Bug 1157256

Summary: SELinux is preventing /usr/libexec/kde4/polkit-kde-authentication-agent-1 from 'write' accesses on the directory /home/bodhi.
Product: [Fedora] Fedora Reporter: bodhi.zazen <bodhi.zazen>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: dominick.grift, dwalsh, lvrabec, mgrepl, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1cada8cfdab928adb5f0521eae6ee94d6f33ec344b2f9157be9b7a4c7797fc9b
Fixed In Version: selinux-policy-3.13.1-99.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-03 17:15:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description bodhi.zazen 2014-10-26 17:52:51 UTC 
Description of problem:
Fresh install, problem with confined users perhpas
SELinux is preventing /usr/libexec/kde4/polkit-kde-authentication-agent-1 from 'write' accesses on the directory /home/bodhi.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that polkit-kde-authentication-agent-1 should be allowed write access on the bodhi directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polkit-kde-auth /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:policykit_auth_t:s0
Target Context                staff_u:object_r:user_home_dir_t:s0
Target Objects                /home/bodhi [ dir ]
Source                        polkit-kde-auth
Source Path                   /usr/libexec/kde4/polkit-kde-authentication-
                              agent-1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-kde-0.99.1-4.20130311git.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.1-302.fc21.x86_64 #1 SMP Fri
                              Oct 17 20:05:46 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-10-26 11:47:01 MDT
Last Seen                     2014-10-26 11:47:01 MDT
Local ID                      e022714b-7933-4ded-8506-9b508223c5df

Raw Audit Messages
type=AVC msg=audit(1414345621.533:404): avc:  denied  { write } for  pid=1796 comm="polkit-kde-auth" name="bodhi" dev="dm-3" ino=7077889 scontext=staff_u:staff_r:policykit_auth_t:s0 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1414345621.533:404): arch=x86_64 syscall=access success=no exit=EACCES a0=c5db08 a1=2 a2=200 a3=4 items=0 ppid=1781 pid=1796 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=polkit-kde-auth exe=/usr/libexec/kde4/polkit-kde-authentication-agent-1 subj=staff_u:staff_r:policykit_auth_t:s0 key=(null)

Hash: polkit-kde-auth,policykit_auth_t,user_home_dir_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-85.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-302.fc21.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2014-10-27 07:48:03 UTC 
This is just access check.
Comment 2 Lukas Vrabec 2014-11-07 22:13:30 UTC 
commit 2e4c4c79692ff74fa6005aa87ca67a2d65e04f78
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 7 22:33:39 2014 +0100

    Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)
Comment 3 Miroslav Grepl 2014-11-10 08:46:50 UTC 
(In reply to Lukas Vrabec from comment #2)
> commit 2e4c4c79692ff74fa6005aa87ca67a2d65e04f78
> Author: Lukas Vrabec <lvrabec>
> Date:   Fri Nov 7 22:33:39 2014 +0100
> 
>     Dontaudit policykit_auth_t to write to user home dirs. BZ (1157256)

Lukas,
you want to dontaudit audit_acess.


syscall=access
Comment 4 Lukas Vrabec 2014-11-10 10:36:19 UTC 
commit 65537985563f209294b7e1edc2a82b91d130d67b
Author: Lukas Vrabec <lvrabec>
Date:   Mon Nov 10 11:34:33 2014 +0100

    Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256)
Comment 5 Fedora Update System 2014-11-21 12:23:57 UTC 
selinux-policy-3.13.1-99.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-99.fc21
Comment 6 Fedora Update System 2014-12-03 17:15:17 UTC 
selinux-policy-3.13.1-99.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.