Bug 559574
| Summary: | SELinux is preventing /usr/libexec/polkit-1/polkitd "search" access on /root/.config. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Elad Alfassa <elad> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | low |
| Version: | 12 | CC: | b2062407, bioreef, bnrj.rudra, boeuf32, bucky, c.cerbo, christopher10316, chrisw01, cia.watson, cierta, dan, daryl.francis.thompson, drag.os79, drfudgeboy, dvdriddell, dwalsh, ehicks, ezequiel.caridad, flbrasov, gaetan, gdt, idht4n, jduttontwo, jl.deloos, jocagovi, john, joropo, joy.career, jugon9002, julian.amani, keith.flynn, leoncogs, luis_1320005, martin.nad89, matt, mgrepl, michkin_a, pablo.lona, panormitis, ralf.schneider, ranban282, red.ostrava, rep01, rippeltippel, rnichols42, sergmerkelov, stephan.rozendaal, the_djmaze, todhunter, unix63, wikouk, zikamev, Zscoundrel |
| Hardware: | x86_64 | OS: | Linux |
| Whiteboard: | setroubleshoot_trace_hash:6c76d2f99eff04581b0e904a8e6dc484230a9ea9e325a6ebbaf4de589678c23d | | |
| Fixed In Version: | 3.6.32-84.fc12 | Doc Type: | Bug Fix |
| Last Closed: | 2010-02-11 14:41:06 UTC | | |
Description
Elad Alfassa
2010-01-28 14:26:46 UTC
Miroslav, I think we should change to gnome_read_config(policykit_t)

elad, did you log in as root via X? Not a good idea. You can just remove that directory and policykit will stop complaining.

```
rm -R /root/.config
```

The last time I connected as root via X was two years ago, when I was new to Linux, and I did it only once. I saw this message when I logged in as my normal user (not root).

Right, but I think the file might be left around since then. Anyway, it would have been blocked if you were in enforcing mode, and removing the directory should not cause you a problem. Miroslav will have a fix out in a couple of weeks, I am sure.

Fixed in selinux-policy-3.6.32-79.fc12

selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492

I tried to install the update and got an error. Here is a copy of the yum session:

```
su -c 'yum --enablerepo=updates-testing update selinux-policy'
Password:
Loaded plugins: dellsysidplugin2, presto, refresh-packagekit
updates-testing/metalink | 6.7 kB 00:00
http://fedora.fastsoft.net/pub/linux/fedora/linux/updates/testing/12/i386/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - ""
Trying other mirror.
updates-testing | 4.4 kB 00:00
updates-testing/primary_db | 921 kB 00:27
Setting up Update Process
No Packages marked for Update
```

It probably has not reached your mirror yet.

Successfully installed the update, but still get the same warnings at startup. Do I need to force relabel? I've tried a couple of times but not since I applied updated policies. I'll also remove the /root/.config file again.
Are you sure you are getting the same error?

What does this output?

```
# ausearch -m avc -ts recent -i
```

I shall muddy the waters a bit. When I received the first selinux report of this problem I was running with selinux set to permissive and during the next boot I received another selinux warning. I then changed selinux to enforcing. It seems strange - but, I have not received any selinux interventions on numerous subsequent boots. And I have not installed the update.

That is because permissive and enforcing work slightly differently. If I am in enforcing mode and my policy dontaudits search by process a_t of a directory of type b_t, the app a_t will stop and go down a different code path. In permissive mode a_t will be allowed to read the b_t directory and will proceed to try to read files labeled b_t. If we don't have dontaudit rules for process a_t reading files b_t, avc messages will get generated.

>> Are you sure you are getting the same error?
>>
>> What does this output?
>> # ausearch -m avc -ts recent -i
```
$ ausearch -m avc -ts recent -i
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
Error opening /var/log/audit/audit.log (Permission denied)
$
```
Set selinux to enforcing mode. Upon reboot, SELinux popped up with a message about two warnings about potential issues. However, when I click to show the error details, SELinux pops up with a 0 problems detected, 0 of 0 display. I'm a bit confused.

Chris you need to run ausearch as root. There is a new setroubleshoot bug which will stop reporting old avcs as new.

I installed the update with su -c 'yum --enablerepo=updates-testing update selinux-policy' and got no more complaints since then. Thanks a lot for the fix!

Daniel: Ran ausearch as root:

```
[chris@ChrisDELL ~]$ su
Password:
[root@ChrisDELL chris]# ausearch -m avc -ts recent -i
<no matches>
[root@ChrisDELL chris]# exit
exit
```

Good, that means SELinux is not complaining about anything. You can also try the new setroubleshoot.

```
# yum update setroubleshoot\* --enablerepo=updates-testing
```

selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
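The permissive-versus-enforcing difference explained in the thread above can be reproduced with a small model. This is an added example, not code from the bug report or from selinux-policy: the rule sets, function names and the abbreviated record format are constructed, and `a_t`/`b_t` are the placeholder types used in the thread.

```python
# Simplified model of an SELinux access check (constructed for illustration).
# a_t and b_t are the placeholder types from the thread; the record format
# below is abbreviated and is not real audit.log output.

def check(mode, allow, dontaudit, src, tgt, tclass, perm, log):
    """Return True if the access goes ahead; append a record if it is audited."""
    rule = (src, tgt, tclass, perm)
    if rule in allow:
        return True
    if rule not in dontaudit:          # dontaudit silences the record only
        log.append(f"avc: denied {{ {perm} }} scontext={src} "
                   f"tcontext={tgt} tclass={tclass}")
    return mode == "permissive"        # permissive: logged but not blocked


def read_config_dir(mode, allow, dontaudit):
    """Process a_t searches a b_t directory, then reads a b_t file inside it."""
    log = []
    if check(mode, allow, dontaudit, "a_t", "b_t", "dir", "search", log):
        # Only reached when the search was not blocked, i.e. in permissive mode.
        for perm in ("getattr", "open", "read"):
            check(mode, allow, dontaudit, "a_t", "b_t", "file", perm, log)
    return log


# Policy as described in the thread: only the directory search is dontaudited.
SEARCH_ONLY = {("a_t", "b_t", "dir", "search")}
# Same policy with dontaudit rules added for the file accesses as well.
WITH_FILES = SEARCH_ONLY | {("a_t", "b_t", "file", p)
                            for p in ("getattr", "open", "read")}

if __name__ == "__main__":
    for mode in ("enforcing", "permissive"):
        print(mode, read_config_dir(mode, set(), SEARCH_ONLY))
    print("permissive, file dontaudit added:",
          read_config_dir("permissive", set(), WITH_FILES))
```

In enforcing mode the search is denied silently and the process never reaches the files, so nothing is logged; in permissive mode the same policy yields file-level records that enforcing mode would never produce.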