Bug 1263256

Summary: SELinux is preventing /usr/libexec/colord from 'search' accesses on the directory 19155.
Product: Red Hat Enterprise Linux 7
Reporter: Radovan Drazny <rdrazny>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, rdrazny, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-28 12:42:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Radovan Drazny 2015-09-15 12:49:11 UTC
I'm seeing an error very similar to Bug #1205022 on RHEL 7.2 Server.

Install Gnome desktop, tiger-vnc server, and get it set up:

# yum groupinstall graphical-server-environment
...
# yum install tigervnc-server
...
# echo -e "redhatqa\nredhatqa\n" | vncpasswd
...
# echo -e "VNCSERVERS=\"1:root\"\nVNCSERVERARGS[1]=\"securitytypes=none\"" > /etc/sysconfig/vncservers
# mkdir /root/.config
# echo 'yes' >> ~/.config/gnome-initial-setup-done
# cp /usr/lib/systemd/system/vncserver\@.service /etc/systemd/system
# sed -i -e "s/\/home\/<USER>/\/root/g" -e "s/<USER>/root/" /etc/systemd/system/vncserver\@.service
# systemctl daemon-reload
# service vncserver@:1 restart

# sealert -a /var/log/audit/audit.log

100% done'list' object has no attribute 'split'
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/colord from search access on the directory 19155.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that colord should be allowed search access on the 19155 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                19155 [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           colord-1.2.7-2.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-49.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     smqa-r210-06-vm05.lab.eng.brq.redhat.com
Platform                      Linux smqa-r210-06-vm05.lab.eng.brq.redhat.com
                              3.10.0-315.el7.x86_64 #1 SMP Tue Sep 8 15:38:35
                              EDT 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-09-15 13:58:57 CEST
Last Seen                     2015-09-15 13:58:57 CEST
Local ID                      a8c7bc6b-038a-41f3-b6c5-e47fe2a51892

Raw Audit Messages
type=AVC msg=audit(1442318337.946:364): avc:  denied  { search } for  pid=19180 comm="colord" name="19155" dev="proc" ino=90661 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir


type=SYSCALL msg=audit(1442318337.946:364): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffe251ea300 a1=80000 a2=1b6 a3=24 items=0 ppid=1 pid=19180 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,unconfined_service_t,dir,search

# ps -efZ |grep unconfined_servic[e]

system_u:system_r:unconfined_service_t:s0 root 4155 1  0 12:56 ?       00:00:00 /usr/bin/python /usr/bin/beah-beaker-backend
system_u:system_r:unconfined_service_t:s0 root 4157 1  0 12:56 ?       00:00:00 /usr/bin/python /usr/bin/beah-fwd-backend
system_u:system_r:unconfined_service_t:s0 root 4158 1  0 12:56 ?       00:00:00 /usr/bin/python /usr/bin/beah-srv
system_u:system_r:unconfined_service_t:s0 root 12320 4158  0 12:57 ?   00:00:01 /usr/bin/python /usr/bin/beah-rhts-task
system_u:system_r:unconfined_service_t:s0 root 18984 1  0 13:58 ?      00:00:00 /usr/bin/Xvnc :1 -desktop smqa-r210-06-vm05.lab.eng.brq.redhat.com:1 (root) -auth /root/.Xauthority -geometry 1024x768 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5901 -fp catalogue:/etc/X11/fontpath.d -pn
system_u:system_r:unconfined_service_t:s0 root 18991 1  0 13:58 ?      00:00:00 /usr/bin/vncconfig -iconic
system_u:system_r:unconfined_service_t:s0 root 18993 1  0 13:58 ?      00:00:00 /bin/gnome-session --session=gnome-classic
system_u:system_r:unconfined_service_t:s0 root 19000 1  0 13:58 ?      00:00:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:unconfined_service_t:s0 root 19001 1  0 13:58 ?      00:00:00 /bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
system_u:system_r:unconfined_service_t:s0 root 19068 1  0 13:58 ?      00:00:00 /usr/libexec/imsettings-daemon
system_u:system_r:unconfined_service_t:s0 root 19071 1  0 13:58 ?      00:00:00 /usr/libexec/gvfsd
system_u:system_r:unconfined_service_t:s0 root 19075 1  0 13:58 ?      00:00:00 /usr/libexec/gvfsd-fuse /run/user/0/gvfs -f -o big_writes
system_u:system_r:unconfined_service_t:s0 root 19119 18993  0 13:58 ?  00:00:00 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
system_u:system_r:unconfined_service_t:s0 root 19130 1  0 13:58 ?      00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:unconfined_service_t:s0 root 19134 19130  0 13:58 ?  00:00:00 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
system_u:system_r:unconfined_service_t:s0 root 19138 1  0 13:58 ?      00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
system_u:system_r:unconfined_service_t:s0 root 19155 18993  0 13:58 ?  00:00:00 /usr/libexec/gnome-settings-daemon
system_u:system_r:unconfined_service_t:s0 root 19162 1  0 13:58 ?      00:00:00 /usr/bin/gnome-keyring-daemon --start --components=secrets
system_u:system_r:unconfined_service_t:s0 root 19176 18993  0 13:58 ?  00:00:03 /usr/bin/gnome-shell
system_u:system_r:unconfined_service_t:s0 root 19182 1  0 13:58 ?      00:00:00 /usr/libexec/gsd-printer
system_u:system_r:unconfined_service_t:s0 root 19200 1  0 13:58 ?      00:00:00 /usr/libexec/dconf-service
system_u:system_r:unconfined_service_t:s0 root 19208 19176  0 13:58 ?  00:00:00 ibus-daemon --xim --panel disable
system_u:system_r:unconfined_service_t:s0 root 19214 19208  0 13:58 ?  00:00:00 /usr/libexec/ibus-dconf
system_u:system_r:unconfined_service_t:s0 root 19215 1  0 13:58 ?      00:00:00 /usr/libexec/gnome-shell-calendar-server
system_u:system_r:unconfined_service_t:s0 root 19219 1  0 13:58 ?      00:00:00 /usr/libexec/ibus-x11 --kill-daemon
system_u:system_r:unconfined_service_t:s0 root 19227 1  0 13:58 ?      00:00:00 /usr/libexec/evolution-source-registry
system_u:system_r:unconfined_service_t:s0 root 19235 1  0 13:58 ?      00:00:00 /usr/libexec/mission-control-5
system_u:system_r:unconfined_service_t:s0 root 19237 1  0 13:58 ?      00:00:00 /usr/libexec/caribou
system_u:system_r:unconfined_service_t:s0 root 19245 1  0 13:58 ?      00:00:00 /usr/libexec/goa-daemon
system_u:system_r:unconfined_service_t:s0 root 19252 1  0 13:58 ?      00:00:00 /usr/libexec/gvfs-udisks2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 19257 1  0 13:58 ?      00:00:00 /usr/libexec/gvfs-goa-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 19273 1  0 13:58 ?      00:00:00 /usr/libexec/goa-identity-service
system_u:system_r:unconfined_service_t:s0 root 19276 1  0 13:58 ?      00:00:00 /usr/libexec/gvfs-mtp-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 19280 1  0 13:58 ?      00:00:00 /usr/libexec/gvfs-afc-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 19285 1  0 13:58 ?      00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 19291 18993  0 13:58 ?  00:00:00 nautilus --no-default-window --force-desktop
system_u:system_r:unconfined_service_t:s0 root 19302 18993  0 13:58 ?  00:00:00 rhsm-icon
system_u:system_r:unconfined_service_t:s0 root 19310 18993  0 13:58 ?  00:00:00 abrt-applet
system_u:system_r:unconfined_service_t:s0 root 19356 1  0 13:58 ?      00:00:00 /usr/libexec/gconfd-2
system_u:system_r:unconfined_service_t:s0 root 19361 1  0 13:58 ?      00:00:00 /usr/libexec/evolution-calendar-factory
system_u:system_r:unconfined_service_t:s0 root 19363 18993  0 13:58 ?  00:00:00 /usr/libexec/tracker-miner-user-guides
system_u:system_r:unconfined_service_t:s0 root 19371 19208  0 13:58 ?  00:00:00 /usr/libexec/ibus-engine-simple
system_u:system_r:unconfined_service_t:s0 root 19375 18993  0 13:58 ?  00:00:00 /usr/libexec/tracker-miner-fs
system_u:system_r:unconfined_service_t:s0 root 19379 1  0 13:58 ?      00:00:00 /usr/libexec/tracker-store
system_u:system_r:unconfined_service_t:s0 root 19387 18993  0 13:58 ?  00:00:00 /usr/libexec/tracker-extract
system_u:system_r:unconfined_service_t:s0 root 19389 18993  0 13:58 ?  00:00:00 /usr/libexec/tracker-miner-apps
system_u:system_r:unconfined_service_t:s0 root 19390 18993  0 13:58 ?  00:00:00 /usr/bin/seapplet
system_u:system_r:unconfined_service_t:s0 root 19393 18993  0 13:58 ?  00:00:00 /usr/bin/gnome-software --gapplication-service
system_u:system_r:unconfined_service_t:s0 root 19423 1  0 13:58 ?      00:00:00 /usr/libexec/gvfsd-trash --spawner :1.4 /org/gtk/gvfs/exec_spaw/0
system_u:system_r:unconfined_service_t:s0 root 19455 1  0 13:59 ?      00:00:00 /usr/libexec/gvfsd-metadata
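
To answer the question the alert raises (what is directory "19155", and which process and domain does it belong to?), here is an added Python helper that is not part of the bug report: it parses the raw AVC record quoted above and two lines of the reporter's ps -efZ output, treats a numeric name on dev="proc" as a /proc/<pid> directory, and flags a target domain of unconfined_service_t as a labeling problem rather than a missing colord rule. The sample input is copied from this report; the field names of the result dictionary are this helper's own.

```python
import re
# Raw AVC record quoted from the bug report above.
AVC = ('type=AVC msg=audit(1442318337.946:364): avc:  denied  { search } for  pid=19180 '
       'comm="colord" name="19155" dev="proc" ino=90661 '
       'scontext=system_u:system_r:colord_t:s0 '
       'tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir')
# Two lines from the reporter's `ps -efZ` output: the session leader and the target PID.
PS_EFZ = """\
system_u:system_r:unconfined_service_t:s0 root 18993 1  0 13:58 ?      00:00:00 /bin/gnome-session --session=gnome-classic
system_u:system_r:unconfined_service_t:s0 root 19155 18993  0 13:58 ?  00:00:00 /usr/libexec/gnome-settings-daemon
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split an audit AVC record into its key=value fields plus the denied permissions."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = re.search(r'\{ ([^}]*) \}', line)
    rec['perms'] = m.group(1).split() if m else []
    return rec

def parse_ps(text):
    """Map PID -> (SELinux context, PPID, command) from `ps -efZ` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 8)  # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 9:
            procs[int(parts[2])] = (parts[0], int(parts[3]), parts[8])
    return procs

def explain(avc_line, procs):
    """Resolve what the denial touched and whether the target label looks wrong."""
    rec = parse_avc(avc_line)
    target_type = rec['tcontext'].split(':')[2]
    out = {'source': rec['comm'], 'source_type': rec['scontext'].split(':')[2],
           'perms': rec['perms'], 'target_type': target_type}
    # A numeric name on dev="proc" is a /proc/<pid> directory: the "19155" in the
    # alert is a process, not a filesystem path, so look it up in the process table.
    if rec.get('dev') == 'proc' and rec.get('name', '').isdigit():
        pid = int(rec['name'])
        out['target_path'] = f'/proc/{pid}'
        if pid in procs:
            out['target_ctx'], out['target_ppid'], out['target_cmd'] = procs[pid]
    # unconfined_service_t is where services land when no domain transition applies;
    # a desktop process in that domain points at labeling, not a missing colord rule.
    out['labeling_issue'] = target_type == 'unconfined_service_t'
    return out

if __name__ == '__main__':
    print(explain(AVC, parse_ps(PS_EFZ)))
```

Run against the full audit log and process table, the same check tells you whether an audit2allow module would merely paper over a mislabeled process tree.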

Comment 1 Milos Malik 2015-09-15 12:56:07 UTC
Why are so many processes running as unconfined_service_t? Is Xvnc the parent of them?

Comment 4 Miroslav Grepl 2015-09-18 13:44:01 UTC
Could you try to fix labeling on this system?

Comment 5 Miroslav Grepl 2016-04-28 12:42:52 UTC
I believe this is a labeling issue. Please reopen the bug if I am wrong.