Bug 443276

Summary: SELinux denial when attempting to set system time with gnome-clock-app
Product: [Fedora] Fedora
Reporter: Michael Elkins <me>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: rawhide
CC: rlevi66
Keywords: Reopened
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-06 20:31:02 UTC

Description Michael Elkins 2008-04-20 03:13:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008041301 Fedora/3.0-0.54.beta5.fc9 Firefox/3.0b5

Description of problem:
SELinux is denying the attempt to set the system date/time when using the GNOME clock applet when logged in as my normal user account.


Version-Release number of selected component (if applicable):
gnome-panel-2.22.1.2-3

How reproducible:
Always


Steps to Reproduce:
1. Log in to GNOME as normal user
2. Left click on clock applet on the GNOME panel
3. Select "Adjust Date & Time"
4. Click on "Set System Time..." button 

Actual Results:
A SELinux AVC denial message pops up on the GNOME panel.

Expected Results:
I would expect the dialog to adjust the system date & time to be able to run.

Additional info:

Summary:

SELinux is preventing gnome-clock-app (gnomeclock_t) "sys_ptrace" to <Unknown>
(gnomeclock_t).

Detailed Description:

SELinux denied access requested by gnome-clock-app. It is not expected that this
access is required by gnome-clock-app and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        gnome-clock-app
Source Path                   /usr/libexec/gnome-clock-applet-mechanism
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           gnome-panel-2.22.1.2-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25-1.fc9.i686 #1
                              SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686
Alert Count                   8
First Seen                    Sat 19 Apr 2008 04:06:32 PM EDT
Last Seen                     Sat 19 Apr 2008 10:59:56 PM EDT
Local ID                      b6c5ff35-7504-4347-bc96-782253f2345c
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1208660396.559:41): avc:  denied  { sys_ptrace } for  pid=9024 comm="gnome-clock-app" capability=19 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability

host=localhost.localdomain type=SYSCALL msg=audit(1208660396.559:41): arch=40000003 syscall=85 success=no exit=-13 a0=bff7b388 a1=bff7b468 a2=fff a3=bff7b388 items=0 ppid=1 pid=9024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-21 17:11:40 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-37.fc9.noarch

Comment 2 Michael Elkins 2008-04-24 17:52:16 UTC
Any idea when this rpm will be pushed to rawhide?  It still hasn't shown up.

I tried the command you listed, but I get an error:

[root@localhost melkins]# audit2allow -M mypol -l -i /var/log/audit/audit.log 
compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from mypol.te


Comment 3 Michael Elkins 2008-04-24 18:04:14 UTC
Ok, I had to trigger the error again for audit2allow to work.

However, now SELinux gives me a different denial:

host=localhost.localdomain type=AVC msg=audit(1209060116.849:27): avc: denied {
ptrace } for pid=3690 comm="gnome-clock-app"
scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process 

host=localhost.localdomain type=SYSCALL msg=audit(1209060116.849:27):
arch=40000003 syscall=85 success=no exit=-13 a0=bf9b6dc8 a1=bf9b6ea8 a2=fff
a3=bf9b6dc8 items=0 ppid=1 pid=3690 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app"
exe="/usr/libexec/gnome-clock-applet-mechanism"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) 

Comment 4 Daniel Walsh 2008-04-24 20:18:15 UTC
Does the clock get set?


Comment 5 Michael Elkins 2008-04-24 20:23:24 UTC
No, the system clock does not get set.

FWIW, I get this same error if I try to set the timezone as mentioned in bug 442585.

Comment 6 Rafael Levi 2008-05-06 20:00:10 UTC
I get the same error with selinux-policy-3.3.1-42.fc9.noarch.

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          buoy
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     buoy
Platform                      Linux buoy 2.6.25-1.fc9.i686 #1
                              SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686
Alert Count                   5
First Seen                    Sat 19 Apr 2008 02:00:47 AM CEST
Last Seen                     Sun 27 Apr 2008 02:47:54 PM CEST
Local ID                      7dd42aba-36bf-46e2-8c18-63da70bd42d7
Line Numbers                  

Raw Audit Messages            

host=buoy type=AVC msg=audit(1209300474.4:23): avc: denied { getattr } for pid=32724 comm="polkit-resolve-" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process

host=buoy type=SYSCALL msg=audit(1209300474.4:23): arch=40000003 syscall=3 success=no exit=-13 a0=4 a1=87f2598 a2=fff a3=bf81730c items=0 ppid=32722 pid=32724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
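
The AVC records quoted in the description and in Comments 3 and 6 are the input that the audit2allow command from Comment 1 turns into a local policy module. The following Python script is an added example, not part of this bug report or of the selinux-policy package: it parses those three records (copied below as constructed sample input, with wrapped lines rejoined, plus one SYSCALL record to show it is skipped) into fields, derives the `allow` rule audit2allow would emit for each denial, and flags ptrace-class permissions so an administrator can review them before loading such a module instead of waiting for the fixed policy. The function and constant names are this example's own assumptions.

```python
"""Parse SELinux AVC denial records and derive the allow rule each implies.

Added example for bug 443276; not code from the bug report or from
selinux-policy.  Sample records below are copied from the bug's comments
with their line wrapping undone (constructed sample input).
"""
import re

SAMPLE_AUDIT_LINES = [
    # Description: capability denial, source and target are the same domain
    'host=localhost.localdomain type=AVC msg=audit(1208660396.559:41): avc:  denied  '
    '{ sys_ptrace } for  pid=9024 comm="gnome-clock-app" capability=19 '
    'scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability',
    # Matching SYSCALL record; not an AVC record, so the parser ignores it
    'host=localhost.localdomain type=SYSCALL msg=audit(1208660396.559:41): '
    'arch=40000003 syscall=85 success=no exit=-13 comm="gnome-clock-app"',
    # Comment 3: process-class denial against the unconfined user domain
    'host=localhost.localdomain type=AVC msg=audit(1209060116.849:27): avc: denied '
    '{ ptrace } for pid=3690 comm="gnome-clock-app" '
    'scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    # Comment 6: getattr on its own process
    'host=buoy type=AVC msg=audit(1209300474.4:23): avc: denied { getattr } for '
    'pid=32724 comm="polkit-resolve-" '
    'scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process',
]

# "avc: denied { perm1 perm2 } for key=value ..." (spacing varies between versions)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="...")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let one domain inspect or control another process; a local
# module granting them deserves a second look (assumption of this example).
SENSITIVE_PERMS = {'ptrace', 'sys_ptrace'}


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def allow_rule(rec):
    """Build the allow rule audit2allow would emit for one parsed denial."""
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    target = 'self' if src == tgt else tgt          # same domain -> "self"
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {target}:{rec['tclass']} {perm_str};"


def needs_review(rec):
    """True when the denial asks for a permission listed in SENSITIVE_PERMS."""
    return bool(SENSITIVE_PERMS.intersection(rec['perms']))


def denials_to_rules(lines):
    """Parse every AVC 'denied' record in lines into an allow rule, in order."""
    return [allow_rule(rec) for rec in map(parse_avc, lines)
            if rec is not None and rec['result'] == 'denied']


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LINES:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        flag = '  # review before loading' if needs_review(rec) else ''
        print(f"{rec['comm']} (pid {rec['pid']}): {allow_rule(rec)}{flag}")
```

Run with no arguments to see the three rules derived from the bug's records; in practice you would feed it lines from /var/log/audit/audit.log and compare the printed rules against the mypol.te that audit2allow wrote, keeping only the ones you are prepared to grant.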

Comment 7 Daniel Walsh 2008-05-06 20:31:02 UTC
Fixed in selinux-policy-3.3.1-45.fc9.noarch