Bug 1211777 - [SELinux] strange AVC error with xserver_t on MicroOS
Status: RESOLVED NORESPONSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Filippo Bonazzi
Reported: 2023-05-28 20:04 UTC by Matej Cepl
Modified: 2023-08-12 09:07 UTC
Description Matej Cepl 2023-05-28 20:04:15 UTC
Where should I rant about a problem in MicroOS Desktop? 

stitny:~# ausearch -m AVC -ts today
----
time->Sat May 27 04:29:42 2023
type=AVC msg=audit(1685154582.182:1097): avc:  denied  { signal } for  pid=1073 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Sat May 27 04:29:42 2023
type=AVC msg=audit(1685154582.186:1098): avc:  denied  { signal } for  pid=1073 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Sat May 27 04:29:42 2023
type=AVC msg=audit(1685154582.198:1099): avc:  denied  { signal } for  pid=1073 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=process permissive=0
stitny:~# 

ps auxZ gives me

unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 matej 4092 0.2  0.6 892896 110292 tty1 Sl+ 05:12   1:39 Xwayland :0 -rootless -core -terminate -listen 30 -listen 31 -displayfd 101 -wm 95

as the only xserver_t process.

I wonder whether it has any connection with my problems connecting my notebook to an HDMI projector (see https://www.reddit.com/r/swaywm/comments/13t89ub/no_autoconnect_with_hdmi/).

Unfortunately, the result is that I will have to present from PDF on the Internet.
Comment 1 Filippo Bonazzi 2023-05-29 09:34:52 UTC
Hi Matej, I'm not sure this is related to connecting over HDMI. On Tumbleweed/sway I was able to connect to the projector on stage at openSUSEcon on the first try, it got auto-detected and auto-assigned a workspace. All of this without AVCs.

Also the AVCs are from 04:29 in the morning, so they are probably unrelated. I don't suppose you tried to set SELinux to permissive while fighting with the projector?

I think more likely this is some issue with Xwayland, but I'm not sure how to try to reproduce this. Were you running some specific Xwayland application?
Comment 2 Matej Cepl 2023-05-30 14:33:01 UTC
(In reply to Filippo Bonazzi from comment #1)
> Hi Matej, I'm not sure this is related to connecting over HDMI. On
> Tumbleweed/sway I was able to connect to the projector on stage at
> openSUSEcon on the first try, it got auto-detected and auto-assigned a
> workspace. All of this without AVCs.

So, that must be some kind of difference between Tumbleweed and MicroOS?

> Also the AVCs are from 04:29 in the morning, so they are probably unrelated.
> I don't suppose you tried to set SELinux to permissive while fighting with
> the projector?

I am certain that I was not playing with the projector at 4:29 am, and yes I had trouble sleeping, but I really cannot remember what I actually did.

> I think more likely this is some issue with Xwayland, but I'm not sure how
> to try to reproduce this. Were you running some specific Xwayland
> application?

I hoped that I was completely Xwayland-free … and heh, I am wrong, apparently the Flatpak version of Thunderbird (https://flathub.org/apps/org.mozilla.Thunderbird) is actually an X app.
Comment 3 Filippo Bonazzi 2023-05-30 14:43:21 UTC
Can you explain a little bit more about your setup?

Are you running a stock MicroOS Desktop with GNOME? Did you change anything in e.g. the way you log in to your graphical session? Did you change anything in the system SELinux setup?

Upon further discussions, I noticed that the target context in the AVCs looks somewhat odd (unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023). The combination of unconfined_u and unconfined_r makes it look like this would be something pertaining to an unconfined user (i.e. your user), but I'm not sure that a user resource would have a xserver_t type.
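
Added example, not part of the original thread or of any participant's comment: a small Python parser that splits the AVC records from the description into their fields and groups repeats, so the target context discussed in comment 3 can be read as separate user, role, type and MLS range. The names parse_avc, summarize and mixed_identity are made up for this example; the sample records are the three from the report.

```python
import re
from collections import Counter, namedtuple

Context = namedtuple("Context", "user role type mls")
Denial = namedtuple("Denial", "serial perms comm source target tclass")
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(raw):
    # The MLS range contains ':' itself (s0-s0:c0.c1023), so split at most 3 times.
    parts = raw.split(":", 3)
    return Context(*(parts + [""] * (4 - len(parts))))

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None  # "----" separators, "time->" lines, shell prompts
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    return Denial(int(m["serial"]), tuple(m["perms"].split()), kv["comm"],
                  parse_context(kv["scontext"]), parse_context(kv["tcontext"]), kv["tclass"])

def summarize(text):
    # Group repeated denials by (source type, target type, class, permissions).
    denials = [d for d in map(parse_avc, text.splitlines()) if d]
    return Counter((d.source.type, d.target.type, d.tclass, d.perms) for d in denials), denials

def mixed_identity(ctx):
    # The pattern comment 3 points at: unconfined user and role, but another type.
    return (ctx.user, ctx.role) == ("unconfined_u", "unconfined_r") and ctx.type != "unconfined_t"

# The three records from the report; they differ only in timestamp and serial.
_REC = ('type=AVC msg=audit({}): avc:  denied  {{ signal }} for  pid=1073 comm="login" '
        'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
        'tcontext=unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 tclass=process permissive=0')
SAMPLE = "\n----\ntime->Sat May 27 04:29:42 2023\n".join(
    _REC.format(s) for s in ("1685154582.182:1097", "1685154582.186:1098", "1685154582.198:1099"))

if __name__ == "__main__":
    groups, denials = summarize(SAMPLE)
    for key, count in groups.items():
        print(count, key, "mixed target identity:", mixed_identity(denials[0].target))
```

On the report's data the three records collapse into one group: local_login_t denied signal on a process labelled xserver_t.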
Comment 4 Dario Faggioli 2023-06-01 07:23:11 UTC
(In reply to Filippo Bonazzi from comment #3)
> Can you explain a little bit more about your setup?
> 
> Are you running a stock MicroOS Desktop with GNOME? Did you change anything
> in e.g. the way you log in to your graphical session? Did you change
> anything in the system SELinux setup?
> 
FWIW, HDMI output/projector works on my (pretty) stock MicroOS Desktop with GNOME.

Let me know if I can provide any log or output to help...
Comment 5 Filippo Bonazzi 2023-06-19 17:27:02 UTC
Closing this as the problem can't be reproduced and no information has been provided. Feel free to reopen this if it pops up again.
Comment 6 Matej Cepl 2023-08-12 09:07:30 UTC
(In reply to Filippo Bonazzi from comment #3)
> Are you running a stock MicroOS Desktop with GNOME? Did you change anything
> in e.g. the way you log in to your graphical session? Did you change
> anything in the system SELinux setup?
> 
> Upon further discussions, I noticed that the target context in the AVCs
> looks somewhat odd (unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023). The
> combination of unconfined_u and unconfined_r makes it look like this would
> be something pertaining to an unconfined user (i.e. your user), but I'm not
> sure that a user resource would have a xserver_t type.

No, running Greybeard (https://build.opensuse.org/package/show/home:RBrownSUSE:Greybeard/greybeard) with Sway. And the problem might be in the fact we don’t run any login manager here (not even greetd). Hmm.