Description Bruno Wolff III
2009-09-19 17:11:07 UTC
The following was filed automatically by setroubleshoot:
Summary:
SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on /root.
Detailed Description:
SELinux denied access requested by polkitd. It is not expected that this access
is required by polkitd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.
Additional Information:
Source Context        system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context        unconfined_u:object_r:user_home_dir_t:s0
Target Objects        /root [ dir ]
Source                polkitd
Source Path           /usr/libexec/polkit-1/polkitd
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   polkit-0.95-0.git20090913.2.fc12
Target RPM Packages   filesystem-2.4.30-2.fc12
Policy RPM            selinux-policy-3.6.32-6.fc12
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             (removed)
Platform              Linux games1.wolff.to 2.6.31-23.fc12.i686.PAE #1
                      SMP Wed Sep 16 15:53:47 EDT 2009 i686 i686
Alert Count           2
First Seen            Sat 19 Sep 2009 10:31:57 AM CDT
Last Seen             Sat 19 Sep 2009 11:39:03 AM CDT
Local ID              49ea7bb5-6e73-429f-9e99-38935fa1e36a
Line Numbers
Raw Audit Messages
node=games1.wolff.to type=AVC msg=audit(1253378343.997:12): avc: denied { search } for pid=1787 comm="polkitd" name="root" dev=dm-1 ino=89938 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
node=games1.wolff.to type=SYSCALL msg=audit(1253378343.997:12): arch=40000003 syscall=5 success=no exit=-13 a0=8747ce0 a1=8000 a2=0 a3=8747d08 items=0 ppid=1786 pid=1787 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
audit2allow suggests:
#============= policykit_t ==============
allow policykit_t user_home_dir_t:dir search;
This will be fixed by an update to libsemanage
libsemanage-2.0.38-2
genhomedircon
restorecon -R -v /root
This should happen automatically the next time libsemanage and selinux-policy get updated.