Description of problem:
Happened while logging into the system.

SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-7hye6voX3Y.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that gnome-session-c should be allowed write access on the dbus-7hye6voX3Y sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-session-c' --raw | audit2allow -M my-gnomesessionc
# semodule -X 300 -i my-gnomesessionc.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                dbus-7hye6voX3Y [ sock_file ]
Source                        gnome-session-c
Source Path                   gnome-session-c
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.13-300.fc34.x86_64 #1 SMP Sun Apr 11 15:07:42 UTC 2021 x86_64 x86_64
Alert Count                   32
First Seen                    2021-04-14 10:20:59 ACST
Last Seen                     2021-04-15 06:48:34 ACST
Local ID                      d4b05193-20a3-4bf2-a633-dc13ef23afbe

Raw Audit Messages
type=AVC msg=audit(1618435114.178:589): avc: denied { write } for pid=1682 comm="gsd-color" name="dbus-7hye6voX3Y" dev="tmpfs" ino=59 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

Hash: gnome-session-c,xdm_t,tmp_t,sock_file,write

Version-Release number of selected component:
selinux-policy-targeted-34.3-1.fc34.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.14.0
hashmarkername: setroubleshoot
kernel: 5.11.13-300.fc34.x86_64
type: libreport
Similar problem has been detected: Happens every time I log into a GNOME session (Xorg, if that matters). hashmarkername: setroubleshoot kernel: 5.11.13-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-B6LDpHB9pK. type: libreport
*** Bug 1950642 has been marked as a duplicate of this bug. ***
Similar problem has been detected: F34 testing, clean install f34 server, dnf group install "Fedora Workstation" login, install some apps, point ff at cockpit, spin up a container, logout. hashmarkername: setroubleshoot kernel: 5.11.12-300.fc34.aarch64 package: selinux-policy-targeted-34-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-wWVTPGCBgB. type: libreport
Similar problem has been detected: After login into Cinnamon hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-fhn9EU9tAf. type: libreport
*** Bug 1956802 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Shows up on boot after upgrading to Fedora 34. hashmarkername: setroubleshoot kernel: 5.11.17-300.fc34.x86_64 package: selinux-policy-targeted-34.4-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-w2wJTPzxCu. type: libreport
Similar problem has been detected: Log in to GNOME hashmarkername: setroubleshoot kernel: 5.11.17-300.fc34.x86_64 package: selinux-policy-targeted-34.4-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-iiIAGHOXaB. type: libreport
Similar problem has been detected: Happens right after a normal boot hashmarkername: setroubleshoot kernel: 5.12.9-300.fc34.x86_64 package: selinux-policy-targeted-34.11-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-DYc1JVls2z. type: libreport
Similar problem has been detected: Happens every boot after login. hashmarkername: setroubleshoot kernel: 5.12.10-300.fc34.x86_64 package: selinux-policy-targeted-34.11-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-uUd7l3I7Bm. type: libreport
I get this same problem - among other selinux problems that really should have been seen in testing & not allowed to get this far. How can we encourage better pre-release testing?

type=AVC msg=audit(15/06/21 22:00:19.863:669) : avc: denied { write } for pid=1081 comm=gnome-session-c name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:20.689:670) : avc: denied { write } for pid=1102 comm=gnome-shell name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:21.315:685) : avc: denied { write } for pid=1134 comm=ibus-x11 name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:21.992:692) : avc: denied { write } for pid=1232 comm=gsd-media-keys name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:21.995:693) : avc: denied { write } for pid=1242 comm=gsd-power name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:22.006:694) : avc: denied { write } for pid=1215 comm=gsd-wacom name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:22.021:695) : avc: denied { write } for pid=1219 comm=gsd-color name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(15/06/21 22:00:22.040:696) : avc: denied { write } for pid=1222 comm=gsd-keyboard name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
More today after boot/login...

type=AVC msg=audit(21/06/21 08:25:33.396:669) : avc: denied { write } for pid=1080 comm=gnome-session-c name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:34.189:670) : avc: denied { write } for pid=1102 comm=gnome-shell name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:34.744:684) : avc: denied { write } for pid=1130 comm=ibus-x11 name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:35.261:692) : avc: denied { write } for pid=1231 comm=gsd-media-keys name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:35.269:693) : avc: denied { write } for pid=1220 comm=gsd-keyboard name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:35.285:694) : avc: denied { write } for pid=1213 comm=gsd-wacom name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:35.305:695) : avc: denied { write } for pid=1217 comm=gsd-color name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(21/06/21 08:25:35.373:696) : avc: denied { write } for pid=1243 comm=gsd-power name=dbus-2EbzofzkPG dev="tmpfs" ino=43 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
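The denials quoted in the comments above differ only in pid and comm. As an added example (not part of the original comments, and not setroubleshoot's own code), the following Python groups AVC records by source type, target type, object class and permission, the same fields that appear on the report's "Hash:" line, so one policy gap shows up as one entry. The function names and the last sample record are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input. The first three records are copied from this report (both the
# raw and the "ausearch -i" style); the last one is CONSTRUCTED for contrast.
CTX = "scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0"
SAMPLE = "\n".join([
    'type=AVC msg=audit(1618435114.178:589): avc: denied { write } for pid=1682 comm="gsd-color" name="dbus-7hye6voX3Y" dev="tmpfs" ino=59 ' + CTX,
    'type=AVC msg=audit(15/06/21 22:00:19.863:669) : avc: denied { write } for pid=1081 comm=gnome-session-c name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 ' + CTX,
    'type=AVC msg=audit(15/06/21 22:00:20.689:670) : avc: denied { write } for pid=1102 comm=gnome-shell name=dbus-i1j6NBZFlC dev="tmpfs" ino=43 ' + CTX,
    'type=AVC msg=audit(1618435200.000:700): avc:  denied  { read open } for  pid=2000 comm="example-daemon" name="example.conf" dev="dm-0" ino=100 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
])

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()  # "{ read open }" carries several
    return fields

def sel_type(context):
    """user:role:type:level[:categories] -> the type, which policy rules key on."""
    return context.split(":")[2]

def group_denials(text):
    """Map (source type, target type, class, permission) -> sorted comm names."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"], perm)
            groups[key].add(rec["comm"])
    return {key: sorted(comms) for key, comms in groups.items()}

if __name__ == "__main__":
    for key, comms in group_denials(SAMPLE).items():
        print(",".join(key), "<-", ", ".join(comms))
```
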
Similar problem has been detected: Logged in after upgrade from F33 to F34 hashmarkername: setroubleshoot kernel: 5.12.12-300.fc34.x86_64 package: selinux-policy-targeted-34.11-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-YdsL6u9Bx8. type: libreport
Similar problem has been detected: The alert was present on the desktop following waking my laptop following it being in sleep mode overnight. The system did not immediately "wake" when the lid was opened but after about a minute its screen did wake to the login. hashmarkername: setroubleshoot kernel: 5.12.9-300.fc34.x86_64 package: selinux-policy-targeted-34.11-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-MSFZRjTpPp. type: libreport
Similar problem has been detected: After upgrade FC33 > FC34. sudo dnf clean all sudo dnf upgrade 'reboot' - Notification popped up just after reboot. hashmarkername: setroubleshoot kernel: 5.12.15-300.fc34.x86_64 package: selinux-policy-targeted-34.14-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-90jnT2K2Dg. type: libreport
Similar problem has been detected: Notification comes up at almost every bootup hashmarkername: setroubleshoot kernel: 5.12.15-300.fc34.x86_64 package: selinux-policy-targeted-34.14-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-XyYkgNOyzl. type: libreport
Similar problem has been detected: I logged into Gnome. I have Dash-to-Panel and ArcMenu installed. hashmarkername: setroubleshoot kernel: 5.12.15-300.fc34.x86_64 package: selinux-policy-targeted-34.14-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-EeqOoNTQ2T. type: libreport
Is this actually getting any attention?
Similar problem has been detected: just on boot lenovo t14 hashmarkername: setroubleshoot kernel: 5.13.4-200.fc34.x86_64 package: selinux-policy-targeted-34.14-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-Msb5EppAcx. type: libreport
This seems to be hitting lots of users on Fedora 34. I thought that one of the release criteria is that there are no SELinux warnings, but this has been going on for a while (starting at some point before Fedora 34 GA). Nominating as prioritized bug so it might finally get more attention.
*** Bug 1989436 has been marked as a duplicate of this bug. ***
*** Bug 1991771 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Not sure how this happened. hashmarkername: setroubleshoot kernel: 5.12.15-300.fc34.x86_64 package: selinux-policy-targeted-34.14-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-1PiQVx7vSB. type: libreport
This bug will get prio. If we see this on F35 composes as we start testing those, it will be proposed as an F35 blocker. :mattdm :bcotton :decathorpe //bittin
At today's Prioritized Bugs meeting, we agreed to accept this as a prioritized bug: https://meetbot.fedoraproject.org/fedora-meeting-1/2021-08-11/fedora_prioritized_bugs_and_issues.2021-08-11-15.00.html If the behavior is observed in F35 composes as we start testing those, it will be nominated as an F35 blocker.
Fedora QA historically interprets release criterion "SELinux and crash notifications" as being a GUI notification, not a journal entry. The idea is that the criterion exists for polish, it's a bad look to have product go out the door with notifications popping up. The AVC denial itself isn't necessarily a bug, it might be preventing something nefarious from happening, and you'd expect that it'd be logged. So the log showing the AVC denial also can't inherently be a blocker. Instead, as it relates to F35, the AVC denial inhibiting proper basic functionality of a bundled program (or the desktop itself) would be a blocker under the criterion "Default application functionality". I came across bug 1991077 which also involves an selinux AVC, but might affect non-GUI Fedora variants.
with notifications popping up... ^that suggest the product is broken/flawed/compromised etc.
I agree - IT IS broken/flawed for something like this to be "released".
If it is compromised, then that should also be something we can consider in investigating it!
*** Bug 1993576 has been marked as a duplicate of this bug. ***
*** Bug 1996235 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Login in gnome on fedora 34 hashmarkername: setroubleshoot kernel: 5.13.10-200.fc34.x86_64 package: selinux-policy-targeted-34.16-1.fc34.noarch reason: SELinux is preventing gnome-session-c from 'write' accesses on the sock_file dbus-DyDczuQdiN. type: libreport
There is more info here.... Bug 1997409 (https://bugzilla.redhat.com/show_bug.cgi?id=1997409) I think it's related.
(In reply to John Dodson from comment #32)
> There is more info here....
>
> Bug 1997409 (https://bugzilla.redhat.com/show_bug.cgi?id=1997409)
>
> I think it's related.

At first read that seems to be an unrelated crash and error -- if there's a connection I'm missing, can you please elaborate?
They happened at exactly the same time & a particular ebay page crashes the firefox tab & generates the card0 selinux error. Ah, oops I'm mixing the card0 & dbus errors! Sorry!
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/851 There are rpms available for testing: Show all checks -> build-rpm -> Details -> Artifacts -> rpms
*** Bug 1941853 has been marked as a duplicate of this bug. ***
Similar problem has been detected: after each reboot hashmarkername: setroubleshoot kernel: 5.13.12-200.fc34.x86_64 package: selinux-policy-targeted-34.16-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-2QqMgicqkL. type: libreport
I've submitted a Fedora PR to update the policy: https://github.com/fedora-selinux/selinux-policy/pull/858 There are rpms available for testing: Show all checks -> build-rpm -> Details -> Artifacts -> rpms On my F34 vm, no denial appears.
Merged:

commit d46a9c022910e88b0c30184d6a4f9e14cdb811c1 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Sep 1 17:24:44 2021 +0200

    Allow communication between at-spi and gdm processes
*** Bug 2001147 has been marked as a duplicate of this bug. ***
FEDORA-2021-ad4033a9b0 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ad4033a9b0
Similar problem has been detected: These error messages appeared when the desktop was loaded after the reboot consequent to KDE Plasma installation hashmarkername: setroubleshoot kernel: 5.11.12-300.fc34.x86_64 package: selinux-policy-targeted-34.16-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-oLcYNf2nIf. type: libreport
FEDORA-2021-ad4033a9b0 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ad4033a9b0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ad4033a9b0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-ad4033a9b0 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
Similar problem has been detected: Upon system restart, received the SELinux alert hashmarkername: setroubleshoot kernel: 5.13.14-200.fc34.x86_64 package: selinux-policy-targeted-34.16-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-WDRZfrLGGy. type: libreport
Similar problem has been detected: Happened after the machine was put to sleep. Two users were logged in to two separate GNOME sessions at the time. hashmarkername: setroubleshoot kernel: 5.13.12-200.fc34.x86_64 package: selinux-policy-targeted-34.16-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'write' accesses on the sock_file dbus-ByBKnw1jwM. type: libreport