Bug 444408

Summary: SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown> (gnomeclock_t).
Product: [Fedora] Fedora
Reporter: Ruben Kerkhof <ruben>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: jkubin
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-28 14:32:36 UTC

Description Ruben Kerkhof 2008-04-28 09:13:43 UTC
Summary:

SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown>
(gnomeclock_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          kl1017dv.cs.ad.klmcorp.net
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     kl1017dv.cs.ad.klmcorp.net
Platform                      Linux kl1017dv.cs.ad.klmcorp.net 2.6.25-1.fc9.i686
                              #1 SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 28 Apr 2008 11:08:58 AM CEST
Last Seen                     Mon 28 Apr 2008 11:08:58 AM CEST
Local ID                      c313b0cc-97b7-4aa4-80ea-d5a39f6a336f
Line Numbers                  

Raw Audit Messages            

host=kl1017dv.cs.ad.klmcorp.net type=AVC msg=audit(1209373738.254:96): avc: 
denied  { getattr } for  pid=10270 comm="polkit-resolve-"
scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process

host=kl1017dv.cs.ad.klmcorp.net type=SYSCALL msg=audit(1209373738.254:96):
arch=40000003 syscall=3 success=no exit=-13 a0=4 a1=8ec15d0 a2=fff a3=bf9c64ac
items=0 ppid=10241 pid=10270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-28 14:32:36 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-43.fc9.noarch
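
Added example, not part of the original report and not audit2allow's own code: a simplified Python sketch of how an AVC denial maps to the type-enforcement rule a local module would carry, so the rule can be reviewed before it is loaded with `semodule -i`. The function names are hypothetical; the sample record is the AVC line from this report, re-joined onto one line.

```python
import re
from collections import defaultdict

# AVC record copied from the report above, re-joined (the page wraps it).
SAMPLE_AVC = (
    'host=kl1017dv.cs.ad.klmcorp.net type=AVC msg=audit(1209373738.254:96): '
    'avc: denied  { getattr } for  pid=10270 comm="polkit-resolve-" '
    'scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:mls-range]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'perms': m.group('perms').split(), 'comm': fields.get('comm'),
            'stype': stype, 'ttype': ttype, 'tclass': tclass}


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        # Same source and target type is written as "self" in policy.
        target = 'self' if rec['stype'] == rec['ttype'] else rec['ttype']
        merged[(rec['stype'], target, rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules([SAMPLE_AVC])))
```

With `-l`, audit2allow reads every denial logged since the last policy reload, so the generated module can contain rules for denials other than this one. `audit2allow -M mypol` also writes `mypol.te` next to `mypol.pp`, and that file can be read before running `semodule -i`.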