[Bug 1210207] New: selinux: missing policy for dbus allow msg for xdm_t
https://bugzilla.suse.com/show_bug.cgi?id=1210207

            Bug ID: 1210207
           Summary: selinux: missing policy for dbus allow msg for xdm_t
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: MicroOS
          Assignee: kubic-bugs@opensuse.org
          Reporter: luca.dimaio1@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 866166
  --> https://bugzilla.suse.com/attachment.cgi?id=866166&action=edit
generated rule for selinux with audit2allow

After latest update of either gpg or selinux, now communication with gpg-agent is denied by selinux:

    Apr 06 09:47:58 localhost dbus-daemon[1914]: avc: denied { send_msg } for msgtype=method_return dest=:1.1048 spid=1892 tpid=5585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dbus permissive=0

Running audit2why

    avc: denied { send_msg } for msgtype=method_return dest=:1.1048 spid=1892 tpid=5585 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:spc_t:s0 tclass=dbus permissive=0

        Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

In fact, audit2allow generates a valid module, and everything works like before.

Attaching here the generated modules, loading them fixes the issue.

--
You are receiving this mail because:
You are on the CC list for the bug.

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|MicroOS                     |Security
           Assignee|kubic-bugs@opensuse.org     |security-team@suse.de

Thorsten Kukuk <kukuk@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|selinux: missing policy for |[SELinux] missing policy
                   |dbus allow msg for xdm_t    |for dbus allow msg for
                   |                            |xdm_t

Matej Cepl <mcepl@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcepl@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1210207#c1

--- Comment #1 from Matej Cepl <mcepl@suse.com> ---
Is that what I see here (current Greybeard, MicroOS with selinux-policy-targeted-20230321-1.1)?

    root@stitny ~# ausearch -m AVC -ts today| audit2allow

    #============= local_login_t ==============
    allow local_login_t xserver_t:process signal;
    root@stitny ~# ausearch -m AVC -ts today
    ----
    time->Thu Apr 6 04:29:42 2023
    type=AVC msg=audit(1680748182.835:702): avc: denied { signal } for pid=1056 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=process permissive=0
    ----
    ... [ it repeats multiple times ] ...
    root@stitny ~#

https://bugzilla.suse.com/show_bug.cgi?id=1210207#c2

--- Comment #2 from Matej Cepl <mcepl@suse.com> ---
And yes, I have terrible problems with gpg-agent and ssh-agent asking for password on wrong terminals as if the communication was somehow hampered.

https://bugzilla.suse.com/show_bug.cgi?id=1210207#c3

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
These seem to be two different issues. The original reporter is having some issue with a container running on the system. Please provide the information outlined in
https://en.opensuse.org/openSUSE:Bugreport_SELinux
especially the steps on how to trigger the AVC. Thanks
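
Added example, not part of the bug thread and not SUSE or audit2allow code: a Python triage helper that parses the two AVC records quoted in the thread and groups them by source type, target type and class, which shows that they map to two unrelated type-enforcement rules, as comment #3 says. The function names are hypothetical, the third sample line is constructed, and the output is meant for reviewing denials, not as a policy module.

```python
import re
from collections import defaultdict

# First two records are copied from the thread; the third line is constructed.
SAMPLE_AVCS = [
    'Apr 06 09:47:58 localhost dbus-daemon[1914]: avc: denied { send_msg } for '
    'msgtype=method_return dest=:1.1048 spid=1892 tpid=5585 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:spc_t:s0 tclass=dbus permissive=0',
    'type=AVC msg=audit(1680748182.835:702): avc: denied { signal } for pid=1056 '
    'comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0',
    'Apr 06 09:48:01 localhost example[1]: unrelated log line (constructed)',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('rest')))
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # A context is user:role:type:level; the MLS level may itself contain ':',
    # so split at most three times and take the third element as the type.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':', 3)[2],
        'target': fields['tcontext'].split(':', 3)[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def candidate_rules(lines):
    """Group denials by (source, target, class) and render one rule per group."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            grouped[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for src, tgt, cls in sorted(grouped):
        perms = sorted(grouped[(src, tgt, cls)])
        text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_AVCS)))
```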