Bug 1223145 - [SELinux] AVC denial on tw + gnome startup relating to xdm_t
Summary: [SELinux] AVC denial on tw + gnome startup relating to xdm_t
Status: RESOLVED FIXED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Normal (vote)
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-19 12:18 UTC by Cathy Hu
Modified: 2024-06-18 09:07 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Cathy Hu 2024-04-19 12:18:33 UTC 
Operating System: tumbleweed with gnome desktop

SELinux policy version and repository: the one currently in security:SELinux containing the /var/run change (commit in factory branch: 7eb64de2191880e9d2207fa60c9605268d6fc8ce)

The software (incl. version) that is affected by the SELinux issue and the error message: 
gnome 46 + wayland

SELinux Audit log:

----
time->Fri Apr 19 13:58:55 2024
type=AVC msg=audit(1713527935.206:83): avc:  denied  { getattr } for  pid=1019 comm="startproc" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=2256 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0


Any other important details: 
install tumbleweed with gnome desktop over regular installer
enable selinux, add security:SELinux repo, install selinux-policy + selinux-policy targeted from repo, reboot, AVC happens on every boot


low prio, does not break functionality on a quick look
Comment 1 Filippo Bonazzi 2024-06-18 09:07:22 UTC 
Fix submitted in https://build.opensuse.org/request/show/1181332