1972994 – SELinux is preventing gnome-shell from write access on the sock_file dbus-3Txx19aEpJ.

Bug 1972994 - SELinux is preventing gnome-shell from write access on the sock_file dbus-3Txx19aEpJ.

Summary: SELinux is preventing gnome-shell from write access on the sock_file dbus-3Tx...

Keywords:
Status:	CLOSED DUPLICATE of bug 1941853
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	34
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-06-17 03:51 UTC by 319513897
Modified:	2021-08-24 00:09 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-08-24 00:09:20 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
log exported from GNOME-log's important section. (1.40 KB, text/plain) 2021-06-17 03:51 UTC, 319513897	no flags	Details
View All

Description 319513897 2021-06-17 03:51:27 UTC

Created attachment 1791669 [details]
log exported from GNOME-log's important section.

Created attachment 1791669 [details]
log exported from GNOME-log's important section.

Description of problem:
=====================================================================================================================
SELinux is preventing gnome-shell from write access on the sock_file dbus-3Txx19aEpJ.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gnome-shell should be allowed write access on the dbus-3Txx19aEpJ sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                dbus-3Txx19aEpJ [ sock_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          dragon
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.11-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.11-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dragon
Platform                      Linux dragon 5.12.10-300.fc34.x86_64 #1 SMP Thu
                              Jun 10 14:21:36 UTC 2021 x86_64 x86_64
Alert Count                   53
First Seen                    2021-06-16 21:01:47 CST
Last Seen                     2021-06-17 10:59:39 CST
Local ID                      dc673629-1c13-40f0-9631-eaf628a0f944

Raw Audit Messages
type=AVC msg=audit(1623898779.336:1070): avc:  denied  { write } for  pid=3166 comm="gsd-color" name="dbus-3Txx19aEpJ" dev="tmpfs" ino=47 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0


Hash: gnome-shell,xdm_t,tmp_t,sock_file,write




How reproducible:
=====================================================================================================================

Steps to Reproduce:
1. Install fedora 34
2. login GNOME and wait a minutes
3. error happend


Additional info:
=====================================================================================================================

audit log:
=====================================================================================================================

```
type=AVC msg=audit(1623898779.336:1070): avc: denied { write } for pid=3166 comm="gsd-color" name="dbus-3Txx19aEpJ" dev="tmpfs" ino=47 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0 
```

dbus-broker.service log:
=====================================================================================================================

```
● dbus-broker.service - D-Bus System Message Bus
     Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-17 10:59:24 CST; 42min ago
TriggeredBy: ● dbus.socket
       Docs: man:dbus-broker-launch(1)
   Main PID: 817 (dbus-broker-lau)
      Tasks: 2 (limit: 19045)
     Memory: 6.5M
        CPU: 1.330s
     CGroup: /system.slice/dbus-broker.service
             ├─817 /usr/bin/dbus-broker-launch --scope system --audit
             └─822 dbus-broker --log 4 --controller 9 --machine-id 704e146b70ff4a37923780ee456d4667 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit

6月 17 10:59:24 dragon systemd[1]: Starting D-Bus System Message Bus...
6月 17 10:59:24 dragon systemd[1]: Started D-Bus System Message Bus.
6月 17 10:59:24 dragon dbus-broker-lau[817]: Ready
6月 17 10:59:39 dragon dbus-broker[822]: A security policy denied :1.41 to send method call /org/freedesktop/PackageKit:org.freedesktop.DBus.Properties.GetAll to :1.64.
6月 17 10:59:39 dragon dbus-broker[822]: A security policy denied :1.41 to send method call /org/freedesktop/PackageKit:org.freedesktop.DBus.Properties.GetAll to :1.64.
```

log of dbus.service
=====================================================================================================================

```
● dbus-broker.service - D-Bus System Message Bus
     Loaded: loaded (/usr/lib/systemd/system/dbus-broker.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-06-17 10:59:24 CST; 45min ago
TriggeredBy: ● dbus.socket
       Docs: man:dbus-broker-launch(1)
   Main PID: 817 (dbus-broker-lau)
      Tasks: 2 (limit: 19045)
     Memory: 6.4M
        CPU: 1.374s
     CGroup: /system.slice/dbus-broker.service
             ├─817 /usr/bin/dbus-broker-launch --scope system --audit
             └─822 dbus-broker --log 4 --controller 9 --machine-id 704e146b70ff4a37923780ee456d4667 --max-bytes 536870912 --max-fds 4096 --max-matches 131072 --audit

6月 17 10:59:24 dragon systemd[1]: Starting D-Bus System Message Bus...
6月 17 10:59:24 dragon systemd[1]: Started D-Bus System Message Bus.
6月 17 10:59:24 dragon dbus-broker-lau[817]: Ready
6月 17 10:59:39 dragon dbus-broker[822]: A security policy denied :1.41 to send method call /org/freedesktop/PackageKit:org.freedesktop.DBus.Properties.GetAll to :1.64.
6月 17 10:59:39 dragon dbus-broker[822]: A security policy denied :1.41 to send method call /org/freedesktop/PackageKit:org.freedesktop.DBus.Properties.GetAll to :1.64.
```

Comment 1 Adam Williamson 2021-08-24 00:06:41 UTC

Saw this on current F35 as well:

SELinux is preventing gnome-shell from write access on the sock_file dbus-SJQtBR21nt.
Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                dbus-SJQtBR21nt [ sock_file ]
Source                        gnome-shell
Source Path                   gnome-shell
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.16-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-34.16-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 5.14.0-0.rc6.46.fc35.x86_64 #1 SMP
                              Mon Aug 16 20:02:52 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-08-23 16:05:52 PDT
Last Seen                     2021-08-23 16:05:54 PDT
Local ID                      9f8e1043-41dd-4f03-9d95-1c6e510e4646

Raw Audit Messages
type=AVC msg=audit(1629759954.924:211): avc:  denied  { write } for  pid=1243 comm="ibus-x11" name="dbus-SJQtBR21nt" dev="tmpfs" ino=44 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1


Hash: gnome-shell,xdm_t,tmp_t,sock_file,write

Comment 2 Adam Williamson 2021-08-24 00:09:20 UTC

Actually, this is almost certainly the same as 1941853 .

*** This bug has been marked as a duplicate of bug 1941853 ***

Note You need to log in before you can comment on or make changes to this bug.