Bug 670006

Summary: SELinux is preventing /usr/libexec/gsd-datetime-mechanism "unlink" access on localtime.
Product: [Fedora] Fedora
Reporter: Jeremy Baudoin <jacquesstud04>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, jacquesstud04, mgrepl
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:3d2e602debab90368e5d3be2a49df6942ace467702444567c3960397800dc7c1
Doc Type: Bug Fix
Last Closed: 2011-01-17 11:49:15 UTC

Description Jeremy Baudoin 2011-01-16 16:48:23 UTC
Summary:

SELinux is preventing /usr/libexec/gsd-datetime-mechanism "unlink" access on
localtime.

Detailed Description:

SELinux denied access requested by gsd-datetime-me. It is not expected that this
access is required by gsd-datetime-me and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                localtime [ file ]
Source                        gsd-datetime-me
Source Path                   /usr/libexec/gsd-datetime-mechanism
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-settings-daemon-2.32.0-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-45.fc14.i686
                              #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Wed 25 Apr 2007 07:35:30 PM CDT
Last Seen                     Wed 25 Apr 2007 07:58:19 PM CDT
Local ID                      4ab08dd1-3f15-4fcf-a4b5-56375121d53f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1177549099.458:46): avc:  denied  { unlink } for  pid=13728 comm="gsd-datetime-me" name="localtime" dev=dm-0 ino=6387 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1177549099.458:46): arch=40000003 syscall=38 success=no exit=-13 a0=97083b8 a1=804d50d a2=10f927c a3=b7856818 items=0 ppid=1 pid=13728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gsd-datetime-me" exe="/usr/libexec/gsd-datetime-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,gsd-datetime-me,gnomeclock_t,etc_t,file,unlink
audit2allow suggests:

#============= gnomeclock_t ==============
allow gnomeclock_t etc_t:file unlink;

Comment 1 Miroslav Grepl 2011-01-17 11:49:15 UTC
execute:

restorecon -R -v /etc/localtime

Will fix.

*** This bug has been marked as a duplicate of bug 653867 ***