SELinux is preventing login from getattr access on the filesystem /dev/shm

neongreeneggplant · December 10, 2020, 6:17pm

Hi there,

I have a problem with my current fedora.

My desktop freezes and I run a killall -HUP gnome-shell to be able to continue to work.
This works.

After the system is responsible again, I discover this SELinux alert:

SELinux is preventing login from getattr access on the filesystem /dev/shm.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that login should be allowed getattr access on the shm filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

ausearch -c ‘login’ --raw | audit2allow -M my-login

semodule -X 300 -i my-login.pp

Additional Information:
Source Context system_u:system_r:local_login_t:s0-s0:c0.c1023
Target Context system_u:object_r:tmpfs_t:s0
Target Objects /dev/shm [ filesystem ]
Source login
Source Path login
Port
Host xxx
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.5-45.fc32.noarch
Local Policy RPM selinux-policy-targeted-3.14.5-45.fc32.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name precision
Platform Linux xxx 5.9.11-100.fc32.x86_64 #1 SMP Tue
Nov 24 19:16:53 UTC 2020 x86_64 x86_64
Alert Count 8
First Seen 2020-11-01 09:55:36 CET
Last Seen 2020-12-10 12:08:06 CET
Local ID 0455cc3c-28fd-4ede-b7d1-b4d823a21ef5

Raw Audit Messages
type=AVC msg=audit(1607598486.668:2330): avc: denied { getattr } for pid=153936 comm=“login” name="/" dev=“tmpfs” ino=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Hash: login,local_login_t,tmpfs_t,filesystem,getattr

What is the login process doing there? Is it legit to allow it?

Another question: Is this really related to the freeze? How can I check this hypothesis.

Best regards
Benjamin

rele · December 10, 2020, 7:41pm

Hi @neongreeneggplant, welcome to the community! Please take a minute to go through the introductory post in the #start-here category if you’ve not had a chance to do so yet. It includes information on how to use the forum effectively.

Did this problem start right after a clean install?

neongreeneggplant · December 10, 2020, 10:05pm

Hi @rele

I have setup the system in May 2019, it is not a clean install.

Here is some additional information:

uname -a
Linux xxx 5.9.11-100.fc32.x86_64 #1 SMP Tue Nov 24 19:16:53 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat-release
Fedora release 32 (Thirty Two)

rele · December 11, 2020, 9:29am

When did the problem start? What were you doing? What is the ouput of dnf repolist ?

To find out if the freeze is related to the selinux alert you could temporary set selinux to permissive, you can do that by editing /etc/selinux/config and change the line SELINUX=enforcing to SELINUX=permissive. After a reboot this change will take effect.

Have you considered upgrading to Fedora 33?

neongreeneggplant · December 15, 2020, 6:10pm

I first noticed the freeze a couple of weeks ago while using Firefox.

The freeze is happening really rarely, so I will not be able to tell for a possible long time unless it happens again.

Completely disabling SELinux is not something I consider an option. I’d prefer to minimally adjust the SELinux policy - if I ever find out whether the access which triggered the alert “SELinux is preventing login from getattr access on the filesystem /dev/shm” should be considered “legit” or not.

> dnf repolist
repo id                                               repo name
Dropbox                                               Dropbox Repository
azure-cli                                             Azure CLI
code                                                  Visual Studio Code
fedora                                                Fedora 32 - x86_64
fedora-cisco-openh264                                 Fedora 32 openh264 (From Cisco) - x86_64
fedora-modular                                        Fedora Modular 32 - x86_64
google-chrome                                         google-chrome
hashicorp                                             Hashicorp Stable - x86_64
keybase                                               keybase
kubernetes                                            Kubernetes
rpmfusion-free                                        RPM Fusion for Fedora 32 - Free
rpmfusion-free-updates                                RPM Fusion for Fedora 32 - Free - Updates
rpmfusion-nonfree                                     RPM Fusion for Fedora 32 - Nonfree
rpmfusion-nonfree-nvidia-driver                       RPM Fusion for Fedora 32 - Nonfree - NVIDIA Driver
rpmfusion-nonfree-steam                               RPM Fusion for Fedora 32 - Nonfree - Steam
rpmfusion-nonfree-updates                             RPM Fusion for Fedora 32 - Nonfree - Updates
scootersoftware                                       Scooter Software
tailscale-stable                                      Tailscale stable
teams                                                 teams
updates                                               Fedora 32 - x86_64 - Updates
updates-modular                                       Fedora Modular 32 - x86_64 - Updates

I will install Fedora 33 soon. For now I am still searching a hint