RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Created attachment 1823552 [details]
avc denials

Description of problem:
While starting the Xephyr window I get flooded with denials.

Version-Release number of selected component (if applicable):
Compose used RHEL-9.0.0-20210907.4
Scratch build from https://bugzilla.redhat.com/show_bug.cgi?id=1993855#c20

How reproducible:
100%

Steps to Reproduce:
1. $ Xephyr :99 -query localhost -fullscreen

(My only action is starting the Xephyr with the above command, I do not do anything else)

Actual results:
Journal flooded with denials.

Expected results:
No denials

Additional info:
This is only happening with Xephyr and with the new gdm version which fixes the previous issue with login, does NOT seem to be a blocker for now, I can still login and logout, but could be investigated.

i don't think this is related to the change really. The AVC says it's blocking at-spi from talking over a tcp socket.  With XDMCP, the X connection is a tcp socket.  Just seems like a bug in selinux policy we don't hit typically because X connections are usually over a local socket.

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/896

Commit to backport:

Author: Zdenek Pytela <zpytela>
Date:   Thu Sep 23 16:00:21 2021 +0200

    Allow gnome at-spi processes create and use stream sockets

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918