Attachment 595767 Details for Bug 837072 – File: description

File: description

description (text/plain), 5.13 KB, created by rnakamoto on 2012-07-02 16:29:57 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: rnakamoto

Created: 2012-07-02 16:29:57 UTC

Size: 5.13 KB

patch

obsolete

>SELinux is preventing /usr/libexec/kde4/lnusertemp from 'getattr' accesses on the directory /var/tmp/kdecache-root.
>
>*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
>
>If you want to allow lnusertemp to have getattr access on the kdecache-root directory
>Then you need to change the label on /var/tmp/kdecache-root
>Do
># semanage fcontext -a -t FILE_TYPE '/var/tmp/kdecache-root'
>where FILE_TYPE is one of the following: sysctl_dev_t, sysctl_net_t, dbusd_etc_t, user_home_t, tmp_t, var_t, security_t, cache_home_t, userdomain, pulseaudio_home_t, gconf_etc_t, rpm_var_cache_t, faillog_t, data_home_t, var_spool_t, proc_net_t, proc_afs_t, var_log_t, policykit_reload_t, var_lib_t, var_run_t, textrel_shlib_t, xdm_etc_t, xdm_log_t, gnome_home_type, xdm_tmp_t, user_home_type, xserver_t, configfile, samba_var_t, openct_var_run_t, domain, samba_etc_t, config_usr_t, init_var_run_t, rpm_script_tmp_t, pcscd_var_run_t, smbd_var_run_t, pam_var_run_t, rpm_var_lib_t, xdm_var_lib_t, xdm_var_run_t, udev_var_run_t, xkb_var_lib_t, winbind_var_run_t, security_t, xdm_rw_etc_t, inotifyfs_t, plymouthd_spool_t, etc_t, systemd_logind_var_run_t, anon_inodefs_t, cert_t, gconf_home_t, sysctl_kernel_t, default_t, home_root_t, gnome_home_t, rpm_log_t, var_t, var_log_t, local_login_home_t, cfengine_var_lib_t, var_run_t, systemd_logind_sessions_t, admin_home_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, rhev_agentd_var_run_t, sssd_public_t, user_tmpfs_type, abrt_var_run_t, accountsd_var_lib_t, var_run_t, selinux_config_t, abrt_var_run_t, xdm_home_t, pam_var_console_t, likewise_var_lib_t, user_home_dir_t, default_context_t, vdagent_var_run_t, winbind_var_run_t, sysctl_crypto_t, autofs_t, cgroup_t, device_t, hwdata_t, gpmctl_t, locale_t, var_auth_t, var_lock_t, krb5_conf_t, sysctl_t, etc_t, fonts_t, bin_t, cert_t, init_t, proc_t, lib_t, man_t, mnt_t, sysfs_t, tmpfs_t, xdm_t, root_t, tmp_t, usr_t, var_t, system_cronjob_var_lib_t, policykit_var_lib_t, user_tmp_t, cfengine_var_lib_t, auth_home_t, user_fonts_t, setrans_var_run_t, auth_cache_t, xdm_tmpfs_t, pulseaudio_var_run_t, var_lib_t, var_run_t, xdm_dbusd_t, xdm_spool_t, device_t, fonts_cache_t, samba_var_t, sysctl_t, consolekit_log_t, etc_t, abrt_t, bin_t, samba_etc_t, plymouthd_var_log_t, proc_t, avahi_var_run_t, lib_t, mnt_t, sysfs_t, crack_db_t, nscd_var_run_t, nslcd_var_run_t, root_t, ssh_home_t, smbd_var_run_t, sssd_var_lib_t, tmp_t, usr_t, var_t, net_conf_t, cpu_online_t, alsa_etc_rw_t, systemd_unit_file_type, xserver_log_t, security_t, var_lib_t, var_run_t, krb5_host_rcache_t, init_var_run_t, file_context_t, systemd_logind_var_run_t, var_t, var_t, krb5_host_rcache_t, selinux_config_t, default_context_t, cgroup_t, etc_t, bin_t, init_t, init_t, sysfs_t, sysfs_t, tmpfs_t, tmp_t, var_t, var_run_t, var_run_t, nscd_var_run_t, pcscd_var_run_t, systemd_unit_file_type. 
>Then execute: 
>restorecon -v '/var/tmp/kdecache-root'
>
>
>*****  Plugin catchall (17.1 confidence) suggests  ***************************
>
>If you believe that lnusertemp should be allowed getattr access on the kdecache-root directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep lnusertemp /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
>Target Context                system_u:object_r:unlabeled_t:s0
>Target Objects                /var/tmp/kdecache-root [ dir ]
>Source                        lnusertemp
>Source Path                   /usr/libexec/kde4/lnusertemp
>Port                          <Unknown>
>Host                          (removed)
>Source RPM Packages           kdelibs-4.8.4-5.fc17.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     (removed)
>Platform                      Linux (removed) 3.4.4-3.fc17.x86_64 #1 SMP Tue Jun 26
>                              20:54:56 UTC 2012 x86_64 x86_64
>Alert Count                   1
>First Seen                    Sun 01 Jul 2012 06:47:14 PM PDT
>Last Seen                     Sun 01 Jul 2012 06:47:14 PM PDT
>Local ID                      b46b0d73-3c34-4f98-b746-d76cb16fb4c2
>
>Raw Audit Messages
>type=AVC msg=audit(1341193634.101:28): avc:  denied  { getattr } for  pid=919 comm="lnusertemp" path="/var/tmp/kdecache-root" dev="dm-1" ino=262167 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
>
>type=SYSCALL msg=audit(1341193634.101:28): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7fffd4565730 a1=7fffd45621b0 a2=7fffd45621b0 a3=ff2 items=0 ppid=911 pid=919 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lnusertemp exe=/usr/libexec/kde4/lnusertemp subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
>
>Hash: lnusertemp,xdm_t,unlabeled_t,dir,getattr
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Actions: View

Attachments on bug 837072: 595767