Description of problem:
Each boot, I see the following error in journal repeated ~15 times:

čec 28 11:26:24 hydra systemd[1483]: selinux: avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0

Quite interestingly, this error is not visible in ausearch nor SELinux Alert Browser. It was first reported at:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-320775eb9a
I don't know if it happened before that (I can try to downgrade selinux-policy or some other package, if needed).

Version-Release number of selected component (if applicable):
selinux-policy-36.12-1.fc36.noarch
gnome-shell-42.3.1-1.fc36.x86_64
systemd-250.8-1.fc36.x86_64

How reproducible:
always

Steps to Reproduce:
1. boot
2. journalctl -b | grep -i avc
-or-
1. lock your screen, make it go blank
2. unlock your screen
3. journalctl -b | grep -i avc
Created attachment 1899891: journal
Created attachment 1899892: ausearch
I don't know why this error happens or how to trigger it. It is present immediately after boot.
I am unable to reproduce on a fully updated system. Could you do the following?

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Log in or reboot to trigger the denials
6) Collect AVC denials:
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

I suppose the events have the USER_AVC type.

Additionally, does some service fail to perform any task?
Is there a gnome-shell service?
These messages were produced by the systemd process. We should ask the systemd guys to give us a detailed explanation of what was happening.

# strings /usr/lib/systemd/systemd | grep mac_selinux
mac_selinux_init
mac_selinux_finish
mac_selinux_retest
mac_selinux_get_create_label_from_exe
mac_selinux_maybe_reload
mac_selinux_use
mac_selinux_bind
mac_selinux_create_file_prepare_at
mac_selinux_create_file_clear
mac_selinux_enforcing
mac_selinux_free
mac_selinux_get_our_label
mac_selinux_get_child_mls_label
mac_selinux_setup
mac_selinux_filter
mac_selinux_filter
mac_selinux_access_check_internal
mac_selinux_access_check_internal
#
Performed the steps, ausearch doesn't seem to see it:

$ sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(28.7.2022 10:34:24.736:251) : avc: denied { read } for pid=1454 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 10:34:24.736:252) : avc: denied { read } for pid=1454 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 11:26:22.159:250) : avc: denied { read } for pid=1467 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(28.7.2022 11:26:22.159:251) : avc: denied { read } for pid=1467 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=USER_AVC msg=audit(28.7.2022 13:38:34.836:247) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" function="reply_unit_path" scontext=system_u:system_r:NetworkManager_dispatcher_sendmail_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:250) : proctitle=gdm-session-worker [pam/gdm-autologin]
type=SYSCALL msg=audit(28.7.2022 13:38:34.889:250) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x0 a3=0x0 items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(28.7.2022 13:38:34.889:250) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:251) : proctitle=gdm-session-worker [pam/gdm-autologin]
type=SYSCALL msg=audit(28.7.2022 13:38:34.889:251) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x55bcb1e4a7b0 a3=0xa items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(28.7.2022 13:38:34.889:251) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0

But, I found out how to trigger it! Just locking my session, letting the screen go black, and then unlocking the session is enough to see the error printed again.

> Is there a gnome-shell service?

I don't think so.

$ sudo systemctl status gnome-shell
Unit gnome-shell.service could not be found.
$ systemctl --user status gnome-shell
Unit gnome-shell.service could not be found.
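One way to collapse the repeated denials from the journal and from ausearch into one row per distinct denial, as an added example that is not part of the original report or of systemd. The sample lines are constructed from the messages quoted in this bug (the USER_AVC record is abridged), and the names parse_avc and summarize are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, copied from the messages quoted in this report.
JOURNAL = ('čec 28 11:26:24 hydra systemd[1483]: selinux: avc: denied { status } for '
           'auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" '
           'cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" '
           'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
           'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
           'tclass=service permissive=0')
USER_AVC = ("type=USER_AVC msg=audit(28.7.2022 13:38:34.836:247) : pid=1 uid=root "
            "subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset "
            'uid=root gid=root path=/usr/lib/systemd/system/sendmail.service cmdline="" '
            'function="reply_unit_path" '
            "scontext=system_u:system_r:NetworkManager_dispatcher_sendmail_t:s0 "
            "tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service "
            "permissive=0 exe=/usr/lib/systemd/systemd sauid=root terminal=?'")
KERNEL_AVC = ('type=AVC msg=audit(28.7.2022 10:34:24.736:251) : avc: denied { read } '
              'for pid=1454 comm=gdm-session-wor '
              'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
              'tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0')
SAMPLE = [JOURNAL, JOURNAL, USER_AVC, KERNEL_AVC, "systemd[1]: Started example.service"]

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, quoted, bare in FIELD.findall(m.group(2)):
        # The last field of a USER_AVC record carries the closing quote of msg='...'.
        rec[key] = bare.rstrip("'") if bare else quoted
    return rec

def ctx_type(context):
    parts = context.split(":")  # user:role:type:level
    return parts[2] if len(parts) > 2 else context

def summarize(lines):
    """Count denials per (function, source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            # Kernel AVC records have no function= field; "-" stands in for it.
            counts[(rec.get("function", "-"), ctx_type(rec.get("scontext", "")),
                    ctx_type(rec.get("tcontext", "")), rec.get("tclass", ""), perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Replacing SAMPLE with the lines of `journalctl -b` output covers the denials that, as in this report, do not show up in ausearch.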
> Additionally, does some service fail to perform any task?

I haven't seen anything broken.
FEDORA-2022-70c63dd1e2 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-70c63dd1e2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
*** Bug 2127402 has been marked as a duplicate of this bug. ***