epel9 KDE Plasma Desktop was rendered inoperable by an SELinux change at the end of February. Discussion in the bug[1] says that this was an intentional change that will not be reverted. Plasma needs to put the fix(es) in its %post script(s). This type of change usually goes through Fedora first before going into RHEL, but it didn't due to deadlines. It would be good if we could fix it in both Fedora and EPEL builds the same way.
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2058657
The generic workaround that works is:
setsebool -P selinuxuser_execmod 1
This is a nice, fast solution, but it ignores the fact that execmod was tightened down for a reason. It would be good to figure out what the right solution is for this.
Troy, could you try running a machine with Plasma on RHEL 9 in permissive mode so we could catch all these? If you can get all the audit2allow output for that, I can turn it into a policy module.
This is what I get when I do a login, open several various things (konsole, kate, settings, character-selector, dolphin) and then logout.
#============= groupadd_t ==============
allow groupadd_t self:capability setgid;

#============= modemmanager_t ==============
#!!!! This avc is allowed in the current policy
allow modemmanager_t self:qipcrtr_socket create;

#============= passwd_t ==============
allow passwd_t etc_t:file unlink;

#============= systemd_logind_t ==============
#!!!! This avc is allowed in the current policy
allow systemd_logind_t session_dbusd_tmp_t:sock_file unlink;

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'selinuxuser_execstack'
allow unconfined_t self:process execstack;

#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
allow unconfined_t user_tmp_t:file execmod;

#============= useradd_t ==============
allow useradd_t self:capability setgid;

#============= xdm_t ==============
#!!!! This avc is allowed in the current policy
allow xdm_t session_dbusd_tmp_t:sock_file write;
allow xdm_t tmp_t:sock_file write;
We would need the full audit log for those:
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'selinuxuser_execstack'
allow unconfined_t self:process execstack;

#!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
allow unconfined_t user_tmp_t:file execmod;
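Added example (my own, not code from this ticket, from Plasma packaging or from audit2allow): a small parser that reads raw AVC records in audit.log format and rebuilds the same summary that audit2allow prints above, while keeping the fields the summary drops and that the request for the full audit log is about: the process name (comm), the file path, and whether the denial was only logged under permissive mode. The boolean hints for execmod and execstack are copied from the audit2allow comments in the thread; the audit records themselves are constructed sample data, not the log from the parent bug.

```python
import re

# Constructed sample records in the format the kernel writes to
# /var/log/audit/audit.log. Not taken from the bug; paths and pids are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1646000001.100:101): avc:  denied  { execmod } for  pid=2345 comm="plasmashell" path="/tmp/example-cache-1" dev="tmpfs" ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1646000001.100:101): arch=c000003e syscall=10 success=yes exit=0 comm="plasmashell" exe="/usr/bin/plasmashell"
type=AVC msg=audit(1646000002.200:102): avc:  denied  { execmod } for  pid=2346 comm="kwin_x11" path="/tmp/example-cache-2" dev="tmpfs" ino=13 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1646000003.300:103): avc:  denied  { execstack } for  pid=2345 comm="plasmashell" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1646000004.400:104): avc:  denied  { setgid } for  pid=2400 comm="groupadd" capability=6 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
"""

# (source type, target class, permission) -> boolean, as reported by audit2allow
# in the thread above. Anything not listed here needs a policy change or a fix
# in the program that triggers the denial.
BOOLEAN_HINTS = {
    ("unconfined_t", "file", "execmod"): "selinuxuser_execmod",
    ("unconfined_t", "process", "execstack"): "selinuxuser_execstack",
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return one dict per denied permission in an AVC record, or None for other records."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return [
        {
            "perm": perm,
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
            "path": fields.get("path"),
            # permissive=1 means the access was logged but not blocked
            "permissive": fields.get("permissive") == "1",
        }
        for perm in m.group("perms").split()
    ]


def summarize(log_text):
    """Group denials by (source type, target type, class, permission) like audit2allow,
    but keep the process names and paths that the summary form loses."""
    summary = {}
    for line in log_text.splitlines():
        for d in parse_avc(line) or []:
            key = (d["stype"], d["ttype"], d["tclass"], d["perm"])
            entry = summary.setdefault(key, {
                "count": 0, "comms": set(), "paths": set(), "permissive_only": True,
                "boolean": BOOLEAN_HINTS.get((d["stype"], d["tclass"], d["perm"])),
            })
            entry["count"] += 1
            if d["comm"]:
                entry["comms"].add(d["comm"])
            if d["path"]:
                entry["paths"].add(d["path"])
            entry["permissive_only"] = entry["permissive_only"] and d["permissive"]
    return summary


def allow_rule(key):
    """Render a summary key as the allow rule audit2allow would print for it."""
    stype, ttype, tclass, perm = key
    target = "self" if ttype == stype else ttype
    return f"allow {stype} {target}:{tclass} {perm};"


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_AUDIT_LOG).items():
        hint = f"  # boolean: {entry['boolean']}" if entry["boolean"] else ""
        print(f"{allow_rule(key)}{hint}")
        print(f"    {entry['count']}x from {sorted(entry['comms'])} paths={sorted(entry['paths'])}")
```

The per-rule process names and paths are what tell you which Plasma component writes an executable-then-modified file under user_tmp_t, which is the question a fix in the package has to answer; the boolean hint only tells you how to paper over it.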
It's in the parent bug. I'll take a look.
Metadata Update from @siosm: - Issue tagged with: need-work, packaging
Metadata Update from @siosm: - Issue untagged with: packaging
Metadata Update from @siosm: - Issue tagged with: packaging
This has been fixed with this pull request that has been merged. https://src.fedoraproject.org/rpms/plasma-workspace/pull-request/16
Metadata Update from @tdawson: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Issue status updated to: Open (was: Closed)
Issue status updated to: Closed (was: Open) Issue close_status updated to: Fixed