.fc35.x86_64 #1 SMP Fri Feb 12 13:02:28 UTC
                              2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-02-15 01:01:36 +05
Last Seen                     2021-02-15 01:04:20 +05
Local ID                      8d736164-73e1-4424-b2a7-7282e81449d8

Raw Audit Messages
type=AVC msg=audit(1613333060.966:547): avc:  denied  { watch } for  pid=1542 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="nvme0n1p2" ino=134320398 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=1


Hash: dbus-daemon,xdm_t,dbusd_etc_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.8-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.0-0.rc7.20210212git291009f656e8.151.fc35.x86_64
type:           libreport
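
Added illustration (not part of the original report, and not the fix that went into selinux-policy): the Python below parses the raw AVC record from the description, rebuilds the report's Hash line and the single allow rule the denial corresponds to, and shows why selecting records only by comm ('dbus-daemon'), as the suggested ausearch command does, can pull unrelated denials into a local module. The second record and the type example_conf_t are constructed for the example.

```python
import re

# Record copied from "Raw Audit Messages" in this report.
REPORTED = ('type=AVC msg=audit(1613333060.966:547): avc:  denied  { watch } for  '
            'pid=1542 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="nvme0n1p2" '
            'ino=134320398 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=1')
# Constructed record (not from the report): an unrelated denial with the same comm.
# example_conf_t is a made-up type.
UNRELATED = ('type=AVC msg=audit(1613333061.000:548): avc:  denied  { read } for  '
             'pid=1542 comm="dbus-daemon" name="example.conf" dev="nvme0n1p2" ino=1 '
             'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
             'tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict; raise ValueError on other record types."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    avc['result'], avc['perms'] = m.group(1), m.group(2).split()
    # A context is user:role:type:level; only the type appears in an allow rule.
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc

def signature(avc):
    """comm,source type,target type,class,permission: the fields of the report's Hash line."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms'])])

def te_rule(avc):
    """The type-enforcement rule that would permit exactly this access."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perms};"

def was_blocked(avc):
    """True only when the record says permissive=0; permissive=1 means logged, not blocked."""
    return avc['result'] == 'denied' and avc.get('permissive') == '0'

def rules_for(lines, wanted_signature):
    """Rules for records matching one signature, ignoring other denials from the same comm."""
    return sorted({te_rule(a) for a in map(parse_avc, lines) if signature(a) == wanted_signature})

if __name__ == '__main__':
    for line in (REPORTED, UNRELATED):
        a = parse_avc(line)
        print(signature(a), '|', te_rule(a), '| blocked:', was_blocked(a))
```

The reported record carries permissive=1, consistent with the "Enforcing Mode Permissive" line above: the denial was logged but the access was not blocked on the reporter's system.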

Comment 1 Lee Packham 2021-02-16 08:23:08 UTC
This bug affects Fedora 34 as well. The solution by 'catchall' resolves it.

In Fedora Workstation this results in an upgraded machine not being able to boot to the desktop at all.

Comment 2 Zdenek Pytela 2021-02-22 21:42:13 UTC
*** Bug 1928560 has been marked as a duplicate of this bug. ***

Comment 3 Pat Kelly 2021-02-26 16:19:40 UTC
Similar problem has been detected:

Second reboot after install. I had been installing additional software.

hashmarkername: setroubleshoot
kernel:         5.11.1-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-23.fc34.noarch
reason:         SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.
type:           libreport

Comment 4 Vasco Rodrigues 2021-03-01 10:12:16 UTC
Similar problem has been detected:

System start and login

hashmarkername: setroubleshoot
kernel:         5.11.2-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-23.fc34.noarch
reason:         SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.
type:           libreport

Comment 5 Pat Kelly 2021-03-05 13:53:28 UTC
Similar problem has been detected:

This shows up right after a restart. I have setroubleshoot loaded.

hashmarkername: setroubleshoot
kernel:         5.11.2-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-24.fc34.noarch
reason:         SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.
type:           libreport

Comment 6 Adam Williamson 2021-03-18 19:34:13 UTC
Similar problem has been detected:

Happens during boot of current Fedora 34 Workstation.

hashmarkername: setroubleshoot
kernel:         5.11.6-300.fc34.x86_64
package:        selinux-policy-targeted-3.14.7-25.fc34.noarch
reason:         SELinux is preventing dbus-daemon from 'watch' accesses on the directory /etc/dbus-1/session.d.
type:           libreport

Comment 7 Zdenek Pytela 2021-03-19 07:40:32 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/646

Comment 8 Zdenek Pytela 2021-03-22 17:43:08 UTC
*** Bug 1941672 has been marked as a duplicate of this bug. ***

