  1. RHEL
  2. RHEL-138731

SELinux policy blocks TPM access to gnome-remote-desktop


    • Bug
    • Resolution: Unresolved
    • Minor
    • rhel-10.3
    • rhel-10.1
    • selinux-policy
    • rhel-security-selinux

      What were you trying to do that didn't work?

      When attempting to start the gnome-remote-desktop-daemon service, SELinux denies access to the Trusted Platform Module, blocking the service from starting.

      What is the impact of this issue to you?

      High. Prevents GNOME RDP service from being accessed.

      Please provide the package NVR for which the bug is seen:

      42.1.7-1

      How reproducible is this bug?: 100%

      Steps to reproduce

      1. Install the GUI per this KCS article.
      2. Configure the RDP service per the documentation.
      3. Start the RDP service.

      Expected results

      Connection attempts to RDP are successful.

      Actual results

      Connection fails with the following AVC message:

      Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpm0. For complete SELinux messages run: sealert -l 02b1f630-9b38-48ec-8814-d2bfc9679bc6
      Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpm0.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that gnome-remote-desktop-daemon should be allowed getattr access on the tpm0 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gnome-remote-de' --raw | audit2allow -M my-gnomeremotede#012# semodule -X 300 -i my-gnomeremotede.pp#012
      Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpmrm0. For complete SELinux messages run: sealert -l 02b1f630-9b38-48ec-8814-d2bfc9679bc6
      Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpmrm0.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that gnome-remote-desktop-daemon should be allowed getattr access on the tpmrm0 chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'gnome-remote-de' --raw | audit2allow -M my-gnomeremotede#012# semodule -X 300 -i my-gnomeremotede.pp#012

        1. messages.txt
          46 kB
          Andrew Mike
        2. audit.txt
          13 kB
          Andrew Mike

              rhn-support-zpytela Zdenek Pytela
              rhn-support-amike Andrew Mike
              Zdenek Pytela
              SSG Security QE
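A triage helper for the setroubleshoot lines quoted in the report, as an added example that is not part of the original issue or of any Red Hat tooling: it decodes rsyslog's `#012` escapes and collapses repeated messages into one record per distinct denial, so the exact permission, object class and target paths are visible before any local policy is considered. The function names and the shortened sample lines are constructed for illustration.

```python
import re

# Constructed sample: shortened copies of the setroubleshoot lines quoted in the report.
SAMPLE = """\
Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpm0. For complete SELinux messages run: sealert -l 02b1f630-9b38-48ec-8814-d2bfc9679bc6
Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpm0.#012#012***** Plugin catchall (100. confidence) suggests *****#012
Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpmrm0. For complete SELinux messages run: sealert -l 02b1f630-9b38-48ec-8814-d2bfc9679bc6
Dec 18 12:43:53 04327741 setroubleshoot[4319]: SELinux is preventing /usr/libexec/gnome-remote-desktop-daemon from getattr access on the chr_file /dev/tpmrm0.#012#012***** Plugin catchall (100. confidence) suggests *****#012
"""

# "SELinux is preventing <source> from <perms> access on the <class> <target>."
DENIAL = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perms>[\w, ]+?) access "
    r"on the (?P<tclass>\w+) (?P<target>\S+)\.(?=\s|$)")
SEALERT = re.compile(r"sealert -l ([0-9a-f-]{36})")


def decode_syslog(line):
    """Undo rsyslog's #ooo octal escaping of control characters (#012 is newline)."""
    return re.sub(r"#(0[0-3][0-7])", lambda m: chr(int(m.group(1), 8)), line)


def summarize(text):
    """Return {(source, perms, class, target): {"count", "sealert_ids"}}."""
    seen = {}
    for raw in text.splitlines():
        line = decode_syslog(raw)
        m = DENIAL.search(line)
        if not m:
            continue  # not a setroubleshoot denial summary
        key = (m["source"], m["perms"], m["tclass"], m["target"])
        rec = seen.setdefault(key, {"count": 0, "sealert_ids": set()})
        rec["count"] += 1
        rec["sealert_ids"].update(SEALERT.findall(line))
    return seen


if __name__ == "__main__":
    for (source, perms, tclass, target), rec in summarize(SAMPLE).items():
        ids = ", ".join(sorted(rec["sealert_ids"])) or "-"
        print(f"{source}: {perms} on {tclass} {target} x{rec['count']} (sealert {ids})")
```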