Bug 1931131 - Can't start sway wm as user_u
Summary: Can't start sway wm as user_u
Keywords:
Status: CLOSED DUPLICATE of bug 1878094
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-20 20:41 UTC by Petr Lautrbach
Modified: 2021-06-09 06:05 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-06-09 06:05:01 UTC
Type: Bug
Embargoed:



Description Petr Lautrbach 2021-02-20 20:41:31 UTC
Description of problem:

1. Run 'exec systemctl --wait --user start sway.service'

2. 'ausearch -m avc,user_avc,selinux_err -ts boot | audit2allow -M localfromaudit2allow'  

3. # /usr/libexec/selinux/hll/pp localfromaudit2allow.pp
(typeattributeset cil_gen_require user_tmp_t)
(typeattributeset cil_gen_require fonts_t)
(typeattributeset cil_gen_require utempter_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require user_dbusd_t)
(typeattributeset cil_gen_require user_t)
(typeattributeset cil_gen_require user_gkeyringd_t)
(typeattributeset cil_gen_require device_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require gpg_agent_t)
(typeattributeset cil_gen_require avahi_t)
(allow avahi_t etc_t (dir (watch)))
(allow gpg_agent_t sysfs_t (filesystem (getattr)))
(allow gpg_agent_t user_t (unix_stream_socket (getattr ioctl)))
(allow user_gkeyringd_t self (process (setsched)))
(allow user_gkeyringd_t user_dbusd_t (unix_stream_socket (getattr)))
(allow user_t device_t (dir (watch)))
(allow user_t fonts_t (dir (watch)))
(allow user_t self (netlink_generic_socket (bind create setopt)))
(allow user_t sysfs_t (dir (watch)))
(allow user_t sysfs_t (file (watch watch_reads)))
(allow user_t user_tmp_t (chr_file (create)))
(allow user_t user_tmp_t (dir (create)))
(allow user_t user_tmp_t (fifo_file (create)))
(allow user_t user_tmp_t (file (create)))
(allow user_t user_tmp_t (lnk_file (create)))
(allow user_t user_tmp_t (sock_file (create)))
(allow utempter_t user_t (unix_stream_socket (getattr)))


Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-2.20210219_212512.b471a50.fc35.noarch


Comment 1 Petr Lautrbach 2021-02-21 07:45:31 UTC
#============= user_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain chr_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:chr_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain fifo_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:fifo_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain lnk_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:lnk_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain sock_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:sock_file create;
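
Added example (not part of the original report and not selinux-policy code): a triage of audit2allow output like that in comment 1, separating rules a local module could grant from rules blocked by a policy constraint, where audit2allow itself notes that the source or target attributes would have to change. The function name `triage` and the embedded sample, built from rules shown in this report, are assumptions of this example.

```python
import re

# Constructed sample in audit2allow's .te output format, using rules from this report.
SAMPLE = """\
#============= user_t ==============
allow user_t fonts_t:dir watch;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain sock_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:sock_file create;
"""

RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")
FAILED = re.compile(r"\(([^()]+?)\s+-Fail-\)")   # sub-expressions marked -Fail-
CAUSE = re.compile(r"^#\s*Possible cause is (.+)$")

def triage(te_text):
    """Split audit2allow output into plain TE rules and rules that
    audit2allow flagged as constraint violations."""
    results, pending = [], None
    for line in te_text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!") and "constraint violation" in line:
            pending = {"failed": [], "cause": None}   # annotations for the next rule
        elif pending is not None and line.startswith("#"):
            pending["failed"] += FAILED.findall(line)
            m = CAUSE.match(line)
            if m:
                pending["cause"] = m.group(1)
        else:
            m = RULE.match(line)
            if m:
                src, tgt, cls, perms = m.groups()
                results.append({
                    "rule": (src, tgt, cls, perms.strip("{} ").split()),
                    "constraint": pending is not None,
                    "failed": pending["failed"] if pending else [],
                    "cause": pending["cause"] if pending else None,
                })
                pending = None
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        tag = "CONSTRAINT" if r["constraint"] else "TE rule"
        print(tag, r["rule"], r["failed"], r["cause"] or "")
```
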

Comment 2 Milos Malik 2021-02-22 16:39:14 UTC
Can you check if the SELinux denials on your machine are similar to those mentioned in comment#4 of https://bugzilla.redhat.com/show_bug.cgi?id=1878094 ?

Comment 3 Petr Lautrbach 2021-06-09 06:05:01 UTC

*** This bug has been marked as a duplicate of bug 1878094 ***

