Bug 647588
| Summary: | SELinux is preventing /usr/bin/gnome-screensaver "execute" access on /usr/bin/octave-3.2.4. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David <idht4n> | ||||
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 14 | CC: | aaltmann, ajw7v3, bnocera, dannyel.olivares, dwalsh, dzrudy, edosurina, gregor, igeorgex, jbox_ny, jmccann, joostvandorp, kedarnp, mclasen, mdeggers, mgrepl, moritz, musa_abuh, nsoranzo, pkgale, rstrode, tsudakazuki | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | setroubleshoot_trace_hash:375cdcffdcbb09f8eac25784486f0b248f4855ddfa64bc48991cab7b2808d79d | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-08-16 22:17:59 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
David
2010-10-28 20:33:15 UTC
Why is gnome-screensaver executing octave? You can easily add this with You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp But it might bring on additional avc's *** Bug 648308 has been marked as a duplicate of this bug. *** (In reply to comment #1) > Why is gnome-screensaver executing octave? You can easily add this with > I have no idea. I just saw a SELINUX warning and reported it. I can't imaging what the sreensaver is doing with octave... maybe generating some pretty plots? *** Bug 649329 has been marked as a duplicate of this bug. *** What is strange is gnome-screensaver is running as xdm_t. Which does not make much sense. What does ps -eZ |grep screensaver output (In reply to comment #5) > What does > ps -eZ |grep screensaver > > output ps -eZ | grep screensaver outputs nothing. ps -Zaux |grep screensaver outputs this: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 idht4n 10165 0.0 0.4 30972 5028 ? Ss Oct30 0:32 gnome-screensaver Which is correct and would not cause the problem you saw. Lets close this and reopen if it happens again. it happens here too. I suggest reopening it. Which login manager are you using kde? gdm? The login program should not be execing the screensaver? gdm, and I agree it shouldn't start the screensaver which in turn should leave octave alone Do you have any idea what was going on when this happened? Switch user? Machine logged out? *** Bug 655378 has been marked as a duplicate of this bug. *** I have been auto-cc'd on a duplicate of this one (bug #649329). My gnome-screensaver apparently tried to access /usr/bin/consolehelper. What I did was to log in from GDM. I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even kicked in yet... This is a relatively fresh F14 install from scratch. $ rpm -qf /usr/bin/gnome-screensaver /usr/bin/consolehelper gnome-screensaver-2.30.2-2.fc14.i686 usermode-1.106.1-1.fc14.i686 $ ps Zaux |grep screensaver unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 barsnick 2286 0.0 0.2 30220 2660 ? Ss 07:56 0:00 gnome-screensaver Moritz Created attachment 463431 [details]
SELinux security alert from /usr/bin/gnome-screensaver executing /usr/bin/consolehelper
I wrote:
> I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even kicked in yet...
Totally wrong, that was the SELinux alert tool-tip, d'uh. So in conclusion, I didn't do anything but log on to get the error, unless it occurred in a previous session.
Any chance gnome-screensaver is being started before pam_selinux is being called? Although gnome-screensaver seems to be running with the correct context, unconfined_t. *** Bug 658679 has been marked as a duplicate of this bug. *** This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component. This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |