Bug 443276
Summary: | SELinux denial when attempting to set system time with gnome-clock-app | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael Elkins <me> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | rlevi66 |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-05-06 20:31:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Michael Elkins
2008-04-20 03:13:27 UTC
you can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.3.1-37.fc9.noarch Any idea when this rpm will be pushed to rawhide? It still hasn't shown up. I tried the command you listed, but I get an error: [root@localhost melkins]# audit2allow -M mypol -l -i /var/log/audit/audit.log compilation failed: mypol.te:6:ERROR 'syntax error' at token '' on line 6: /usr/bin/checkmodule: error(s) encountered while parsing configuration /usr/bin/checkmodule: loading policy configuration from mypol.te Ok, I had to trigger the error again for audit2allow to work. However, now SELinux gives me a different denial: host=localhost.localdomain type=AVC msg=audit(1209060116.849:27): avc: denied { ptrace } for pid=3690 comm="gnome-clock-app" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process host=localhost.localdomain type=SYSCALL msg=audit(1209060116.849:27): arch=40000003 syscall=85 success=no exit=-13 a0=bf9b6dc8 a1=bf9b6ea8 a2=fff a3=bf9b6dc8 items=0 ppid=1 pid=3690 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) Does the clock get set? No, the system clock does not get set. FWIW, I get this same error if I try to set the timezone as mentioned in bug 442585. I get the same error with selinux-policy-3.3.1-42.fc9.noarch. Source Context: system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Context: system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Objects: None [ process ] Source: polkit-resolve-Source Path: /usr/libexec/polkit-resolve-exe-helper Port: <Unknown>Host: buoySource RPM Packages: PolicyKit-0.8-2.fc9 Target RPM Packages: Policy RPM: selinux-policy-3.3.1-35.fc9 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: catchall Host Name: buoy Platform: Linux buoy 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686 Alert Count: 5 First Seen: Sat 19 Apr 2008 02:00:47 AM CEST Last Seen: Sun 27 Apr 2008 02:47:54 PM CESTLocal ID: 7dd42aba-36bf-46e2-8c18-63da70bd42d7 Line Numbers: Raw Audit Messages :host=buoy type=AVC msg=audit(1209300474.4:23): avc: denied { getattr } for pid=32724 comm="polkit-resolve-" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process host=buoy type=SYSCALL msg=audit(1209300474.4:23): arch=40000003 syscall=3 success=no exit=-13 a0=4 a1=87f2598 a2=fff a3=bf81730c items=0 ppid=32722 pid=32724 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) fixed in selinux-policy-3.3.1-45.fc9.noarch |