Description of problem:
Reproduction steps: Just connect to local cockpit using username/password

SELinux is preventing cockpit-session from 'execute' accesses on the file /usr/bin/gnome-keyring-daemon.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that cockpit-session should be allowed execute access on the gnome-keyring-daemon file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'cockpit-session' --raw | audit2allow -M my-cockpitsession
# semodule -X 300 -i my-cockpitsession.pp

Additional Information:
Source Context                system_u:system_r:cockpit_session_t:s0
Target Context                system_u:object_r:gkeyringd_exec_t:s0
Target Objects                /usr/bin/gnome-keyring-daemon [ file ]
Source                        cockpit-session
Source Path                   cockpit-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           gnome-keyring-42.1-2.fc37.x86_64
SELinux Policy RPM            selinux-policy-targeted-37.18-1.fc37.noarch
Local Policy RPM              cockpit-ws-283-1.fc37.x86_64
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.1.7-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 18 17:11:49 UTC 2023 x86_64 x86_64
Alert Count                   12
First Seen                    2023-01-26 19:39:53 CET
Last Seen                     2023-01-31 17:18:49 CET
Local ID                      bcfabe43-10d1-453a-bff4-4176d1543550

Raw Audit Messages
type=AVC msg=audit(1675181929.352:978): avc: denied { execute } for pid=82943 comm="cockpit-session" name="gnome-keyring-daemon" dev="nvme0n1p5" ino=7645081 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0

Hash: cockpit-session,cockpit_session_t,gkeyringd_exec_t,file,execute

Version-Release number of selected component:
selinux-policy-targeted-37.18-1.fc37.noarch

Additional info:
component:      cockpit
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.1.7-200.fc37.x86_64
type:           libreport
Lukas, Zdenek, do you have any guidance for us here? It's not clear to me how to write such GNOME-specific transitions in our https://github.com/cockpit-project/cockpit/blob/main/selinux/cockpit.te , it seems there is no previous case for that. Would that be something like can_exec(cockpit_session_t,gkeyringd_exec_t)? Can I just declare such "foreign"/external types? Thanks! This feels a bit odd -- certainly lots of people and our own developers have connected to their own laptop with GNOME.
There does not seem to be a generic domain to transition to, only user ones:

f37# sesearch -T -t gkeyringd_exec_t -c process
type_transition staff_dbusd_t gkeyringd_exec_t:process staff_gkeyringd_t;
type_transition staff_t gkeyringd_exec_t:process staff_gkeyringd_t;
type_transition sysadm_dbusd_t gkeyringd_exec_t:process sysadm_gkeyringd_t;
type_transition sysadm_t gkeyringd_exec_t:process sysadm_gkeyringd_t;
type_transition unconfined_dbusd_t gkeyringd_exec_t:process unconfined_t;
type_transition user_dbusd_t gkeyringd_exec_t:process user_gkeyringd_t;
type_transition user_t gkeyringd_exec_t:process user_gkeyringd_t;
type_transition xguest_dbusd_t gkeyringd_exec_t:process xguest_gkeyringd_t;
type_transition xguest_t gkeyringd_exec_t:process xguest_gkeyringd_t;

f37# seinfo -xa gkeyringd_domain
Type Attributes: 1
   attribute gkeyringd_domain;
        staff_gkeyringd_t
        sysadm_gkeyringd_t
        user_gkeyringd_t
        xguest_gkeyringd_t

Do you think you need a transition and gnome_exec_keyringd() is not sufficient?
Zdenek: TBH I have absolutely no idea what I need here :-) Would that be something like in ssh.te?

optional_policy(`
    gnome_exec_keyringd(cockpit_session_t)
')

This looks plausible at least and builds. I sent it to https://github.com/cockpit-project/cockpit/pull/18279 to get CI's opinion. Thanks!
Martin, that's correct. I'm sorry, I will be more verbose next time.
That fix landed some months ago.
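One way to confirm on a given host that the fix is in the loaded policy, as an added example that is not from the bug report or the cockpit project: a bash script that parses the raw AVC record quoted in the report into the sesearch query asking whether an allow rule now covers the denied access. It assumes setools (sesearch) is installed for the live check; without it the script only prints the query.

```bash
#!/usr/bin/env bash
# Added example: turn an AVC denial into a "is this allowed now?" sesearch check.
# The AVC line is the one from the bug report above; the functions work on any
# AVC record with scontext/tcontext/tclass fields.

AVC='type=AVC msg=audit(1675181929.352:978): avc: denied { execute } for pid=82943 comm="cockpit-session" name="gnome-keyring-daemon" dev="nvme0n1p5" ino=7645081 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:gkeyringd_exec_t:s0 tclass=file permissive=0'

# SELinux type: third component of a user:role:type:level context ($2 = scontext|tcontext).
avc_type() {
    printf '%s\n' "$1" | sed -n "s/.*$2=[^:]*:[^:]*:\([^:]*\):.*/\1/p"
}

# Plain key=value field, quotes stripped ($2 = tclass, comm, name, ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Permission set between the braces; several perms become the comma list sesearch -p expects.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/ /,/g'
}

# Build the sesearch query answering "does the loaded policy allow this access?"
avc_to_sesearch() {
    local src tgt cls perm
    src=$(avc_type "$1" scontext)
    tgt=$(avc_type "$1" tcontext)
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perms "$1")
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$perm"
}

# Run the query when setools is installed; otherwise only show it.
verify_avc_allowed() {
    local query
    query=$(avc_to_sesearch "$1")
    echo "$query"
    if command -v sesearch >/dev/null 2>&1; then
        # Non-empty output means at least one allow rule covers the denied access.
        if [ -n "$($query 2>/dev/null)" ]; then
            echo "allowed by loaded policy"
        else
            echo "still denied by loaded policy"
        fi
    fi
}

verify_avc_allowed "$AVC"
```

On a host with the fixed cockpit policy the query should list a rule allowing cockpit_session_t execute access on gkeyringd_exec_t files; no output means the module providing gnome_exec_keyringd(cockpit_session_t) is not loaded.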