Bug
Resolution: Unresolved
Minor
rhel-10.0.beta
rhel-sst-security-selinux
ssg_security
What were you trying to do that didn't work?
I tried running a headless session and accessing it remotely.
What is the impact of this issue to you?
It caused the session to fail to launch.
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.13-1.el10.noarch
How reproducible is this bug?:
- It reproduces every time.
Steps to reproduce
- Configure gnome-remote-desktop headless mode.
- Generate TLS key/cert
- grdctl --headless rdp set-tls-cert tls.crt
- grdctl --headless rdp set-tls-key tls.key
- grdctl --headless rdp enable
- grdctl --headless rdp set-credentials test test
- systemctl --user enable gnome-remote-desktop-headless.service
- Start headless session: sudo systemctl start gnome-headless-session@username.service
Expected results
The headless session properly starts.
Actual results
The session fails to start with the following in the journal:
Nov 27 17:03:15 localhost.localdomain systemd[1]: Failed to start gnome-headless-session@jonas.service - Headless desktop session.
Nov 27 17:03:16 localhost.localdomain setroubleshoot[3580]: SELinux is preventing /usr/bin/python3.12 from using the transition access on a process. For complete SELinux messages run: sealert -l daa515d9-545f-4dda-aa5e-0552b615fed6
Nov 27 17:03:16 localhost.localdomain setroubleshoot[3580]: SELinux is preventing /usr/bin/python3.12 from using the transition access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python3.12 should be allowed transition access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdm-headless-lo' --raw | audit2allow -M my-gdmheadlesslo
# semodule -X 300 -i my-gdmheadlesslo.pp
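For triage, the repeated setroubleshoot alerts in a journal excerpt like the one above can be collapsed into one record per distinct denial, with the target type and the suggested `audit2allow` command name pulled out. This is an added example, not part of the original report or of any Red Hat tooling; the function name `summarize`, the `review_before_allow` field and the constructed `SAMPLE` input are assumptions made for illustration.

```python
import re

# Patterns for the setroubleshoot lines quoted in this report.
DENIAL = re.compile(r"SELinux is preventing (?P<exe>\S+) from using the "
                    r"(?P<perm>\S+) access on a (?P<tclass>\S+?)\.")
ALERT = re.compile(r"sealert -l (?P<id>[0-9a-f-]{36})")
TARGET = re.compile(r"labeled (?P<ttype>\w+) by default")
COMM = re.compile(r"ausearch -c '(?P<comm>[^']+)'")

# Constructed sample: one alert in the shape of the journal excerpt, repeated 3 times.
_HDR = "Nov 27 17:03:16 localhost.localdomain setroubleshoot[3580]: "
_MSG = "SELinux is preventing /usr/bin/python3.12 from using the transition access on a process."
_BLOCK = [
    _HDR + _MSG + " For complete SELinux messages run: sealert -l daa515d9-545f-4dda-aa5e-0552b615fed6",
    _HDR + _MSG,
    "If you believe that python3.12 should be allowed transition access on processes labeled unconfined_t by default.",
    "# ausearch -c 'gdm-headless-lo' --raw | audit2allow -M my-gdmheadlesslo",
]
SAMPLE = "\n".join(_BLOCK * 3)

def summarize(journal_text):
    """Collapse repeated setroubleshoot alerts into one record per distinct denial."""
    denials, current = {}, None
    for line in journal_text.splitlines():
        m = DENIAL.search(line)
        if m:
            key = (m["exe"], m["perm"], m["tclass"])
            current = denials.setdefault(key, {
                "exe": m["exe"], "perm": m["perm"], "tclass": m["tclass"],
                "count": 0, "alert_ids": set(), "target_type": None, "comm": None})
            a = ALERT.search(line)
            if a:  # the notice line carries the id; the full report repeats the text
                current["alert_ids"].add(a["id"])
                current["count"] += 1
        elif current is not None:
            t, c = TARGET.search(line), COMM.search(line)
            if t:
                current["target_type"] = t["ttype"]
            if c:
                current["comm"] = c["comm"]
    for d in denials.values():
        # A transition into unconfined_t leaves confinement: flag it for policy review.
        d["review_before_allow"] = (d["perm"] == "transition"
                                    and d["target_type"] == "unconfined_t")
    return list(denials.values())

if __name__ == "__main__":
    for record in summarize(SAMPLE):
        print(record)
```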