Bug 1931131 - Can't start sway wm as user_u
Status: CLOSED DUPLICATE of bug 1878094
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-02-20 20:41 UTC by Petr Lautrbach
Modified: 2021-06-09 06:05 UTC (History)
Last Closed: 2021-06-09 06:05:01 UTC
Type: Bug

Description Petr Lautrbach 2021-02-20 20:41:31 UTC
Description of problem:

1. Run 'exec systemctl --wait --user start sway.service'

2. 'ausearch -m avc,user_avc,selinux_err -ts boot | audit2allow -M localfromaudit2allow'  

3. # /usr/libexec/selinux/hll/pp localfromaudit2allow.pp
(typeattributeset cil_gen_require user_tmp_t)
(typeattributeset cil_gen_require fonts_t)
(typeattributeset cil_gen_require utempter_t)
(typeattributeset cil_gen_require sysfs_t)
(typeattributeset cil_gen_require user_dbusd_t)
(typeattributeset cil_gen_require user_t)
(typeattributeset cil_gen_require user_gkeyringd_t)
(typeattributeset cil_gen_require device_t)
(typeattributeset cil_gen_require etc_t)
(typeattributeset cil_gen_require gpg_agent_t)
(typeattributeset cil_gen_require avahi_t)
(allow avahi_t etc_t (dir (watch)))
(allow gpg_agent_t sysfs_t (filesystem (getattr)))
(allow gpg_agent_t user_t (unix_stream_socket (getattr ioctl)))
(allow user_gkeyringd_t self (process (setsched)))
(allow user_gkeyringd_t user_dbusd_t (unix_stream_socket (getattr)))
(allow user_t device_t (dir (watch)))
(allow user_t fonts_t (dir (watch)))
(allow user_t self (netlink_generic_socket (bind create setopt)))
(allow user_t sysfs_t (dir (watch)))
(allow user_t sysfs_t (file (watch watch_reads)))
(allow user_t user_tmp_t (chr_file (create)))
(allow user_t user_tmp_t (dir (create)))
(allow user_t user_tmp_t (fifo_file (create)))
(allow user_t user_tmp_t (file (create)))
(allow user_t user_tmp_t (lnk_file (create)))
(allow user_t user_tmp_t (sock_file (create)))
(allow utempter_t user_t (unix_stream_socket (getattr)))


Version-Release number of selected component (if applicable):
selinux-policy-3.14.8-2.20210219_212512.b471a50.fc35.noarch


Comment 1 Petr Lautrbach 2021-02-21 07:45:31 UTC
#============= user_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain chr_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:chr_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:dir create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain fifo_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:fifo_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain lnk_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:lnk_file create;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#       constrain sock_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:sock_file create;
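
Added example (not part of the bug report or of the selinux-policy project): a Python triage of audit2allow text output like that in comment 1, separating ordinary allow rules from denials annotated as constraint violations, which an allow rule alone does not resolve. The sample input is constructed, and the names triage and split_rules are hypothetical.

```python
import re

# Constructed sample in audit2allow's text format. The first entry is copied from
# comment 1; the other two are te-syntax forms of CIL rules in the description.
SAMPLE = """\
#============= user_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain chr_file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (user_u) and target user (system_u) are different.
allow user_t user_tmp_t:chr_file create;
allow user_t fonts_t:dir watch;
allow user_t sysfs_t:file { watch watch_reads };
"""

ALLOW = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")
FAILED = re.compile(r"\(([^()]+?)\s+-Fail-\)")
USERS = re.compile(r"source user \((\S+)\) and target user \((\S+)\)")

def triage(text):
    """Return one record per allow rule, carrying any constraint annotations above it."""
    records, pending = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!") and "constraint violation" in line:
            pending["constraint"] = True
        elif line.startswith("#") and "Constraint DENIED" in line:
            pending["failed"] = FAILED.findall(line)  # sub-expressions marked -Fail-
        elif line.startswith("#") and (m := USERS.search(line)):
            pending["users"] = m.groups()  # (source SELinux user, target SELinux user)
        elif m := ALLOW.match(line):
            src, tgt, cls, many, one = m.groups()
            records.append({"source": src, "target": tgt, "class": cls,
                            "perms": (many or one).split(),
                            "constraint": pending.get("constraint", False),
                            "failed": pending.get("failed", []),
                            "users": pending.get("users")})
            pending = {}  # annotations apply only to the next rule
    return records

def split_rules(records):
    """Split into (plain allow rules, rules annotated as constraint violations)."""
    return ([r for r in records if not r["constraint"]],
            [r for r in records if r["constraint"]])

if __name__ == "__main__":
    plain, blocked = split_rules(triage(SAMPLE))
    print(len(plain), "plain rules;", len(blocked), "constraint denials:", blocked)
```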

Comment 2 Milos Malik 2021-02-22 16:39:14 UTC
Can you check if the SELinux denials on your machine are similar to those mentioned in comment#4 of https://bugzilla.redhat.com/show_bug.cgi?id=1878094 ?

Comment 3 Petr Lautrbach 2021-06-09 06:05:01 UTC

*** This bug has been marked as a duplicate of bug 1878094 ***

