RHEL / RHEL-150271

fapolicyd denies multiple trusted applications in GUI mode


    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-10.1, rhel-9.7
    • fapolicyd
    • Important
    • rhel-security-selinux

      What were you trying to do that didn't work?

      On a freshly installed "Server with GUI" system, many applications get denied by fapolicyd with default rules.

      For example, as soon as logged in, /usr/share/gnome-shell/org.gnome.Shell.Screencast fails to execute:

      type=PROCTITLE msg=audit(02/17/2026 09:19:02.205:462) : proctitle=/usr/bin/gjs -m /usr/share/gnome-shell/org.gnome.Shell.Screencast
      type=PATH msg=audit(02/17/2026 09:19:02.205:462) : item=0 name=/usr/share/gnome-shell/org.gnome.Shell.Screencast inode=51548238 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(02/17/2026 09:19:02.205:462) : cwd=/home/admin
      type=SYSCALL msg=audit(02/17/2026 09:19:02.205:462) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) a0=AT_FDCWD a1=0x5644e8c68800 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2864 pid=3050 auid=admin uid=admin gid=admin euid=admin suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=(none) ses=5 comm=gjs exe=/usr/bin/gjs-console subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=FANOTIFY msg=audit(02/17/2026 09:19:02.205:462) : resp=deny fan_type=rule_info fan_info=11 subj_trust=unknown obj_trust=no
      

      Here the file above is not trusted, despite being delivered by the gnome-shell RPM.

      Another example: starting Emacs fails because Lisp scripts are not trusted even though they are delivered by the emacs-common RPM:

      type=PROCTITLE msg=audit(02/17/2026 09:29:05.936:567) : proctitle=emacs
      type=PATH msg=audit(02/17/2026 09:29:05.936:567) : item=0 name=/usr/share/emacs/site-lisp/site-start.el inode=18423990 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(02/17/2026 09:29:05.936:567) : cwd=/home/admin
      type=SYSCALL msg=audit(02/17/2026 09:29:05.936:567) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) a0=AT_FDCWD a1=0x561ee53e31b0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=2864 pid=4970 auid=admin uid=admin gid=admin euid=admin suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=(none) ses=5 comm=emacs exe=/usr/bin/emacs-29.4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=FANOTIFY msg=audit(02/17/2026 09:29:05.936:567) : resp=deny fan_type=rule_info fan_info=11 subj_trust=unknown obj_trust=no


      Yet another example: /usr/bin/gnome-characters cannot be executed by systemd-executor because, again, it's not trusted:

      type=PROCTITLE msg=audit(02/17/2026 09:37:33.626:589) : proctitle=(aracters)
      type=PATH msg=audit(02/17/2026 09:37:33.626:589) : item=0 name=/usr/bin/gnome-characters inode=17879788 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(02/17/2026 09:37:33.626:589) : cwd=/home/admin
      type=SYSCALL msg=audit(02/17/2026 09:37:33.626:589) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) a0=0x55bf2bf3b680 a1=0x55bf2bf3b660 a2=0x55bf2bf3aec0 a3=0x0 items=1 ppid=2864 pid=5730 auid=admin uid=admin gid=admin euid=admin suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=(none) ses=5 comm=(aracters) exe=/usr/lib/systemd/systemd-executor subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=FANOTIFY msg=audit(02/17/2026 09:37:33.626:589) : resp=deny fan_type=rule_info fan_info=11 subj_trust=unknown obj_trust=no
      

      /usr/bin/gnome-characters is not trusted because it's a symlink to a JavaScript source:

      # ls -l /usr/bin/gnome-characters
      lrwxrwxrwx. 1 root root 52 Oct 29  2024 /usr/bin/gnome-characters -> /usr/share/org.gnome.Characters/org.gnome.Characters
      # file /usr/share/org.gnome.Characters/org.gnome.Characters
      /usr/share/org.gnome.Characters/org.gnome.Characters: Java source, ASCII text
      

      All this is due to filtering the content of the RPMs to avoid having a large database in memory.
      From the examples above, we can deduce that filtering is not a possibility.

      What is the impact of this issue to you?

      Can't run a GUI properly

      Please provide the package NVR for which the bug is seen:

      fapolicyd-1.3.3-107.el10

      How reproducible is this bug?

      Always

      Steps to reproduce

      1. Install a "Server with GUI"
      2. Start a session
      3. Execute emacs from a terminal
      4. Execute Characters application from menu launcher

      Expected results

      No denial on a stock RHEL10 installation

      Actual results

      Lots of denials (attaching a report)
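      Added example (not part of this report and not fapolicyd code): a small triage script that correlates the SYSCALL, PATH and FANOTIFY records of each audit event by serial number, so that each denial is reported as one line with the subject binary, the denied object and the rule number. The sample records are constructed from the events quoted above, trimmed to the fields the parser uses; the record and field syntax is what `ausearch -i` prints.

```python
"""Correlate fapolicyd (FANOTIFY) denials from `ausearch -i` output.

Added example, not from the bug report or from the fapolicyd project.
SAMPLE is constructed from the events quoted in the report, trimmed to
the fields used here; the last record is a made-up non-denial to show
that only resp=deny events are reported.
"""
import re
from collections import defaultdict

SAMPLE = """\
type=PROCTITLE msg=audit(02/17/2026 09:19:02.205:462) : proctitle=/usr/bin/gjs -m /usr/share/gnome-shell/org.gnome.Shell.Screencast
type=PATH msg=audit(02/17/2026 09:19:02.205:462) : item=0 name=/usr/share/gnome-shell/org.gnome.Shell.Screencast inode=51548238 dev=fd:00 mode=file,644 ouid=root ogid=root obj=system_u:object_r:usr_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(02/17/2026 09:19:02.205:462) : arch=x86_64 syscall=openat success=no exit=EPERM(Operation not permitted) ppid=2864 pid=3050 auid=admin uid=admin comm=gjs exe=/usr/bin/gjs-console key=(null)
type=FANOTIFY msg=audit(02/17/2026 09:19:02.205:462) : resp=deny fan_type=rule_info fan_info=11 subj_trust=unknown obj_trust=no
type=PROCTITLE msg=audit(02/17/2026 09:37:33.626:589) : proctitle=(aracters)
type=PATH msg=audit(02/17/2026 09:37:33.626:589) : item=0 name=/usr/bin/gnome-characters inode=17879788 dev=fd:00 mode=file,755 ouid=root ogid=root nametype=NORMAL
type=SYSCALL msg=audit(02/17/2026 09:37:33.626:589) : arch=x86_64 syscall=execve success=no exit=EPERM(Operation not permitted) ppid=2864 pid=5730 auid=admin uid=admin comm=(aracters) exe=/usr/lib/systemd/systemd-executor key=(null)
type=FANOTIFY msg=audit(02/17/2026 09:37:33.626:589) : resp=deny fan_type=rule_info fan_info=11 subj_trust=unknown obj_trust=no
type=FANOTIFY msg=audit(02/17/2026 09:40:00.000:600) : resp=allow fan_type=rule_info fan_info=3 subj_trust=yes obj_trust=yes
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
# key=value where value may be a parenthesised token such as comm=(aracters)
FIELD_RE = re.compile(r'(\w+)=(\([^)]*\)|"[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by serial number: {serial: {TYPE: fields, 'PATH': [fields...]}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for key, value in FIELD_RE.findall(m["body"]):
            fields.setdefault(key, value)
        ev = events[int(m["serial"])]
        ev.setdefault("ts", m["ts"])
        if m["type"] == "PATH":          # one event can carry several PATH items
            ev.setdefault("PATH", []).append(fields)
        else:
            ev[m["type"]] = fields
    return events


def fapolicyd_denials(text):
    """Return one dict per event whose FANOTIFY record says resp=deny."""
    denials = []
    for serial, ev in sorted(parse_events(text).items()):
        fan = ev.get("FANOTIFY")
        if not fan or fan.get("resp") != "deny":
            continue
        sc = ev.get("SYSCALL", {})
        paths = ev.get("PATH", [])
        denials.append({
            "serial": serial,
            "ts": ev.get("ts"),
            "syscall": sc.get("syscall"),
            "subject": sc.get("exe"),        # the process that was refused
            "comm": sc.get("comm"),
            "object": paths[0]["name"] if paths else None,   # the file it touched
            "mode": paths[0].get("mode") if paths else None,
            # with fan_type=rule_info, fan_info is the number of the fapolicyd rule that decided
            "rule": int(fan["fan_info"]) if fan.get("fan_type") == "rule_info" else None,
            "subj_trust": fan.get("subj_trust"),
            "obj_trust": fan.get("obj_trust"),
        })
    return denials


def untrusted_objects(denials):
    """Sorted, de-duplicated list of files denied because the object itself was not trusted."""
    return sorted({d["object"] for d in denials if d["obj_trust"] == "no" and d["object"]})


if __name__ == "__main__":
    found = fapolicyd_denials(SAMPLE)
    for d in found:
        print(f"{d['serial']} rule={d['rule']} {d['syscall']} subject={d['subject']} "
              f"object={d['object']} ({d['mode']}) obj_trust={d['obj_trust']}")
    print("untrusted objects:", untrusted_objects(found))
```

      Run it against `ausearch -m fanotify -i` output (or the whole `ausearch -i` dump) to get the list of files to investigate rather than scrolling through four-record events. For each path in the list, `rpm -qf PATH` confirms which package owns it, and on fapolicyd 1.3 and later `/etc/fapolicyd/rpm-filter.conf` shows whether that part of the package tree is excluded from the RPM trust source, which is what the report attributes the denials to. A per-file workaround is `fapolicyd-cli --file add PATH --trust-file NAME` followed by `fapolicyd-cli --update`; keep in mind that the trust entry records the file's size and SHA-256, so a package update that changes the file leaves the entry stale and the denial returns until the entry is refreshed.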

              Petr Lautrbach (rhn-engineering-plautrba)
              Renaud Métrich (rhn-support-rmetrich)
              Petr Lautrbach
              SSG Security QE