Bug 1960010 - Many AVCs after default package set installation
Summary: Many AVCs after default package set installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: beta
Target Release: 9.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1942219 1971841
Reported: 2021-05-12 19:12 UTC by Jan Stodola
Modified: 2022-05-17 16:10 UTC (History)

Fixed In Version: selinux-policy-34.1.20-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:49:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
audit.log (332.62 KB, text/plain) - 2021-05-12 19:13 UTC, Jan Stodola
ps auxf (22.33 KB, text/plain) - 2021-06-17 10:30 UTC, Jan Stodola


Links
Red Hat Product Errata RHBA-2022:3918 (last updated 2022-05-17 15:49:39 UTC)

Description Jan Stodola 2021-05-12 19:12:06 UTC
Description of problem:
There are plenty of AVCs logged after running the default package set installation ("Server with GUI") and booting to the installed system.

For example:

type=AVC msg=audit(1620846114.074:528): avc:  denied  { watch } for  pid=1080 comm="gnome-shell" path="/var/lib/flatpak" dev="dm-0" ino=1599956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846116.090:535): avc:  denied  { write } for  pid=1228 comm="gsd-keyboard" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:534): avc:  denied  { write } for  pid=1238 comm="gsd-media-keys" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:536): avc:  denied  { write } for  pid=1216 comm="gsd-power" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.090:537): avc:  denied  { write } for  pid=1234 comm="gsd-wacom" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.104:538): avc:  denied  { write } for  pid=1226 comm="gsd-color" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.351:544): avc:  denied  { write } for  pid=1211 comm="gsd-xsettings" name="dbus-RtZylFxidg" dev="tmpfs" ino=34 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1620846116.598:548): avc:  denied  { watch } for  pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1620846118.625:588): avc:  denied  { watch } for  pid=1080 comm="gmain" path="/var/lib/flatpak" dev="dm-0" ino=1599956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0

The whole audit.log will be attached.

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20210511.3
selinux-policy-34.1.3-1.el9.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run graphical installation, use the default package set (Server with GUI)
2. Reboot to the installed system and check /var/log/audit/audit.log

Actual results:
AVCs reported.

Expected results:
No AVC reported.

Comment 1 Jan Stodola 2021-05-12 19:13:39 UTC
Created attachment 1782537
audit.log

Comment 2 Milos Malik 2021-05-13 10:09:20 UTC
SELinux denials collected in enforcing mode:
----
type=PROCTITLE msg=audit(05/13/2021 11:58:55.717:529) : proctitle=/usr/bin/gnome-shell 
type=PATH msg=audit(05/13/2021 11:58:55.717:529) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:55.717:529) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:55.717:529) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:55.717:529) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x1f a1=0x7ffe227cffd0 a2=0x16 a3=0x55bfe0943e50 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:55.717:529) : avc:  denied  { write } for  pid=32126 comm=gnome-shell name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:56.107:530) : proctitle=/usr/bin/gnome-shell 
type=PATH msg=audit(05/13/2021 11:58:56.107:530) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:56.107:530) : cwd=/var/lib/gdm 
type=SYSCALL msg=audit(05/13/2021 11:58:56.107:530) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x0 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:56.107:530) : avc:  denied  { watch } for  pid=32126 comm=gnome-shell path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.288:544) : proctitle=/usr/libexec/gsd-media-keys 
type=PATH msg=audit(05/13/2021 11:58:58.288:544) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:58.288:544) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:58.288:544) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:58.288:544) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffc97119710 a2=0x16 a3=0x31 items=1 ppid=32043 pid=32274 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-media-keys exe=/usr/libexec/gsd-media-keys subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:58.288:544) : avc:  denied  { write } for  pid=32274 comm=gsd-media-keys name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.303:546) : proctitle=/usr/libexec/gsd-wacom 
type=PATH msg=audit(05/13/2021 11:58:58.303:546) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:58.303:546) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:58.303:546) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:58.303:546) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd90eb97a0 a2=0x16 a3=0x31 items=1 ppid=32043 pid=32255 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-wacom exe=/usr/libexec/gsd-wacom subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:58.303:546) : avc:  denied  { write } for  pid=32255 comm=gsd-wacom name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.304:547) : proctitle=/usr/libexec/gsd-power 
type=PATH msg=audit(05/13/2021 11:58:58.304:547) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:58.304:547) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:58.304:547) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:58.304:547) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd37cf2200 a2=0x16 a3=0x55c6a719ccc0 items=1 ppid=32043 pid=32285 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-power exe=/usr/libexec/gsd-power subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:58.304:547) : avc:  denied  { write } for  pid=32285 comm=gsd-power name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.304:548) : proctitle=/usr/libexec/gsd-color 
type=PATH msg=audit(05/13/2021 11:58:58.304:548) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:58.304:548) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:58.304:548) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:58.304:548) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffd9b8a41f0 a2=0x16 a3=0x21 items=1 ppid=32043 pid=32259 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-color exe=/usr/libexec/gsd-color subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:58.304:548) : avc:  denied  { write } for  pid=32259 comm=gsd-color name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:58.308:549) : proctitle=/usr/libexec/gsd-keyboard 
type=PATH msg=audit(05/13/2021 11:58:58.308:549) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:58.308:549) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:58.308:549) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:58.308:549) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xc a1=0x7ffc1065b690 a2=0x16 a3=0x563bffa0b460 items=1 ppid=32043 pid=32260 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gsd-keyboard exe=/usr/libexec/gsd-keyboard subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:58.308:549) : avc:  denied  { write } for  pid=32260 comm=gsd-keyboard name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:58:59.041:551) : proctitle=/usr/libexec/ibus-x11 --kill-daemon 
type=PATH msg=audit(05/13/2021 11:58:59.041:551) : item=0 name=/tmp/dbus-L81sgOGwlG inode=3567 dev=00:22 mode=socket,777 ouid=gdm ogid=gdm rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:59.041:551) : cwd=/var/lib/gdm 
type=SOCKADDR msg=audit(05/13/2021 11:58:59.041:551) : saddr={ saddr_fam=local path=/tmp/dbus-L81sgOGwlG } 
type=SYSCALL msg=audit(05/13/2021 11:58:59.041:551) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x7ffd66099c40 a2=0x16 a3=0x31 items=1 ppid=1 pid=32468 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=ibus-x11 exe=/usr/libexec/ibus-x11 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:59.041:551) : avc:  denied  { write } for  pid=32468 comm=ibus-x11 name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(05/13/2021 11:59:00.457:552) : proctitle=/usr/bin/gnome-shell 
type=PATH msg=audit(05/13/2021 11:59:00.457:552) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:59:00.457:552) : cwd=/var/lib/gdm 
type=SYSCALL msg=audit(05/13/2021 11:59:00.457:552) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x7ffe227f4080 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gmain exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:59:00.457:552) : avc:  denied  { watch } for  pid=32126 comm=gmain path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 
----

After installation of packages from the "Server with GUI" group, I executed the following command:
# telinit 5

The GDM session started successfully.

Comment 3 Milos Malik 2021-05-13 10:16:00 UTC
The previous comment shows SELinux denials collected after an unconfined user (unconfined_u) logged in and logged out.
When confined users (staff_u, sysadm_u, xguest_u) do the same, there are different SELinux denials.

Comment 4 Milos Malik 2021-05-13 12:11:39 UTC
I just want to point out that the flatpak component brings its own policy module (in the flatpak-selinux package), which means that the default SELinux label for the /var/lib/flatpak directory should be defined there.

Comment 6 Milos Malik 2021-06-17 08:52:16 UTC
Does "graphical installation, use the default package set (Server with GUI)" mean that Xwayland is running (instead of Xorg) when the SELinux denials appear?

Comment 9 Jan Stodola 2021-06-17 10:30:24 UTC
Created attachment 1791780
ps auxf

(In reply to Milos Malik from comment #6)
> Does "graphical installation, use the default package set (Server with GUI)"
> mean that Xwayland is running (instead of Xorg) when the SELinux denials
> appear?

Xwayland is running.

Comment 12 Milos Malik 2021-06-17 13:18:11 UTC
If we cannot persuade the at-spi-bus-launcher process (or its parent process) to run the dbus-daemon the right way (using systemctl which leads to correctly labeled processes), it's very difficult to get rid of the SELinux denials visible in comment#0 or comment#2, because they are triggered by the incorrectly labeled dbus-daemon process.

Comment 13 Zdenek Pytela 2021-06-17 14:01:25 UTC
# systemctl cat at-spi-dbus-bus.service --user
# /usr/lib/systemd/user/at-spi-dbus-bus.service
[Unit]
Description=Accessibility services bus

[Service]
Type=dbus
BusName=org.a11y.Bus
ExecStart=/usr/libexec/at-spi-bus-launcher

# /usr/lib/systemd/user/at-spi-dbus-bus.service.d/00-uresourced.conf
[Service]
Slice=session.slice

# rpm -qf /usr/lib/systemd/user/at-spi-dbus-bus.service.d/00-uresourced.conf 
uresourced-0.4.0-1.fc34.x86_64

After uninstalling uresourced or disabling the service snippet, there are no unconfined_service_t processes:

#  ps axfZ | grep -B 1 dbus-broke[r]
system_u:system_r:devicekit_power_t:s0 693 ?     Ssl    0:00 /usr/libexec/upowerd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 698 ? Ss   0:00 /usr/bin/dbus-broker-launch --scope system --audit
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 714 ? S   0:00  \_ dbus-broker --log 4 --controller 9 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit
--
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2484 ? S<sl   0:00  \_ /usr/bin/pipewire-pulse
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5067 ? Ss   0:00  \_ /usr/bin/dbus-broker-launch --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5068 ? S   0:00  |   \_ dbus-broker --log 4 --controller 11 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 100000000000000 --max-fds 25000000000000 --max-matches 5000000000
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5153 ? Ssl   0:00  \_ /usr/libexec/at-spi-bus-launcher
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5158 ? S   0:00  |   \_ /usr/bin/dbus-broker-launch --config-file=/usr/share/defaults/at-spi2/accessibility.conf --scope user
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 5159 ? S   0:00  |       \_ dbus-broker --log 4 --controller 9 --machine-id bf6e64eca39a4a69b0b1d58bec31bfb7 --max-bytes 100000000000000 --max-fds 6400000 --max-matches 5000000000

Also note:
# cat /usr/share/doc/uresourced/README
UResourced
==========

NOTE: This daemon is designed for obsoletion. The codebase is not supposed to
be pretty, it just needs to do the one job until other components are able
to take over in the long run.

Comment 16 Zdenek Pytela 2021-09-02 16:08:43 UTC
The majority of the denials were resolved in bz#1972655.
These remain:

----
type=PROCTITLE msg=audit(05/13/2021 11:58:56.107:530) : proctitle=/usr/bin/gnome-shell 
type=PATH msg=audit(05/13/2021 11:58:56.107:530) : item=0 name=/var/lib/flatpak inode=27195052 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/13/2021 11:58:56.107:530) : cwd=/var/lib/gdm 
type=SYSCALL msg=audit(05/13/2021 11:58:56.107:530) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x19 a1=0x55bfe134cc70 a2=0x1002fce a3=0x0 items=1 ppid=32043 pid=32126 auid=unset uid=gdm gid=gdm euid=gdm suid=gdm fsuid=gdm egid=gdm sgid=gdm fsgid=gdm tty=tty1 ses=unset comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/13/2021 11:58:56.107:530) : avc:  denied  { watch } for  pid=32126 comm=gnome-shell path=/var/lib/flatpak dev="vda2" ino=27195052 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(1620846116.598:548): avc:  denied  { watch } for  pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(12.5.2021 21:03:36.627:1522) : avc:  denied  { watch } for  pid=1211 comm=gmain path=/usr/lib64/gnome-settings-daemon-3.0/gtk-modules dev="dm-0" ino=34198403 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
----
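A small triage helper for the denials quoted in the description, comment 2 and comment 16 (an added example, not code from this bug or from the selinux-policy project): it parses both the raw audit.log format and the ausearch -i format seen above, counts denials per (source domain, target type, class, permission), and prints one review line per tuple in the allow syntax the backported fixes use, flagging denials on generic types such as tmp_t and var_lib_t for a labeling check rather than a new rule. The sample lines are copied from this bug; the GENERIC_TYPES set is my own assumption.

```python
import re
from collections import Counter

# Constructed sample, values taken from this bug: raw audit.log lines
# (epoch timestamps, quoted values), "ausearch -i" style lines
# (interpreted timestamps, mostly unquoted values), and one non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1620846114.074:528): avc:  denied  { watch } for  pid=1080 comm="gnome-shell" path="/var/lib/flatpak" dev="dm-0" ino=1599956 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(05/13/2021 11:58:55.717:529) : avc:  denied  { write } for  pid=32126 comm=gnome-shell name=dbus-L81sgOGwlG dev="tmpfs" ino=3567 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(05/13/2021 11:58:55.717:529) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied)
type=AVC msg=audit(1620846116.598:548): avc:  denied  { watch } for  pid=1211 comm="gsd-xsettings" path="/usr/share/fonts" dev="dm-0" ino=33575060 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(12.5.2021 21:03:36.627:1522) : avc:  denied  { watch } for  pid=1211 comm=gmain path=/usr/lib64/gnome-settings-daemon-3.0/gtk-modules dev="dm-0" ino=34198403 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
"""

# Head of an AVC record: result, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC\s.*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; the value is either double-quoted (raw log) or bare (ausearch -i).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumed set of target types where a denial usually means a labeling or
# launch problem (compare comment 4 and comment 12), not a missing rule.
GENERIC_TYPES = {"tmp_t", "var_lib_t", "var_t", "usr_t", "etc_t", "unconfined_service_t"}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def type_of(context):
    """Return the type component of an SELinux context user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(log_text):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:  # a record may list several permissions
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] += 1
    return counts


def triage(counts):
    """One review line per tuple in 'allow' syntax; generic targets get a labeling note."""
    lines = []
    for (src, tgt, cls, perm), n in sorted(counts.items()):
        note = "check labeling first" if tgt in GENERIC_TYPES else "candidate policy rule"
        lines.append(f"allow {src} {tgt}:{cls} {perm};  # {n}x, {note}")
    return lines


if __name__ == "__main__":
    for line in triage(summarize(SAMPLE_LOG)):
        print(line)
```

On a real system the same functions can be fed the output of `ausearch -m AVC -i` or the raw /var/log/audit/audit.log; the review lines are a starting point for a policy or labeling decision, not rules to load as they are.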

Comment 19 Zdenek Pytela 2021-11-26 16:59:42 UTC
To backport:
commit 09d6db05fd99a4fe1ac7f35576229d88ae20951d
Author: Zdenek Pytela <zpytela>
Date:   Wed Oct 6 20:25:15 2021 +0200

    Allow xdm_t watch fonts directories

commit a53e7cfb01ba48a50a70ae77f9579fb199f14d14
Author: Zdenek Pytela <zpytela>
Date:   Wed Oct 6 20:22:38 2021 +0200

    Allow xdm_t watch generic directories in /lib

and
https://github.com/fedora-selinux/selinux-policy/pull/956

Comment 31 errata-xmlrpc 2022-05-17 15:49:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918

