Bug 671227

Summary: SELinux is preventing /usr/bin/pinentry-qt4 "getattr" access on /.
Product: [Fedora] Fedora Reporter: Walt <waltsaw>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 13CC: dwalsh, mgrepl, waltsaw
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:ad6e03de4484ccfd2f11ab8134f2bc1e2f1c550b60a3b473fdf0bbd501934a8d
Fixed In Version: selinux-policy-3.7.19-89.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-17 18:48:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Walt 2011-01-20 19:13:36 UTC 
Summary:

SELinux is preventing /usr/bin/pinentry-qt4 "getattr" access on /.

Detailed Description:

SELinux denied access requested by pinentry-qt. It is not expected that this
access is required by pinentry-qt and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                user_u:user_r:gpg_pinentry_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        pinentry-qt
Source Path                   /usr/bin/pinentry-qt4
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           pinentry-qt-0.8.0-3.fc13
Target RPM Packages           sahana-2-1.4
Policy RPM                    selinux-policy-3.7.19-76.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-66.fc13.i686 #1
                              SMP Wed Dec 15 07:40:25 UTC 2010 i686 i686
Alert Count                   215
First Seen                    Tue 04 Jan 2011 07:20:25 AM EST
Last Seen                     Tue 18 Jan 2011 10:04:02 PM EST
Local ID                      effe41dd-0af3-416c-be5b-c2503b58fd07
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1295406242.90:121537): avc:  denied  { getattr } for  pid=32491 comm="pinentry-qt" name="/" dev=dm-0 ino=2 scontext=user_u:user_r:gpg_pinentry_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

node=(removed) type=SYSCALL msg=audit(1295406242.90:121537): arch=40000003 syscall=99 success=no exit=-13 a0=99a2008 a1=bfc40acc a2=bf5ff4 a3=ffffffb8 items=0 ppid=5015 pid=32491 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="pinentry-qt" exe="/usr/bin/pinentry-qt4" subj=user_u:user_r:gpg_pinentry_t:s0 key=(null)



Hash String generated from  catchall,pinentry-qt,gpg_pinentry_t,fs_t,filesystem,getattr
audit2allow suggests:

#============= gpg_pinentry_t ==============
allow gpg_pinentry_t fs_t:filesystem getattr;
Comment 1 Daniel Walsh 2011-01-20 20:15:03 UTC 
Miroslav add

fs_getattr_xattr_fs(gpg_pinentry_t)
Comment 2 Miroslav Grepl 2011-01-27 13:50:14 UTC 
Fixed in selinux-policy-3.7.19-87.fc13
Comment 3 Fedora Update System 2011-02-04 10:31:15 UTC 
selinux-policy-3.7.19-89.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 4 Fedora Update System 2011-02-04 19:48:23 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-89.fc13
Comment 5 Fedora Update System 2011-03-17 18:48:01 UTC 
selinux-policy-3.7.19-89.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.