Bug 1015728
| Summary: | SELinux is preventing /usr/bin/gnome-keyring-daemon from 'getattr' accesses on the unix_stream_socket unix_stream_socket. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | William Brown <william> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:a91e0d464d754ddbf4b6b613d53c872e1352d67e3d050afff16e507e702b3cd8 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-10-25 10:30:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
We have this rule in F20 policy. $ audit2allow -i avc #============= staff_gkeyringd_t ============== #!!!! This avc has a dontaudit rule in the current policy allow staff_gkeyringd_t staff_t:unix_stream_socket getattr; |
Description of problem: Attempting to use my account as an SELinux user of staff_u. Post login I recieve this error, as well as the following: SELinux is preventing /usr/bin/pactl from connectto access on the unix_stream_socket /run/user/2000/pulse/native. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that pactl should be allowed connectto access on the native unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pactl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_t:s0-s0:c0.c1023 Target Context unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 Target Objects /run/user/2000/pulse/native [ unix_stream_socket ] Source pactl Source Path /usr/bin/pactl Port <Unknown> Host ammy.firstyear.id.au Source RPM Packages gnome-settings-daemon-3.8.5-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.8.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name ammy.firstyear.id.au Platform Linux ammy.firstyear.id.au 3.10.11-200.fc19.x86_64 #1 SMP Mon Sep 9 13:03:01 UTC 2013 x86_64 x86_64 Alert Count 53 First Seen 2013-10-05 10:13:49 CST Last Seen 2013-10-05 10:19:49 CST Local ID bc1c8ce7-e785-43d7-a758-a92f21549652 Raw Audit Messages type=AVC msg=audit(1380934189.246:695): avc: denied { connectto } for pid=5167 comm="gnome-settings-" path="/run/user/2000/pulse/native" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1380934189.246:695): arch=x86_64 syscall=connect success=yes exit=0 a0=18 a1=7fff1c72e120 a2=6e a3=7fff1c72e06c items=0 ppid=4997 pid=5167 auid=2000 uid=2000 gid=2000 euid=2000 suid=2000 fsuid=2000 egid=2000 sgid=2000 fsgid=2000 ses=4 tty=(none) comm=gnome-settings- exe=/usr/libexec/gnome-settings-daemon subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Hash: pactl,staff_t,unconfined_t,unix_stream_socket,connectto SELinux is preventing /usr/bin/gnome-keyring-daemon from 'getattr' accesses on the unix_stream_socket unix_stream_socket. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that gnome-keyring-daemon should be allowed getattr access on the unix_stream_socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gnome-keyring-d /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 Target Context staff_u:staff_r:staff_t:s0-s0:c0.c1023 Target Objects unix_stream_socket [ unix_stream_socket ] Source gnome-keyring-d Source Path /usr/bin/gnome-keyring-daemon Port <Unknown> Host (removed) Source RPM Packages gnome-keyring-3.8.2-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.8.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.10.11-200.fc19.x86_64 #1 SMP Mon Sep 9 13:03:01 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-10-05 10:19:48 CST Last Seen 2013-10-05 10:19:48 CST Local ID 3845d897-16d9-463f-a0e3-2d3691777c6f Raw Audit Messages type=AVC msg=audit(1380934188.986:693): avc: denied { getattr } for pid=5172 comm="gnome-keyring-d" path="socket:[62702]" dev="sockfs" ino=62702 scontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1380934188.986:693): arch=x86_64 syscall=fstat success=yes exit=0 a0=1 a1=7fff95c74dc0 a2=7fff95c74dc0 a3=0 items=0 ppid=4997 pid=5172 auid=2000 uid=2000 gid=2000 euid=2000 suid=2000 fsuid=2000 egid=2000 sgid=2000 fsgid=2000 ses=4 tty=(none) comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 key=(null) Hash: gnome-keyring-d,staff_gkeyringd_t,staff_t,unix_stream_socket,getattr Additional info: reporter: libreport-2.1.7 hashmarkername: setroubleshoot kernel: 3.10.11-200.fc19.x86_64 type: libreport