On Mon, May 25, 2020 at 5:49 PM Corey Penford <coreypenford@xxxxxxxx> wrote:
>
> This is happening on Fedora MATE, release 31. This workstation is domain joined via realm/sssd. Latest updates are all installed and workstation was rebooted.
>
> This only started happening recently enough, but it’s hard to tell if it was a regression in a selinux policy update, or if the behaviour is related to working from home.. I am running XRDP on the Linux workstation at the office, and using a Windows laptop using the Windows RDP client to connect to it from home.
>
> This seems to happen every time the screen locks via timeout on the Linux workstation over my RDP connection. I can’t reproduce it by locking manually, it seems to only happen when the screen locks via the 15 minute inactivity timer, and then goes black from no mouse movement.
>
> Any further info I can provide let me know
> ------------------------------------------------
>
> SELinux is preventing krb5_child from read access on the key labeled unconfined_service_t.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that krb5_child should be allowed read access on key labeled unconfined_service_t by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'krb5_child' --raw | audit2allow -M my-krb5child
> # semodule -X 300 -i my-krb5child.pp
>
> Additional Information:
> Source Context                system_u:system_r:sssd_t:s0
> Target Context                system_u:system_r:unconfined_service_t:s0
> Target Objects                Unknown [ key ]
> Source                        krb5_child
> Source Path                   krb5_child
> Port                          <Unknown>
> Host                          PW948
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM            selinux-policy-targeted-3.14.4-50.fc31.noarch
> Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     PW948
> Platform                      Linux PW948 5.6.13-200.fc31.x86_64 #1 SMP Thu May
>                               14 23:26:14 UTC 2020 x86_64 x86_64
> Alert Count                   4
> First Seen                    2020-05-25 14:57:27 EDT
> Last Seen                     2020-05-25 14:57:27 EDT
> Local ID                      d1ee27bb-6ce3-401d-ba7f-45935ad0c3d2
>
> Raw Audit Messages
> type=AVC msg=audit(1590433047.446:422): avc: denied { read } for pid=12279 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0
>
>
> Hash: krb5_child,sssd_t,unconfined_service_t,key,read

Fedora selinux policy issues should be reported to the Fedora selinux list, see https://lists.fedoraproject.org/admin/lists/selinux.lists.fedoraproject.org/, and/or bugzilla.redhat.com against its policy.
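
For readers triaging the same alert, the following is an added example (not part of the original thread and not setroubleshoot or audit2allow code) that parses the raw AVC record quoted above and prints the type-enforcement rule a local module for it would have to contain, so the scope of the grant can be reviewed before anything is loaded. The function names `parse_avc`, `setype`, `te_rule` and `signature` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Raw AVC record copied from the report above.
AVC = ('type=AVC msg=audit(1590433047.446:422): avc: denied { read } for '
       'pid=12279 comm="krb5_child" scontext=system_u:system_r:sssd_t:s0 '
       'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Split one AVC audit record into a dict of its fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # Remaining fields are key=value; values such as comm may be double-quoted.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', rec.pop("rest")):
        rec[key] = quoted or bare
    rec["time"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
    return rec

def setype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def te_rule(rec):
    """Type-enforcement allow rule that corresponds to this denial."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow {} {}:{} {};".format(
        setype(rec["scontext"]), setype(rec["tcontext"]), rec["tclass"], perms)

def signature(rec):
    """Same field order as the 'Hash:' line in the report; useful for de-duplicating alerts."""
    return ",".join([rec["comm"], setype(rec["scontext"]), setype(rec["tcontext"]),
                     rec["tclass"], " ".join(rec["perms"])])

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["time"].isoformat(), "enforcing" if rec["permissive"] == "0" else "permissive")
    print(te_rule(rec))
    print(signature(rec))
```

The rule is written in terms of types, so it covers every key labeled `unconfined_service_t`, not only the one involved in this session; compare it with the `my-krb5child.te` file that `audit2allow -M` writes before running `semodule`.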