Description of problem:
SELinux is preventing /usr/bin/gnome-shell from using the signull access on a process.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that gnome-shell should be allowed signull access on processes labeled gnome_atspi_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        gnome-shell
Source Path                   /usr/bin/gnome-shell
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           ibus-1.5.25-2.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 5.14.0-162.12.1.el9_1.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Dec 20 06:06:30 EST 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2023-02-03 11:56:51 CET
Last Seen                     2023-02-03 11:56:51 CET
Local ID                      b32e5a0b-2a16-459b-a32a-eb594cc6916e

Raw Audit Messages
type=AVC msg=audit(1675421811.813:100): avc:  denied  { signull } for  pid=2849 comm="ibus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0

type=SYSCALL msg=audit(1675421811.813:100): arch=x86_64 syscall=kill success=no exit=EACCES a0=b0c a1=0 a2=55945b4e1d57 a3=7f3c36c17ac0 items=0 ppid=2684 pid=2849 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=tty1 ses=4294967295 comm=ibus-daemon exe=/usr/bin/ibus-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-shell,xdm_t,gnome_atspi_t,process,signull

Version-Release number of selected component (if applicable):
Name         : gnome-shell
Version      : 40.10
Release      : 4.el9_1
Architecture : x86_64

Name         : ibus
Version      : 1.5.25
Release      : 2.el9
Architecture : x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hi, can you please reproduce the issue in permissive mode?
# setenforce 0
Could not trace back what triggered the issue in the first place. It occurred only once and I have not seen it again so far. Could not trigger the issue again after many attempts in enforcing mode, so I don't know how to trigger it in permissive mode.

I think gnome-shell is now allowed access, as I found the following:

$ sudo audit2allow -a
...
#============= xdm_t ==============
allow xdm_t gnome_atspi_t:process signull;
allow xdm_t unlabeled_t:file getattr;

-> If I'm correct, then the first allow line prevents the issue from occurring. However, semodule does not show me that it was manually added:

$ sudo semodule -lfull | grep 300
300 my-6                 pp
300 my-python            pp
300 my-raster2dymolw     pp
300 my-rhsmcertdworke    pp
300 my-snap              pp
300 my-snapconfine       pp
300 my-snapd             pp
300 my-snapseccomp       pp
300 my-systemduserru     pp

None of the my-*.pp files contains anything about gnome, xdm, or signull. I have no idea how the allow line below, as presented by audit2allow, was implemented, or how I can remove it to test whether I can trigger the issue again:

allow xdm_t gnome_atspi_t:process signull;
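Added example for readers working through a report like this one (it is not part of the bug report, and not code from setroubleshoot, audit2allow or selinux-policy): a small Python script that parses raw AVC records such as the one quoted above into the type-enforcement rule audit2allow would print, and builds the setools `sesearch` query that checks whether that rule is actually present in the loaded policy. The distinction matters here: `audit2allow -a` translates every denial it finds in the audit log into a rule, so a rule in its output shows only that the denial was logged, not that anything now allows it; `sesearch -A` against the running policy is the check for that. The `Denial` class and the function names are my own; the first two sample records are the ones from this report, the third is constructed for illustration.

```python
"""Parse raw AVC denial records and build the policy checks a triager runs.

Example added to this report; not from setroubleshoot or audit2allow.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Kernel AVC record: 'avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: tuple          # sorted permission names
    comm: str             # process name from comm="..."

    def allow_rule(self) -> str:
        """Type-enforcement rule in the form audit2allow prints."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"

    def sesearch_cmd(self) -> List[str]:
        """setools query answering: does the loaded policy already allow this?"""
        return ["sesearch", "-A", "-s", self.source_type, "-t", self.target_type,
                "-c", self.tclass, "-p", ",".join(self.perms)]


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type.  The MLS range (s0-s0:c0.c1023) contains
    colons itself, so only the first three fields are split off."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for a type=AVC denial record, None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return Denial(
            source_type=context_type(fields["scontext"]),
            target_type=context_type(fields["tcontext"]),
            tclass=fields["tclass"],
            perms=tuple(sorted(m.group("perms").split())),
            comm=fields.get("comm", "?"),
        )
    except KeyError:
        return None


def parse_log(text: str) -> List[Denial]:
    """Distinct denials in a chunk of audit.log / 'ausearch --raw' output, in order."""
    seen, out = set(), []
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def is_allowed_by_loaded_policy(d: Denial) -> Optional[bool]:
    """Run sesearch when setools is installed; None when it is not available."""
    if shutil.which("sesearch") is None:
        return None
    res = subprocess.run(d.sesearch_cmd(), capture_output=True, text=True, check=False)
    return bool(res.stdout.strip())


# Sample input.  The first two records are the ones quoted in this report; the
# third is constructed here to show a multi-permission denial on a file.
SAMPLE_LOG = """\
type=AVC msg=audit(1675421811.813:100): avc:  denied  { signull } for  pid=2849 comm="ibus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnome_atspi_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1675421811.813:100): arch=x86_64 syscall=kill success=no exit=EACCES a0=b0c a1=0 a2=55945b4e1d57 a3=7f3c36c17ac0 items=0 ppid=2684 pid=2849 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=tty1 ses=4294967295 comm=ibus-daemon exe=/usr/bin/ibus-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675421900.001:101): avc:  denied  { read open } for  pid=3100 comm="example" path="/etc/example.conf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(d.allow_rule())
        print("  check:", " ".join(d.sesearch_cmd()))
        print("  loaded policy allows it:", is_allowed_by_loaded_policy(d))
```

On a box with setools installed, an empty result from the printed `sesearch -A ...` line means the loaded policy does not contain the rule and the denial would recur; a non-empty result means some loaded module or boolean-controlled rule allows it. To find which module, the local modules listed by `semodule -lfull` can be extracted as CIL with `semodule -E <name> -c` and searched for the type pair; an absence there points at the distribution policy rather than a locally added module.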