Bug 464405

Summary: System-config-services: AVC denial
Product: [Fedora] Fedora
Reporter: Barry Clarke <clarke.barry>
Component: system-config-services
Assignee: Nils Philippsen <nphilipp>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, nphilipp, poelstra
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-10-29 08:57:50 UTC

Description Barry Clarke 2008-09-28 09:36:14 UTC
Description of problem:
system-config-services: AVC denial

Version-Release number of selected component (if applicable):
system-config-services 0.99.23

How reproducible:
Consistent
In case it's useful, this system was installed from the Fedora 10 x64 live/KDE image.

Steps to Reproduce:
1. From console, `system-config-services`
2. Fails to open. AVC denial occurs.

Expected results:
system-config-services applet should appear.

Additional info:
Two setroubleshoot messages (below). Executing
chcon -t bin_t '/usr/share/system-config-services/system-config-services-mechanism.py'
as suggested allows the applet to open; presumably a duff context?

+----------------------------+
Summary:

SELinux is preventing the lnusertemp from using potentially mislabeled files
(./root).

Detailed Description:

SELinux has denied lnusertemp access to potentially mislabeled file(s) (./root).
This means that SELinux will not allow lnusertemp to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want lnusertemp to access this files, you need to relabel them using
restorecon -v './root'. You might want to relabel the entire directory using
restorecon -R -v './root'.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./root [ dir ]
Source                        lnusertemp
Source Path                   /usr/libexec/kde4/lnusertemp
Port                          <Unknown>
Host                          dell.home.0ctal.co.uk
Source RPM Packages           kdelibs-4.1.1-5.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.7-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     dell.home.0ctal.co.uk
Platform                      Linux dell.home.0ctal.co.uk
                              2.6.27-0.352.rc7.git1.fc10.x86_64 #1 SMP Tue Sep
                              23 21:13:29 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 25 Sep 2008 10:37:39 PM BST
Last Seen                     Sun 28 Sep 2008 10:08:37 AM BST
Local ID                      40a45840-27a5-4ee8-bbbc-9745ef97f526
Line Numbers                  

Raw Audit Messages            

node=dell.home.0ctal.co.uk type=AVC msg=audit(1222592917.671:10): avc:  denied  { write } for  pid=2593 comm="lnusertemp" name="root" dev=sda3 ino=98305 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222592917.671:10): arch=c000003e syscall=83 success=no exit=-13 a0=7fff19cba800 a1=1c0 a2=ffffffff a3=ff7 items=0 ppid=2429 pid=2593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
+----------------------------+
Summary:

SELinux is preventing the dbus-daemon-lau (system_dbusd_t) from executing
./system-config-services-mechanism.py.

Detailed Description:

SELinux has denied the dbus-daemon-lau from executing
./system-config-services-mechanism.py. If dbus-daemon-lau is supposed to be able
to execute ./system-config-services-mechanism.py, this could be a labeling
problem. Most confined domains are allowed to execute files labeled bin_t. So
you could change the labeling on this file to bin_t and retry the application.
If this dbus-daemon-lau is not supposed to execute
./system-config-services-mechanism.py, this could signal a intrusion attempt.

Allowing Access:

If you want to allow dbus-daemon-lau to execute
./system-config-services-mechanism.py: chcon -t bin_t
'./system-config-services-mechanism.py' If this fix works, please update the
file context on disk, with the following command: semanage fcontext -a -t bin_t
'./system-config-services-mechanism.py' Please specify the full path to the
executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./system-config-services-mechanism.py [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          dell.home.0ctal.co.uk
Source RPM Packages           dbus-1.2.3-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.7-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     dell.home.0ctal.co.uk
Platform                      Linux dell.home.0ctal.co.uk
                              2.6.27-0.352.rc7.git1.fc10.x86_64 #1 SMP Tue Sep
                              23 21:13:29 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 26 Sep 2008 10:09:59 PM BST
Last Seen                     Sun 28 Sep 2008 10:10:43 AM BST
Local ID                      a21e6a58-ae98-43f4-b4ce-c3563fdbde42
Line Numbers                  

Raw Audit Messages            

node=dell.home.0ctal.co.uk type=AVC msg=audit(1222593043.167:15): avc:  denied  { execute } for  pid=3024 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=sda3 ino=22914 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222593043.167:15): arch=c000003e syscall=59 success=no exit=-13 a0=6c77f0 a1=6c76e0 a2=6c6010 a3=696e616863656d2d items=0 ppid=3023 pid=3024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
+----------------------------+
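
The two denials quoted above are the kind a defender triages by correlating each AVC record with the SYSCALL record that shares its audit(timestamp:serial) id, so that the executable, the syscall and the errno are seen next to the source and target contexts. The Python below is an added example and is not code from this bug report, from system-config-services or from setroubleshoot. It takes the four raw audit lines from the description (copied here as sample input), joins AVC and SYSCALL records by event id, and applies the heuristic setroubleshoot itself states in its text (confined domains execute files labeled bin_t; treating `*_exec_t` entrypoint types the same way is my assumption) to separate a probable labeling problem from an ordinary policy denial. The record field names follow the audit format; the finding keys and assessment strings are my own.

```python
import errno
import re
from collections import defaultdict

# Raw audit records copied from the setroubleshoot output quoted in this bug.
SAMPLE_AUDIT_LINES = [
    'node=dell.home.0ctal.co.uk type=AVC msg=audit(1222592917.671:10): avc:  denied  { write } for  pid=2593 comm="lnusertemp" name="root" dev=sda3 ino=98305 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222592917.671:10): arch=c000003e syscall=83 success=no exit=-13 a0=7fff19cba800 a1=1c0 a2=ffffffff a3=ff7 items=0 ppid=2429 pid=2593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'node=dell.home.0ctal.co.uk type=AVC msg=audit(1222593043.167:15): avc:  denied  { execute } for  pid=3024 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=sda3 ino=22914 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222593043.167:15): arch=c000003e syscall=59 success=no exit=-13 a0=6c77f0 a1=6c76e0 a2=6c6010 a3=696e616863656d2d items=0 ppid=3023 pid=3024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)',
]

# type=AVC msg=audit(<ts>:<serial>): <body>
HEADER_RE = re.compile(r'type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k="v v"' into a dict, stripping the quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {'type': m.group('type'), 'event': (float(m.group('ts')), int(m.group('serial')))}
    body = m.group('body')
    if rec['type'] == 'AVC':
        a = AVC_RE.search(body)
        if not a:
            return None
        rec['decision'] = a.group('decision')
        rec['perms'] = a.group('perms').split()
        rec.update(parse_fields(a.group('fields')))
    else:
        rec.update(parse_fields(body))
    return rec


def group_events(lines):
    """Join records that share the same audit(ts:serial) id, keyed by record type."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['event']][rec['type']] = rec
    return events


def errno_name(exit_value):
    """Map a SYSCALL exit value such as '-13' to its errno name ('EACCES')."""
    try:
        code = -int(exit_value)
    except (TypeError, ValueError):
        return None
    return errno.errorcode.get(code)


def triage_event(ev):
    """Build a finding for a denied AVC event, using the SYSCALL record when present."""
    avc = ev.get('AVC')
    if avc is None or avc['decision'] != 'denied':
        return None
    sc = ev.get('SYSCALL', {})
    ttype = context_type(avc.get('tcontext', '')) or ''
    finding = {
        'event': avc['event'],
        'source_domain': context_type(avc.get('scontext', '')),
        'source_exe': sc.get('exe', avc.get('comm')),
        'perms': avc['perms'],
        'target': avc.get('name'),
        'target_type': ttype,
        'tclass': avc.get('tclass'),
        'syscall': sc.get('syscall'),
        'errno': errno_name(sc.get('exit')),
    }
    # Heuristic (assumption): executables in targeted policy carry bin_t or a *_exec_t
    # entrypoint type, so an execute denial on any other type is usually a label problem.
    if 'execute' in avc['perms'] and avc.get('tclass') == 'file' \
            and ttype != 'bin_t' and not ttype.endswith('_exec_t'):
        finding['assessment'] = ('execute denied on a file whose type is not an executable type; '
                                 'check the expected label with matchpathcon/restorecon before touching policy')
    else:
        finding['assessment'] = ('access denied by policy; confirm the target label is correct, '
                                 'then decide between restorecon, a boolean or a policy fix')
    return finding


def triage(lines):
    """Return findings for all denied events, in audit order."""
    findings = []
    for event_id in sorted(group_events(lines)):
        f = triage_event(group_events(lines)[event_id])
        if f is not None:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f"{f['source_domain']} ({f['source_exe']}) {f['perms']} -> {f['target']} [{f['target_type']} {f['tclass']}]"
              f" syscall={f['syscall']} {f['errno']}: {f['assessment']}")
```

Run as-is it reports the write denial from xdm_t as a plain policy denial to investigate, and the execute denial from system_dbusd_t on the usr_t-labelled mechanism script as a probable labeling problem, which matches the direction the bug took. On a live system the same `triage()` can be fed the output of `ausearch -m AVC,SYSCALL` instead of the embedded lines. Note that the `chcon` workaround in the description changes only the on-disk label of one file and is undone by the next relabel; the durable fix is a correct file-context rule in policy, which is what closing the bug in Rawhide delivered.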

Comment 1 Nils Philippsen 2008-10-10 14:24:20 UTC
The files on your Live CD seem to be mislabeled, does this happen with newer ISOs as well?

Comment 2 Barry Clarke 2008-10-10 14:45:15 UTC
Nils - Will check this in the next few days. http://ftp.linux.org.uk/pub/distributions/fedora/linux/releases/test/10-Beta/Live/x86_64/F10-Beta-x86_64-Live.iso has recently been updated, so I'll go with that.

Barry

Comment 3 John Poelstra 2008-10-22 21:29:05 UTC
Hi,

Anything to report back?

Thanks

Comment 4 Barry Clarke 2008-10-22 22:41:17 UTC
John

Sorry, on a course at the moment...

Barry

Comment 5 Barry Clarke 2008-10-28 22:25:10 UTC
Hi

I finally managed to get this tested, and you'll be pleased to know I don't see this issue anymore!

cheers