Bug 1928565 - SELinux is preventing gmain from 'watch' accesses on the directory /etc/gdm.
Summary: SELinux is preventing gmain from 'watch' accesses on the directory /etc/gdm.
Keywords:
Status: CLOSED DUPLICATE of bug 1928546
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f4707e2b593ca94abd25e9e7df4...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-02-14 21:33 UTC by Pat Kelly
Modified: 2021-03-09 11:32 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-23 20:40:51 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Pat Kelly 2021-02-14 21:33:21 UTC
Description of problem:
This alert started happeniing as soon as the system was rebooted after setroubleshoot was installed. Installing setrouble shoot was the only change made to the system after the WS Bets 0214 was installed. This is on a bare metal system.
SELinux is preventing gmain from 'watch' accesses on the directory /etc/gdm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gmain should be allowed watch access on the gdm directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gmain' --raw | audit2allow -M my-gmain
# semodule -X 300 -i my-gmain.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:xdm_etc_t:s0
Target Objects                /etc/gdm [ dir ]
Source                        gmain
Source Path                   gmain
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           gdm-3.38.2.1-2.fc34.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.7-20.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-20.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.0-0.rc7.149.fc34.x86_64 #1
                              SMP Mon Feb 8 16:23:47 UTC 2021 x86_64 x86_64
Alert Count                   347
First Seen                    2021-02-14 16:06:41 EST
Last Seen                     2021-02-14 16:32:34 EST
Local ID                      b01cdf9c-e54b-4c28-9f56-79bb4a12681c

Raw Audit Messages
type=AVC msg=audit(1613338354.706:989): avc:  denied  { watch } for  pid=742 comm="gmain" path="/etc/gdm" dev="sda2" ino=343 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:xdm_etc_t:s0 tclass=dir permissive=0


Hash: gmain,accountsd_t,xdm_etc_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-20.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.0-0.rc7.149.fc34.x86_64
type:           libreport

Potential duplicate: bug 1928546

Comment 1 Federico Bruni 2021-02-19 16:32:35 UTC
Same problem here after upgrading from 33 to 34 (prerelease). Exactly the same AVC message.
I cannot log in as the GDM screen appears for a second and then becomes black.

I entered tty2, added a local policy module (as described above) and rebooted.
I don't see the AVC denial anymore, but still I can't log in.
In the logs I see several systemd-coredump messages about gsd-keyboard, gsd-power, gsd-wacom, gsd-color, gsd-media-keys.
I'll investigate tonight.

Comment 2 Brandon Nielsen 2021-02-21 15:20:49 UTC
I observed this on aarch64 (Raspberry Pi 3b+) with 20210219.n.0 workstation compose[0] as well.

[0] - https://kojipkgs.fedoraproject.org/compose/branched/Fedora-34-20210219.n.0/compose/Workstation/aarch64/images/Fedora-Workstation-34-20210219.n.0.aarch64.raw.xz

Comment 3 Andrey Motoshkov 2021-02-22 07:22:55 UTC
Exists on:
5.11.0-156.fc34.x86_64
gdm-3.38.2.1-2.fc34.x86_64
selinux-policy-3.14.7-22.fc34.noarch
selinux-policy-minimum-3.14.7-22.fc34.noarch
selinux-policy-targeted-3.14.7-22.fc34.noarch

Comment 4 Zdenek Pytela 2021-02-23 20:40:51 UTC

*** This bug has been marked as a duplicate of bug 1928546 ***


Note You need to log in before you can comment on or make changes to this bug.