Bug 684606
| Summary: | SELinux is preventing xfce4-notifyd from 'open' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christoph Wickert <christoph.wickert> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:6476a9e6c1cf4b5252f42c456603e786ccedb99ad68b50a0519c213cccef6a65 | ||
| Fixed In Version: | selinux-policy-3.9.7-37.fc14 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-03-22 18:52:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 678917 | ||
There is a few more errors from the new xfce4-notifyd:
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed getattr access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:fonts_cache_t:s0
Target Objects /var/cache/fontconfig
/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed)
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:51 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID d7b7c1d8-f62b-4b25-91b9-0b25e3df6c57
Raw Audit Messages
type=AVC msg=audit(1299059606.413:8979): avc: denied { getattr } for pid=4467 comm="xfce4-notifyd" path="/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1299059606.413:8979): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8d00 a2=7fffd98c8d00 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,getattr
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file getattr;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file getattr;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:fonts_cache_t:s0
Target Objects /var/cache/fontconfig
/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:51 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID 3d61b6f7-b1dc-48c2-8ba8-8f1be3580735
Raw Audit Messages
type=AVC msg=audit(1299059606.413:8978): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=AVC msg=audit(1299059606.413:8978): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };
SELinux is preventing xfce4-notifyd from 'open' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed open access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:fonts_t:s0
Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source xfce4-notifyd
Source Path xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages
Target RPM Packages dejavu-sans-fonts-2.32-1.fc14
Policy RPM selinux-policy-3.9.7-29.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Sa 12 Feb 2011 17:58:11 CET
Last Seen Sa 12 Feb 2011 17:58:11 CET
Local ID 2e52f00a-ccac-42ce-af7c-3a2facc6f753
Raw Audit Messages
type=AVC msg=audit(1297529891.576:444): avc: denied { open } for pid=14029 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,open
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file open;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file open;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed read access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:fonts_t:s0
Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages dejavu-sans-fonts-2.32-1.fc14
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed)
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:51 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID a69c2275-b906-4324-8846-ae234c29e59b
Raw Audit Messages
type=AVC msg=audit(1299059606.416:8982): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1299059606.416:8982): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=SYSCALL msg=audit(1299059606.416:8982): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=151b9a0 a1=0 a2=0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,read
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file { read open };
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file { read open };
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed getattr access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:fonts_t:s0
Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages dejavu-sans-fonts-2.32-1.fc14
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed)
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:51 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID 7f46ef73-91b7-443f-b2f9-462f6386b7ff
Raw Audit Messages
type=AVC msg=audit(1299059606.416:8983): avc: denied { getattr } for pid=4467 comm="xfce4-notifyd" path="/usr/share/fonts/dejavu/DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=SYSCALL msg=audit(1299059606.416:8983): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8df0 a2=7fffd98c8df0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,getattr
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file getattr;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file getattr;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'execute_no_trans' accesses on the file /usr/lib64/xfce4/notifyd/xfce4-notifyd.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed execute_no_trans access on the xfce4-notifyd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:lib_t:s0
Target Objects /usr/lib64/xfce4/notifyd/xfce4-notifyd [ file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages xfce4-notifyd-0.2.1-1.fc14
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:50 CET
Last Seen Mi 02 Mär 2011 10:53:25 CET
Local ID 04cc81e6-a711-48b1-bc9d-4914fbc11d8b
Raw Audit Messages
type=AVC msg=audit(1299059605.936:8975): avc: denied { execute_no_trans } for pid=4467 comm="dbus-daemon" path="/usr/lib64/xfce4/notifyd/xfce4-notifyd" dev=dm-0 ino=269085 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1299059605.936:8975): arch=x86_64 syscall=execve success=yes exit=0 a0=7f517ff94680 a1=7f517ff9c3f0 a2=7f517ff94710 a3=7fff3bad38a0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,lib_t,file,execute_no_trans
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t lib_t:file execute_no_trans;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t lib_t:file execute_no_trans;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-aYIsZh6srU.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed connectto access on the dbus-aYIsZh6srU unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Objects @/tmp/dbus-aYIsZh6srU [ unix_stream_socket ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:50 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID afd9d9b1-b5d5-47b5-a15e-49b30a24f635
Raw Audit Messages
type=AVC msg=audit(1299059606.78:8976): avc: denied { connectto } for pid=4467 comm="xfce4-notifyd" path=002F746D702F646275732D615949735A6836737255 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1299059606.78:8976): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffd98cbae0 a2=17 a3=0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,xdm_dbusd_t,unix_stream_socket,connectto
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:unix_stream_socket connectto;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:unix_stream_socket connectto;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed connectto access on the X0 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects @/tmp/.X11-unix/X0 [ unix_stream_socket ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:50 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID cb654d66-e138-4331-9252-c942562bd1ca
Raw Audit Messages
type=AVC msg=audit(1299059606.85:8977): avc: denied { connectto } for pid=4467 comm="xfce4-notifyd" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1299059606.85:8977): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fffd98cba90 a2=14 a3=7fffd98cba93 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,xserver_t,unix_stream_socket,connectto
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:fonts_cache_t:s0
Target Objects /var/cache/fontconfig
/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
file ]
Source xfce4-notifyd
Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port <Unbekannt>
Host (removed)
Source RPM Packages xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux denkermatic.localdomain
2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
UTC 2011 x86_64 x86_64
Alert Count 5
First Seen Sa 12 Feb 2011 08:57:51 CET
Last Seen Mi 02 Mär 2011 10:53:26 CET
Local ID 3d61b6f7-b1dc-48c2-8ba8-8f1be3580735
Raw Audit Messages
type=AVC msg=audit(1299059606.413:8978): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=AVC msg=audit(1299059606.413:8978): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read
audit2allow
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };
audit2allow -R
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };
AFAICS we need
- open, getattr and read for /var/cache/fontconfig/*
- open, getattr and read for /usr/share/fonts/*/*.ttf
- connect_to for @/tmp/dbus-* and @/tmp/.X11-unix/X0.
Or is there an easier way? I wonder why xfce4-notifyd is executed with xdm_dbusd_t context.
I forgot to mention that the problem only seems to appear when waking up from standby. We have in policy dbus_role_template(xdm, system_r, xdm_t) to use dbus to start other processes as xdm_t. #============= xdm_dbusd_t ============== allow xdm_dbusd_t lib_t:file execute_no_trans; Looks like we should add label bin_t for /usr/lib64/xfce4/notifyd/xfce4-notifyd Yes Fixed in selinux-policy-3.9.7-34.fc14 and also in F15 policy. selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14 selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14 selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. |
SELinux is preventing xfce4-notifyd from 'open' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed open access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:fonts_cache_t:s0 Target Objects /var/cache/fontconfig /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [ file ] Source xfce4-notifyd Source Path xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.9.7-29.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sa 12 Feb 2011 17:58:11 CET Last Seen Sa 12 Feb 2011 17:58:11 CET Local ID c9aac662-c4d7-49f5-a00d-df75af139443 Raw Audit Messages type=AVC msg=audit(1297529891.571:437): avc: denied { open } for pid=14029 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=49911 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,open audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file open; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file open;