Description of problem:
Upgraded to Fedora 34; the system froze a couple of times and I restarted. After the third reboot I see this in the SELinux alert:

```
SELinux is preventing at-spi-bus-laun from 'getattr' accesses on the filesystem /dev/shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that at-spi-bus-laun should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'at-spi-bus-laun' --raw | audit2allow -M my-atspibuslaun
# semodule -X 300 -i my-atspibuslaun.pp

Additional Information:
Source Context                system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm [ filesystem ]
Source                        at-spi-bus-laun
Source Path                   at-spi-bus-laun
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.18-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.18-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.13.14-200.fc34.x86_64+debug #1 SMP Fri Sep 3 15:15:57 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-09-12 22:17:03 AEST
Last Seen                     2021-09-12 22:26:12 AEST
Local ID                      03f02571-f37b-448e-b8f4-ca7e3ac25fc8

Raw Audit Messages
type=AVC msg=audit(1631449572.228:294): avc: denied { getattr } for pid=2647 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Hash: at-spi-bus-laun,gnome_atspi_t,tmpfs_t,filesystem,getattr
```

Version-Release number of selected component:
selinux-policy-targeted-34.18-1.fc34.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.15.2
hashmarkername: setroubleshoot
kernel: 5.13.14-200.fc34.x86_64+debug
type: libreport
Similar problem has been detected:

Plugged in Phone

hashmarkername: setroubleshoot
kernel: 5.13.16-200.fc34.x86_64
package: selinux-policy-targeted-34.19-1.fc34.noarch
reason: SELinux is preventing at-spi-bus-laun from 'getattr' accesses on the filesystem /dev/shm.
type: libreport
Hi folks, When you see this denial, do you also notice some functionality problem?
Hi Michael,

Yes, I see problems with my touchpad and mouse movements. Freeze, release, freeze, release ... kind of sequences in mouse moves / non-functional touchpad.

```
iman@ImanHPCorei7:~ $ uname -a
Linux ImanHPCorei7 5.13.14-200.fc34.x86_64+debug #1 SMP Fri Sep 3 15:15:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
iman@ImanHPCorei7:~ $ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 0bda:b00a Realtek Semiconductor Corp. Realtek Bluetooth 4.2 Adapter
Bus 001 Device 002: ID 0408:5365 Quanta Computer, Inc. HP TrueVision HD Camera
Bus 001 Device 036: ID 0c45:652f Microdia Backlit Gaming Keyboard
Bus 001 Device 035: ID 25a7:fa76 Areson Technology Corp 2.4G Wireless Receiver
Bus 001 Device 034: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
iman@ImanHPCorei7:~ $ lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics 620 (rev 07)
00:04.0 Signal processing controller: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Thermal Subsystem (rev 08)
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th/8th Gen Core Processor Gaussian Mixture Model
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #1 (rev f1)
00:1c.4 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #5 (rev f1)
00:1c.5 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #6 (rev f1)
00:1d.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #9 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point LPC Controller/eSPI Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
01:00.0 3D controller: NVIDIA Corporation GM108M [GeForce MX130] (rev a2)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
03:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
04:00.0 Non-Volatile memory controller: Intel Corporation SSD 660P Series (rev 03)
iman@ImanHPCorei7:~ $
```
As I cannot directly reproduce it, I'd like to ask someone to insert a local policy as a workaround:

```
# cat local_atspi_tmpfs.cil
(allow gnome_atspi_t tmpfs_t (filesystem (getattr)))
# semodule -i local_atspi_tmpfs.cil
```

and see if the problems are gone or some additional AVCs pop up.
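Added example, not part of the original comment and not selinux-policy project code: a Python helper that derives the CIL rule in the workaround above from the raw AVC record in the report, so the rule can be read and compared before it is loaded with `semodule`. The first record is copied from the report; the repeated denial and the SYSCALL line are constructed sample input.

```python
import re
from collections import defaultdict

# First record is the AVC from the report above. The second (a repeat of the
# same denial, as "Alert Count 4" implies) and the SYSCALL line are constructed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1631449572.228:294): avc: denied { getattr } for pid=2647 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1631449999.000:301): avc: denied { getattr } for pid=2901 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1631449999.000:301): arch=c000003e syscall=137 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return fields[2]


def denials_to_cil(audit_text):
    """Group denied permissions by (source type, target type, class) and
    return one CIL allow rule per group, sorted for stable output."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial (SYSCALL, PATH, ... records)
        perms, scon, tcon, tclass = match.groups()
        key = (context_type(scon), context_type(tcon), tclass)
        grouped[key].update(perms.split())  # repeated denials collapse here
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in denials_to_cil(SAMPLE_AUDIT):
        print(rule)
```

Anything in the output beyond the single `getattr` rule on `tmpfs_t` would be the "additional AVCs" the comment asks testers to watch for.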
I did the above and I can say that SELinux is not complaining or giving warnings anymore; still, I get a non-functional touchpad from time to time.
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/880
and let's see what happens.

Intermittent problems are usually troublesome to debug. If SELinux was set to permissive for a while, would the problems still be there?

```
# setenforce 0
```
FEDORA-2021-a15b7e7314 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a15b7e7314`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
Fixed it for me
Fixed for me as well