Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1943574
| Summary: | SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-ufLMg28o5I. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andras Feher <afeher> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | ASSIGNED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 34 | CC: | ajtbecool, aqaruoti21, bojan, dwalsh, Gecko8211, grepl.miroslav, hlopes, ilaurie, joardar73, luizfercp, lvrabec, me+fedoraproject, mikhail.v.gavrilov, mmalik, omosnace, plautrba, redhat74, shawn, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | aarch64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:55d30bfde59b26775ef0646555081e56dfd3c23a0e8c631c10fcfcbeaa4ab794;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 1945270 has been marked as a duplicate of this bug. *** Similar problem has been detected: Booted fc34 WS and logged in. hashmarkername: setroubleshoot kernel: 5.11.14-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-fGwdvY3I84. type: libreport Similar problem has been detected: Upgrade to F34. hashmarkername: setroubleshoot kernel: 5.11.16-300.fc34.x86_64 package: selinux-policy-targeted-34.3-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-b8KDrikwqA. type: libreport Similar problem has been detected: Happened after upgrade from F33 to F34. hashmarkername: setroubleshoot kernel: 5.11.18-300.fc34.x86_64 package: selinux-policy-targeted-34.5-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-ZsyysHDIwE. type: libreport *** Bug 1963074 has been marked as a duplicate of this bug. *** Similar problem has been detected:
SELinux is preventing gnome-shell from connectto access on the unix_stream_socket /tmp/dbus-RcST4EcrmP.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gnome-shell should be allowed connectto access on the dbus-RcST4EcrmP unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell
# semodule -X 300 -i my-gnomeshell.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:unconfined_service_t:s0-s0:c0.c1
023
Target Objects /tmp/dbus-RcST4EcrmP [ unix_stream_socket ]
Source gnome-shell
Source Path gnome-shell
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.7-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.7-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux fedora 5.12.6-300.fc34.x86_64 #1 SMP Sat May
22 20:42:55 UTC 2021 x86_64 x86_64
Alert Count 7
First Seen 2021-05-27 17:22:58 EDT
Last Seen 2021-05-27 17:23:02 EDT
Local ID 4cf34877-a9ed-4324-a42d-1ffeeeceecb8
Raw Audit Messages
type=AVC msg=audit(1622150582.606:752): avc: denied { connectto } for pid=2452 comm="ibus-x11" path="/tmp/dbus-RcST4EcrmP" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Hash: gnome-shell,xdm_t,unconfined_service_t,unix_stream_socket,connectto
hashmarkername: setroubleshoot
kernel: 5.12.6-300.fc34.x86_64
package: selinux-policy-targeted-34.7-1.fc34.noarch
reason: SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-RcST4EcrmP.
type: libreport
Similar problem has been detected: - Installed Fedora Workstation 34 - Replace gnome shell with xfce shell - installed snapd - installed icloud-for-linux hashmarkername: setroubleshoot kernel: 5.12.13-300.fc34.x86_64 package: selinux-policy-targeted-34.12-1.fc34.noarch reason: SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-iaa4NpKPWv. type: libreport |
Description of problem: install bete and update SELinux is preventing gnome-shell from 'connectto' accesses on the unix_stream_socket /tmp/dbus-ufLMg28o5I. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gnome-shell should be allowed connectto access on the dbus-ufLMg28o5I unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gnome-shell' --raw | audit2allow -M my-gnomeshell # semodule -X 300 -i my-gnomeshell.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:unconfined_service_t:s0-s0:c0.c1 023 Target Objects /tmp/dbus-ufLMg28o5I [ unix_stream_socket ] Source gnome-shell Source Path gnome-shell Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.7-27.fc34.noarch Local Policy RPM selinux-policy-targeted-3.14.7-27.fc34.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.11.9-300.fc34.aarch64 #1 SMP Wed Mar 24 11:48:39 UTC 2021 aarch64 aarch64 Alert Count 14 First Seen 2021-03-26 12:49:34 CET Last Seen 2021-03-26 14:36:43 CET Local ID 043a4c80-0f03-40a5-a1b8-2d4ef6832f42 Raw Audit Messages type=AVC msg=audit(1616765803.444:586): avc: denied { connectto } for pid=1403 comm="ibus-x11" path="/tmp/dbus-ufLMg28o5I" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: gnome-shell,xdm_t,unconfined_service_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-targeted-3.14.7-27.fc34.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.9-300.fc34.aarch64 type: libreport