Bug 515629

Summary: setroubleshoot: SELinux is preventing the polkitd from using potentially mislabeled files (user-dirs.dirs).
Product: [Fedora] Fedora Reporter: Vikas Bhargava <lionking_1996-redhatbugzilla>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:0180b4475e92d427884ba5bc257c4724dbf3cd635d6f2495f76005df9c84e0fb
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-10 10:26:34 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 473303    

Description Vikas Bhargava 2009-08-04 23:04:08 EDT
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing the polkitd from using potentially mislabeled files
(user-dirs.dirs).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied polkitd access to potentially mislabeled file(s)
(user-dirs.dirs). This means that SELinux will not allow polkitd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want polkitd to access this files, you need to relabel them using
restorecon -v 'user-dirs.dirs'. You might want to relabel the entire directory
using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                user-dirs.dirs [ file ]
Source                        polkitd
Source Path                   /usr/libexec/polkit-1/polkitd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.93-3.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.26-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   home_tmp_bad_labels
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.122.rc5.git2.fc12.i686.PAE #1 SMP Mon Aug
                              3 12:59:02 EDT 2009 i686 i686
Alert Count                   6
First Seen                    Sat 01 Aug 2009 09:50:39 PM EDT
Last Seen                     Tue 04 Aug 2009 10:37:39 PM EDT
Local ID                      302a633b-442a-41ca-a5c6-b7551d474a1d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1249439859.255:23361): avc:  denied  { read } for  pid=1735 comm="polkitd" name="user-dirs.dirs" dev=sdc3 ino=4776102 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1249439859.255:23361): avc:  denied  { open } for  pid=1735 comm="polkitd" name="user-dirs.dirs" dev=sdc3 ino=4776102 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1249439859.255:23361): arch=40000003 syscall=5 success=yes exit=7 a0=88ec0b8 a1=8000 a2=0 a3=88ec0e0 items=0 ppid=1734 pid=1735 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= policykit_t ==============
allow policykit_t admin_home_t:file { read open };
Comment 1 Vikas Bhargava 2009-08-04 23:07:39 EDT
Rebooted PC after today's rawhide updates and logged into KDE session using kdm as login manager.
Comment 2 Daniel Walsh 2009-08-05 16:50:38 EDT
Are you attempting to login in as root?  This is not supported by selinux.
Comment 3 Vikas Bhargava 2009-08-05 22:24:35 EDT
No, I am trying to login as a regular user. 

I use sudo to run any root privileged commands, but I get this alert as soon as I login.

The only application that is setup to autostart on login is Gkrellm.
Comment 4 Daniel Walsh 2009-08-06 08:11:53 EDT
Do you have a user-dirs.dirs in /root?  If you remove it does the AVC go away.  If you put the machine into enforcing mode, does the AVC go away?
Comment 5 Vikas Bhargava 2009-08-06 09:26:52 EDT
I do not have the file in the /root directory, but in /root/.config/ directory.

Renaming that file to user-dirs.dirs.old and rebooting does not cause the alert in either enforcing or permissive mode.
Comment 6 Daniel Walsh 2009-08-10 10:26:34 EDT
If you were running in enforcing mode, this avc would not have come up, and removing the file seems to eliminate the AVC.  So I am going to close as not a bug.