I thought it'd be prudent to ask the list's opinion before opening a bug report.
I'm not experiencing any visible issues, but can repeatedly generate this AVC, one
that only seems to be generated since I've enabled pam_yubico on my laptop. I'm
fine adding a dontaudit rule to my local policy but should I send a bug report for this?
If so, is this an SELinux report or one to Yubico?
SELinux is preventing gdm-session-wor from using the wake_alarm capability.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that gdm-session-wor should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gdm-session-wor' --raw | audit2allow -M my-gdmsessionwor
# semodule -X 300 -i my-gdmsessionwor.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects Unknown [ capability2 ]
Source gdm-session-wor
Source Path gdm-session-wor
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux HOSTNAME 4.9.8-201.fc25.x86_64 #1 SMP
Tue Feb 7 11:28:07 UTC 2017 x86_64 x86_64
Alert Count 1228
First Seen 2017-02-13 07:43:45 CST
Last Seen 2017-02-14 08:36:50 CST
Local ID 55722700-2042-427e-911c-5ed8fe9aaf8b
Raw Audit Messages
type=AVC msg=audit(1487083010.410:7611): avc: denied { wake_alarm } for pid=699
comm="gdm-session-wor" capability=35
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Hash: gdm-session-wor,xdm_t,xdm_t,capability2,wake_alarm