Bug 2003451 - SELinux is preventing at-spi-bus-laun from 'getattr' accesses on the filesystem /dev/shm.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:c7861513aace37d3e8216e6ed8b...
 
Reported: 2021-09-12 12:40 UTC by Iman M. Dezfuly
Modified: 2021-10-01 11:01 UTC (History)

Fixed In Version: selinux-policy-34.21-1.fc34
Last Closed: 2021-09-30 01:13:59 UTC
Type: ---



Description Iman M. Dezfuly 2021-09-12 12:40:03 UTC
Description of problem:
Upgraded to Fedora 34.
The system froze a couple of times and I restarted.
After the third reboot I see this in the SELinux alert:
SELinux is preventing at-spi-bus-laun from 'getattr' accesses on the filesystem /dev/shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that at-spi-bus-laun should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'at-spi-bus-laun' --raw | audit2allow -M my-atspibuslaun
# semodule -X 300 -i my-atspibuslaun.pp

Additional Information:
Source Context                system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm [ filesystem ]
Source                        at-spi-bus-laun
Source Path                   at-spi-bus-laun
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.18-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.18-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.13.14-200.fc34.x86_64+debug #1
                              SMP Fri Sep 3 15:15:57 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-09-12 22:17:03 AEST
Last Seen                     2021-09-12 22:26:12 AEST
Local ID                      03f02571-f37b-448e-b8f4-ca7e3ac25fc8

Raw Audit Messages
type=AVC msg=audit(1631449572.228:294): avc:  denied  { getattr } for  pid=2647 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: at-spi-bus-laun,gnome_atspi_t,tmpfs_t,filesystem,getattr

Version-Release number of selected component:
selinux-policy-targeted-34.18-1.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.13.14-200.fc34.x86_64+debug
type:           libreport

Comment 1 Michael 2021-09-20 07:08:42 UTC
Similar problem has been detected:

Plugged in Phone

hashmarkername: setroubleshoot
kernel:         5.13.16-200.fc34.x86_64
package:        selinux-policy-targeted-34.19-1.fc34.noarch
reason:         SELinux is preventing at-spi-bus-laun from 'getattr' accesses on the filesystem /dev/shm.
type:           libreport

Comment 2 Zdenek Pytela 2021-09-20 07:16:01 UTC
Hi folks,

When you see this denial, do you also notice some functionality problem?

Comment 3 Iman M. Dezfuly 2021-09-21 01:42:55 UTC
Hi Michael

Yes, I see problems with my touchpad and mouse movements. Freeze, release, freeze, release ... kind of sequences in mouse moves / non-functional touchpad.
 
```
iman@ImanHPCorei7:~ $ uname -a 
Linux ImanHPCorei7 5.13.14-200.fc34.x86_64+debug #1 SMP Fri Sep 3 15:15:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
iman@ImanHPCorei7:~ $ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 0bda:b00a Realtek Semiconductor Corp. Realtek Bluetooth 4.2 Adapter
Bus 001 Device 002: ID 0408:5365 Quanta Computer, Inc. HP TrueVision HD Camera
Bus 001 Device 036: ID 0c45:652f Microdia Backlit Gaming Keyboard
Bus 001 Device 035: ID 25a7:fa76 Areson Technology Corp 2.4G Wireless Receiver
Bus 001 Device 034: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
iman@ImanHPCorei7:~ $ lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics 620 (rev 07)
00:04.0 Signal processing controller: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Thermal Subsystem (rev 08)
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th/8th Gen Core Processor Gaussian Mixture Model
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #1 (rev f1)
00:1c.4 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #5 (rev f1)
00:1c.5 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #6 (rev f1)
00:1d.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #9 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point LPC Controller/eSPI Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
01:00.0 3D controller: NVIDIA Corporation GM108M [GeForce MX130] (rev a2)
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
03:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
04:00.0 Non-Volatile memory controller: Intel Corporation SSD 660P Series (rev 03)
iman@ImanHPCorei7:~ $ 
```

Comment 4 Zdenek Pytela 2021-09-21 06:43:33 UTC
As I cannot directly reproduce it, I'd like to ask someone to insert a local policy as a workaround:

```
# cat local_atspi_tmpfs.cil
(allow gnome_atspi_t tmpfs_t (filesystem (getattr)))
# semodule -i local_atspi_tmpfs.cil
```

and see if the problems are gone or some additional AVCs pop up.
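
The one-line CIL rule in Comment 4 is exactly what the raw AVC in the description reduces to once the source type, target type, class and denied permission are pulled out of it. As an added example (not code from this bug or from selinux-policy), the Python below reproduces that derivation: it parses AVC lines, merges denied permissions per (source type, target type, class) into one allow rule each, and checks whether a given denial is the one reported here or something different that deserves its own look. The second AVC line is constructed for illustration and did not appear on this system.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Raw AVC copied from the bug's setroubleshoot report.
REPORTED_AVC = (
    'type=AVC msg=audit(1631449572.228:294): avc:  denied  { getattr } for  pid=2647 '
    'comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0'
)
# Constructed line (not from the bug): same domain and target type, different class.
OTHER_AVC = (
    'type=AVC msg=audit(1631449600.000:301): avc:  denied  { read } for  pid=2647 '
    'comm="at-spi-bus-laun" name="x" dev="tmpfs" ino=2 '
    'scontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'
)

def parse_avc(line):
    """Return denied perms, source type, target type and class of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m["perms"].split(),
        "stype": m["scontext"].split(":")[2],   # contexts are user:role:type[:range]
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }

def cil_allow_rules(lines):
    """Merge denied permissions per (source, target, class) into minimal CIL allow rules."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(perms.items())]

def is_reported_denial(line):
    """True only for the getattr-on-the-tmpfs-filesystem denial this bug is about."""
    d = parse_avc(line)
    if not d or (d["stype"], d["ttype"], d["tclass"]) != ("gnome_atspi_t", "tmpfs_t", "filesystem"):
        return False
    return set(d["perms"]) <= {"getattr"}
```

Each generated rule allows only what was actually denied, which is why reviewing the output before loading it with semodule matters: a denial on a different class (like the constructed `file read` line) yields a separate, broader rule that the workaround above deliberately does not grant.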

Comment 5 Iman M. Dezfuly 2021-09-21 07:58:39 UTC
I did the above and I can say SELinux is not complaining or giving warnings anymore;
still I get a non-functional touchpad from time to time.

Comment 6 Zdenek Pytela 2021-09-21 09:55:25 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/880

and let's see what happens. Intermittent problems are usually troublesome to debug.

If SELinux was set to permissive for a while, would the problems still be there?

  # setenforce 0

Comment 7 Fedora Update System 2021-09-24 09:55:39 UTC
FEDORA-2021-a15b7e7314 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

Comment 8 Fedora Update System 2021-09-24 21:48:50 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a15b7e7314`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-09-30 01:13:59 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Michael 2021-10-01 09:35:31 UTC
Fixed it for me

Comment 11 Iman M. Dezfuly 2021-10-01 11:01:03 UTC
Fixed for me as well

