Description of problem:
I upgraded from Fedora 33 to 35. I use confined users, and the SELinux alert browser is going crazy.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Log in
2. SELinux alert browser is flashing non-stop

Actual results:
SELinux alert browser is flashing non-stop

Expected results:
No SELinux alerts

Additional info:
Endless output:

    type=AVC msg=audit(1643765589.633:566): avc: denied { watch } for pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/vlgothic" dev="dm-0" ino=4194591 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0

It appears I am getting this message for every font in /usr/share/fonts.
Additional information:

    ausearch -m avc -ts boot | audit2allow -a -M upgrade
    cat upgrade.te

    module upgrade 1.0;

    require {
        type root_t;
        type var_log_t;
        type staff_t;
        type fonts_t;
        type system_conf_t;
        type bin_t;
        type lib_t;
        class dir watch;
        class sock_file write;
    }

    #============= staff_t ==============
    allow staff_t bin_t:dir watch;
    allow staff_t fonts_t:dir watch;
    allow staff_t lib_t:dir watch;
    allow staff_t root_t:dir watch;
    allow staff_t system_conf_t:dir watch;
    allow staff_t var_log_t:sock_file write;

I am 99.9% certain the last line, "allow staff_t var_log_t:sock_file write;", is related to the Citrix client and unrelated to the upgrade, but I included it to be complete. It looks as if the SELinux policy does not like the "watch". I relabeled the files after the upgrade, prior to reboot.
Thank you for reporting the issue. Could you include more details? Has something changed in your configuration? I cannot see such denials in my environment; staff has already been allowed to watch a bunch of directories. The "staff_t var_log_t:sock_file write" is unlikely to be allowed, but the rest is, if there is a reason.

To find out what is actually going on, full auditing enabled is very helpful. Please do the following:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
       -a task,never
3) Add the following line to the end of the file:
       -w /etc/shadow -p w
4) Restart the audit daemon:
       # service auditd restart
5) Re-run your scenario.
6) Collect AVC denials:
       # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
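As an added example (not part of the report or of the selinux-policy project), a small Python parser that does in a readable way what the `ausearch | audit2allow` step above does: it collapses AVC records on (source type, target type, class, permission) and counts how many denials each resulting allow rule covers, which shows why one missing `watch` permission on `fonts_t` surfaces as a separate alert per font directory. The sample records are constructed from the denial quoted in the report; the `sock_file` record uses a placeholder `comm`, not a real program name.

```python
import re
from collections import defaultdict
# Constructed sample records modelled on the denial quoted in the report; the
# sock_file record uses a placeholder comm, not a real program name.
SAMPLE_AVCS = """\
type=AVC msg=audit(1643765589.633:566): avc:  denied  { watch } for  pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/vlgothic" dev="dm-0" ino=4194591 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765589.634:567): avc:  denied  { watch } for  pid=3619 comm="xdg-desktop-por" path="/usr/share/fonts/dejavu" dev="dm-0" ino=4194600 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765590.101:568): avc:  denied  { watch } for  pid=3619 comm="xdg-desktop-por" path="/usr/lib" dev="dm-0" ino=12 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1643765591.220:569): avc:  denied  { write } for  pid=4102 comm="placeholder-app" name="x.sock" dev="dm-0" ino=991 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC record; lines that are not AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()  # "{ read write }" -> ["read", "write"]
            records.append(rec)
    return records

def summarize(records):
    """Group on (source type, target type, class, perm), the key audit2allow collapses on."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for r in records:
        for perm in r["perms"]:
            key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], perm)
            groups[key]["count"] += 1
            groups[key]["comms"].add(r["comm"])
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule audit2allow would emit for it."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in groups)

if __name__ == "__main__":
    groups = summarize(parse_avcs(SAMPLE_AVCS))
    for key, info in groups.items():
        print(f"{info['count']:4d} x {key} from {sorted(info['comms'])}")
    print("\n".join(allow_rules(groups)))
```

Feeding it the real `ausearch -m avc -ts boot` output (raw, not `-i`) gives the same rule list as the upgrade.te above, plus the per-rule hit count that audit2allow does not print.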
Thank you for looking at this and your advice. I have not changed any configuration or SELinux settings. For what it is worth, my understanding is that semanage export will show any local changes, thus:

    semanage export

    boolean -D
    login -D
    interface -D
    user -D
    port -D
    node -D
    fcontext -D
    module -D
    ibendport -D
    ibpkey -D
    permissive -D
    boolean -m -1 domain_can_mmap_files
    login -a -s staff_u -r 's0' bodhi
    fcontext -a -f a -t chrome_sandbox_exec_t -r 's0' '/usr/lib/chrome-sandbox'
    fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser'
    fcontext -a -f a -t bin_t -r 's0' '/usr/lib/chromium-browser/chromium-browser.sh'
    fcontext -a -f a -t rpm_exec_t -r 's0' '/usr/share/dnfdaemon/dnfdaemon-system'

The SELinux alerts are continuous, so I piped the output to a text file, which I will upload as "avc_denials".
Created attachment 1858747: avc denials
Created attachment 1858748: avc denials
Well, something has to be done, as these SELinux alerts are filling my logs and thus my hard drive.
There is a PR to address this and similar permissions: https://github.com/fedora-selinux/selinux-policy/pull/1061