Bug 662293
| Summary: | SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from 'write' accesses on the file /var/lib/abl/users.db. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f57b40a7cf4495f0ce9633af9c0544b95fef898cb7c6e4dd322a12ca17dbf177 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-14 09:13:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Does it work with # grep -r policykit_auth_t /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Probably should be allowed. Yes, added to selinux-policy-3.9.10-11.fc15. |
SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from 'write' accesses on the file /var/lib/abl/users.db. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that polkit-agent-helper-1 should be allowed write access on the users.db file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/libexec/polkit-1/polkit-agent-helper-1 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c 0.c1023 Target Context system_u:object_r:var_auth_t:s0 Target Objects /var/lib/abl/users.db [ file ] Source polkit-agent-he Source Path /usr/libexec/polkit-1/polkit-agent-helper-1 Port <Inconnu> Host (removed) Source RPM Packages polkit-0.98-5.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.10-10.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.37-0.rc5.git2.1.fc15.x86_64 #1 SMP Thu Dec 9 19:08:58 UTC 2010 x86_64 x86_64 Alert Count 4 First Seen sam. 11 déc. 2010 10:49:06 CET Last Seen sam. 11 déc. 2010 10:52:24 CET Local ID c6fcd9b1-55aa-4a40-80e2-a22704f88be3 Raw Audit Messages type=AVC msg=audit(1292061144.865:1300): avc: denied { write } for pid=12352 comm="polkit-agent-he" name="users.db" dev=dm-1 ino=41581 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=file polkit-agent-he,policykit_auth_t,var_auth_t,file,write type=SYSCALL msg=audit(1292061144.865:1300): arch=x86_64 syscall=open success=no exit=EACCES a0=127a650 a1=2 a2=0 a3=16 items=0 ppid=1942 pid=12352 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null) polkit-agent-he,policykit_auth_t,var_auth_t,file,write #============= policykit_auth_t ============== allow policykit_auth_t var_auth_t:file write;