Bug 442585

Summary: SELinux policy prevents clock applet from setting timezone
Product: [Fedora] Fedora Reporter: Jason Boyles <jboyles>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-28 12:27:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235706, 529959    
Attachments:
Description Flags
SELinux troubleshooter ourput for denial when 'Set' button clicked none

Description Jason Boyles 2008-04-15 17:48:12 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008041504 Minefield/3.0pre

Description of problem:
In the calendar/locations popup you get when right-clicking the clock applet, if you attempt to set the timezone to a location listed there by clicking the 'Set' button (which should appear when hovering over the location entry), an SELinux error prevents this from being set. (selinux trouble shooter output is attached)

This not only prevents you from setting the time zone from the clock applet, but it prevents you from seeing the weather and temperature for your location in the panel applet.

Also note that there is no policykit dialog presented to authenticate this timezone change.

Possibly applicable package installed versions:

PolicyKit-0.8-0.git20080404.3.fc9.i386
PolicyKit-gnome-0.7-3.fc9.i386
PolicyKit-gnome-libs-0.7-3.fc9.i386
selinux-policy-targeted-3.3.1-33.fc9.noarch

Version-Release number of selected component (if applicable):
gnome-panel-2.22.1.2-1.fc9

How reproducible:
Always


Steps to Reproduce:
1. Ensure SELinux enforcement policy is 'Enforcing'
2. Ensure locations have been added to clock preferences 
3. right-click clock
4. hover over location to reveal 'Set' button
5. click 'Set' button

Actual Results:
An SELinux denial is thrown, timezone and current location are not set, so no weather can be displayed in the clock applet.

Expected Results:
policykit authentication dialog should appear, Timezone should be set, current location should be set (resulting in a house icon shown next to the location in the popup), and weather and temp info should appear in the task bar if the clock is configured to show weather and temp in the preferences.

Additional info:
I filed a gnome bug on this initially (http://bugzilla.gnome.org/show_bug.cgi?id=528145) before deducing that this was an SELinux policy issue.
Comment 1 Jason Boyles 2008-04-15 17:49:54 UTC 
Created attachment 302498 [details]
SELinux troubleshooter ourput for denial when 'Set' button clicked

This is the SELinux output when the denial is thrown.

Changing selinux enforcement to 'Permissive' allows this to work just fine, but
the same error is thrown.
Comment 2 Daniel Walsh 2008-04-15 19:53:35 UTC 
Why would gnomeclock need sys_ptrace?

selinux-policy-3.3.1-36.fc9
Comment 3 Jason Boyles 2008-04-15 21:40:10 UTC 
I believe it has to do with policykit, which is what
gnome-clock-applet-mechanism is responsible for

Could policykit's use of the prctl() system call (to prevent ptrace from being
used to snoop on policykit support programs) have something to do with this?
Comment 4 Jason Boyles 2008-04-16 01:49:01 UTC 
After some testing, I believe the context of
/usr/libexec/gnome-clock-applet-mechanism is is wrong, or the context
system_u:object_r:gnomeclock_exec_t:s0 needs more capabilities.

By default, /usr/libexec/gnome-clock-applet-mechanism has the context 
system_u:object_r:gnomeclock_exec_t:s0. If I set the context to
system_u:object_r:bin_t:s0, like other similar policykit helpers, then the clock
applet allows me to set the timezone with no SELinux errors.
Comment 5 Daniel Walsh 2008-04-16 12:47:53 UTC 
Ok, I have added that capability (sys_ptrace) to gnomeclock_t, which the file
context on disk requires.  

gnomeclock is also allowed to change the system time which polickit helpers are
not allowed to do.

Fixed in selinux-policy-3.3.1-36.fc9