Bug 1955694 - SELinux is preventing gnome-shell from watch access on the directory path_to_NFS_home_dir (NFS export)
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-shell
Version: 34
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Florian Müllner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-30 16:49 UTC by Francesco Simula
Modified: 2021-04-30 16:49 UTC
CC: 5 users

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description Francesco Simula 2021-04-30 16:49:28 UTC
Description of problem:
Medium to large quantities of this message spamming the log journal:
"SELinux is preventing gnome-shell from watch access on the directory...", where the directory is the path to the NFS-exported home of a user who was logged in and has since logged out.
This appeared on three different boxes as soon as they were upgraded to Fedora 34.

Output of ausearch:
type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="path_to_homedir_of_user" dev="0:55" ino=137711740434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
Version-Release number of selected component (if applicable):

There seems to be no other effect than this log spam...

How reproducible:
Always

Steps to Reproduce:
1. User logs in, then out
2. Log in as root via SSH and check the log journal

Actual results:
Hundreds to thousands of these unexpected messages start appearing in the journal log:
type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="path_to_homedir_of_user" dev="0:55" ino=137711740434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

Expected results:
No such messages should be appearing

Additional info:
I don't know what 'gmain' is - the PID is the property of the 'gnome-shell' application.
I can understand the 'gnome-shell' application trying to access the home of a user when logged in, not after logout - the only thing I can think of is that it's trying to access the '.face' files again that store the user mugshots displayed in the GDM greeter screen (we have those in our NFS-exported homes), but then why does the message pertain to the homedir path instead of the specific file, and why is it expecting to find a file in the home of a user with SELinux context xdm_t instead of user_home_dir_t, which is what is found?


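For anyone triaging this, an added example that is not part of the bug report and not code from gnome-shell, GDM or selinux-policy: a POSIX shell helper that pulls the policy-relevant fields out of an AVC record like the one quoted above, prints the type-enforcement rule that audit2allow would generate for it, and tallies a stream of such records so the "hundreds to thousands" of denials collapse into the handful of distinct rules they represent. Reading the record: scontext is the SELinux context of the process that was denied (the greeter's gnome-shell runs in the xdm_t domain) and tcontext is the label of the directory it touched, so the denial is xdm_t being refused watch on a user_home_dir_t directory, not a home directory that policy expects to be xdm_t; comm is the kernel's 16-character thread name, and "gmain" is the name GLib gives its main-context worker thread, which is why it is not "gnome-shell". The sample record is the one from the report (its path was already elided there); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from gnome-shell/GDM.
# Parses AVC denial records (as printed by `ausearch -m AVC` or seen in the
# journal) and prints the allow rule audit2allow would generate for each one.

# Constructed sample: the record quoted in the report, path elided as in the report.
AVC_SAMPLE='type=AVC msg=audit(1619797658.061:2299): avc:  denied  { watch } for  pid=1727 comm="gmain" path="path_to_homedir_of_user" dev="0:55" ino=137711740434 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY: print the value of the space-separated KEY=VALUE token, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD: print the permission names listed inside "{ ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# selinux_type CONTEXT: the type field of a user:role:type[:range] context.
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_enforced RECORD: succeed when the denial was enforced (permissive=0),
# fail when the domain was permissive and the access actually went through.
avc_enforced() {
  [ "$(avc_field "$1" permissive)" = "0" ]
}

# avc_to_rule RECORD: print "allow SRC_TYPE TGT_TYPE:CLASS { PERMS };",
# the rule audit2allow derives from the same record.
avc_to_rule() {
  src=$(selinux_type "$(avc_field "$1" scontext)")
  tgt=$(selinux_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  perms=$(avc_perms "$1")
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_summary: read records on stdin, print "COUNT RULE" per distinct rule,
# most frequent first, so log spam reduces to the rules behind it.
avc_summary() {
  grep 'avc: *denied' | while IFS= read -r rec; do avc_to_rule "$rec"; done \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone demonstration on the constructed record.
avc_to_rule "$AVC_SAMPLE"
printf '%s\n%s\n' "$AVC_SAMPLE" "$AVC_SAMPLE" | avc_summary
```

On the affected host, after sourcing the file, `ausearch -m AVC -ts recent | avc_summary` gives the same tally over the real records. Before carrying a local module, check whether the loaded policy already has or deliberately omits the rule with `sesearch -A -s xdm_t -t user_home_dir_t -c dir -p watch` (setools) and look for a boolean covering it with `getsebool -a | grep -i xdm`; `audit2allow -M local` followed by `semodule -i local.pp` will silence the denial, but a rule granting the greeter's domain watch on every user_home_dir_t directory is broad, so a denial that has no visible effect beyond log noise, as described here, is the kind of thing to report against the policy rather than to allow locally.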