Description of problem:
This alert started happening as soon as the system was rebooted after setroubleshoot was installed. Installing setroubleshoot was the only change made to the system after the WS Bets 0214 was installed. This is on a bare metal system.

SELinux is preventing gmain from 'watch' accesses on the directory /etc/gdm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gmain should be allowed watch access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gmain' --raw | audit2allow -M my-gmain
# semodule -X 300 -i my-gmain.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:xdm_etc_t:s0
Target Objects                /etc/gdm [ dir ]
Source                        gmain
Source Path                   gmain
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           gdm-3.38.2.1-2.fc34.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.7-20.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-20.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.0-0.rc7.149.fc34.x86_64 #1 SMP Mon Feb 8 16:23:47 UTC 2021 x86_64 x86_64
Alert Count                   347
First Seen                    2021-02-14 16:06:41 EST
Last Seen                     2021-02-14 16:32:34 EST
Local ID                      b01cdf9c-e54b-4c28-9f56-79bb4a12681c

Raw Audit Messages
type=AVC msg=audit(1613338354.706:989): avc: denied { watch } for pid=742 comm="gmain" path="/etc/gdm" dev="sda2" ino=343 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=dir permissive=0

Hash: gmain,accountsd_t,xdm_etc_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-20.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.0-0.rc7.149.fc34.x86_64
type:           libreport
Potential duplicate: bug 1928546
Same problem here after upgrading from 33 to 34 (prerelease). Exactly the same AVC message. I cannot log in as the GDM screen appears for a second and then becomes black. I entered tty2, added a local policy module (as described above) and rebooted. I don't see the AVC denial anymore, but still I can't log in. In the logs I see several systemd-coredump messages about gsd-keyboard, gsd-power, gsd-wacom, gsd-color, gsd-media-keys. I'll investigate tonight.
I observed this on aarch64 (Raspberry Pi 3b+) with 20210219.n.0 workstation compose[0] as well.
[0] - https://kojipkgs.fedoraproject.org/compose/branched/Fedora-34-20210219.n.0/compose/Workstation/aarch64/images/Fedora-Workstation-34-20210219.n.0.aarch64.raw.xz
Exists on:
5.11.0-156.fc34.x86_64
gdm-3.38.2.1-2.fc34.x86_64
selinux-policy-3.14.7-22.fc34.noarch
selinux-policy-minimum-3.14.7-22.fc34.noarch
selinux-policy-targeted-3.14.7-22.fc34.noarch
*** This bug has been marked as a duplicate of bug 1928546 ***