Bug 441261

Summary: Upstart causes multiple AVCs
Product: [Fedora] Fedora
Reporter: Anne <lists>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, jkubin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-17 12:19:56 UTC
Attachments: Complete audit log. (flags: none)

Description Anne 2008-04-07 13:33:41 UTC
Description of problem:
Many AVCs are logged at upstart.  This morning listed 38 of them.


Version-Release number of selected component (if applicable):
Rawhide updated to 6th April

How reproducible:

Every day so far

Steps to Reproduce:
1. Log in normally and watch the AVC icon come up.

Actual results:

Running in permissive mode, so none visible

Expected results:


Additional info:

Comment 1 Anne 2008-04-07 13:33:41 UTC
Created attachment 301517 [details]
Complete audit log.

Comment 2 Daniel Walsh 2008-04-08 13:22:46 UTC
I think most of these are fixed in selinux-policy-3.3.1-29.fc9

Please update and report if you are seeing any?



Comment 3 Anne 2008-04-08 17:59:12 UTC
Far fewer.  Those remaining are:
SELinux is preventing 05-netfs (NetworkManager_t) "getattr" to /var/lock/subsys/netfs (var_lock_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./Oxygen.colors (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./entry.desktop (locale_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (cache-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/cache-david.lydgate.lan).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (tmp-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/tmp-david.lydgate.lan).

Incidentally, the postfix one seems to have disappeared.  I'll report that to 
bug #441130
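
As an added example (not part of the original bug report, and not setroubleshoot's own code), the summaries quoted in Comment 3 can be tallied by source domain, permission and target type, keeping apart the alerts that setroubleshoot itself words as "potentially mislabeled files". The regular expressions assume the summary wording seen in this thread; `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Summaries copied from Comment 3, with wrapped lines rejoined.
SUMMARIES = """\
SELinux is preventing 05-netfs (NetworkManager_t) "getattr" to /var/lock/subsys/netfs (var_lock_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./Oxygen.colors (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./entry.desktop (locale_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (cache-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/cache-david.lydgate.lan).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (tmp-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/tmp-david.lydgate.lan).
"""

# '<comm> (<source type>) "<perm>" to <path> (<target type>).'
DENIAL = re.compile(
    r'^SELinux is preventing (?P<comm>\S+) \((?P<source>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<path>\S+) \((?P<target>\w+)\)\.?$')
# 'the <comm> from using potentially mislabeled files (<path>).'
MISLABEL = re.compile(
    r'^SELinux is preventing (?:the )?(?P<comm>\S+) from using '
    r'potentially mislabeled files \((?P<path>[^)]+)\)\.?$')

def triage(text):
    """Return (denials, mislabeled, unparsed) for setroubleshoot summaries."""
    denials, mislabeled, unparsed = Counter(), {}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := DENIAL.match(line):
            denials[(m["source"], m["perm"], m["target"])] += 1
        elif m := MISLABEL.match(line):
            mislabeled.setdefault(m["comm"], set()).add(m["path"])
        else:
            unparsed.append(line)  # never drop a line silently
    return denials, mislabeled, unparsed

if __name__ == "__main__":
    denials, mislabeled, unparsed = triage(SUMMARIES)
    for (source, perm, target), n in denials.most_common():
        print(f"{n}x {source} {perm} -> {target}")
    for comm, paths in mislabeled.items():
        print(f"{comm}: possibly mislabeled: {', '.join(sorted(paths))}")
    print("unparsed:", unparsed)
```

Grouping this way separates the repeated kdm_greet write denials from the one-off NetworkManager_t denial, and lists the paths worth checking for labels.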


Comment 4 Daniel Walsh 2008-04-08 18:11:08 UTC
restorecon -R -v /etc/NetworkManager

Should clean up var_lock.

What directory are all of these kde.desktop stuff in?  Are these in
/usr/share/xsessions/kde.desktop?   Does kdm really need to write these files?

Also are you logging in as root?



Comment 5 Anne 2008-04-16 15:26:58 UTC
Sorry this has not been answered.  For some reason I'm not getting any bug
notifications at all.

The multiple AVCs disappeared a few days ago, I'd guess about the 11th or 12th.
I no longer have the AVC reports, but IIRC many referred to /tmp/ksocket-anne,
and /tmp/orbit-anne.  I believe write access is necessary.

I never log in as root, though I do use a root konsole fairly often.

Comment 6 Daniel Walsh 2008-04-16 18:16:32 UTC
Well I have no idea what caused these then.   Seems something wanted to write to
/root/.kde/tmp-david.lydgate.lan  which is why I thought you were logging in as
root.  The apps requesting access to write to /usr also seem weird, unless this
is some kind of python optimization code.

Comment 7 Anne 2008-04-16 18:46:25 UTC
Since they are no longer happening I'd be inclined to close this bug.  I'll 
report any specific ones that occur later.