Bug 684606
Summary: | SELinux is preventing xfce4-notifyd from 'open' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christoph Wickert <christoph.wickert> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 14 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:6476a9e6c1cf4b5252f42c456603e786ccedb99ad68b50a0519c213cccef6a65 | ||
Fixed In Version: | selinux-policy-3.9.7-37.fc14 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-03-22 18:52:58 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 678917 |
Description
Christoph Wickert
2011-03-13 19:37:54 UTC
There is a few more errors from the new xfce4-notifyd: SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed getattr access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:fonts_cache_t:s0 Target Objects /var/cache/fontconfig /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:51 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID d7b7c1d8-f62b-4b25-91b9-0b25e3df6c57 Raw Audit Messages type=AVC msg=audit(1299059606.413:8979): avc: denied { getattr } for pid=4467 comm="xfce4-notifyd" path="/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file type=SYSCALL msg=audit(1299059606.413:8979): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8d00 a2=7fffd98c8d00 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,getattr audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file getattr; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file getattr; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:fonts_cache_t:s0 Target Objects /var/cache/fontconfig /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:51 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID 3d61b6f7-b1dc-48c2-8ba8-8f1be3580735 Raw Audit Messages type=AVC msg=audit(1299059606.413:8978): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file type=AVC msg=audit(1299059606.413:8978): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file { read open }; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file { read open }; SELinux is preventing xfce4-notifyd from 'open' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed open access on the DejaVuSans.ttf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:fonts_t:s0 Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ] Source xfce4-notifyd Source Path xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages dejavu-sans-fonts-2.32-1.fc14 Policy RPM selinux-policy-3.9.7-29.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sa 12 Feb 2011 17:58:11 CET Last Seen Sa 12 Feb 2011 17:58:11 CET Local ID 2e52f00a-ccac-42ce-af7c-3a2facc6f753 Raw Audit Messages type=AVC msg=audit(1297529891.576:444): avc: denied { open } for pid=14029 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,open audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file open; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file open; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed read access on the DejaVuSans.ttf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:fonts_t:s0 Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages dejavu-sans-fonts-2.32-1.fc14 Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:51 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID a69c2275-b906-4324-8846-ae234c29e59b Raw Audit Messages type=AVC msg=audit(1299059606.416:8982): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file type=AVC msg=audit(1299059606.416:8982): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file type=SYSCALL msg=audit(1299059606.416:8982): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=151b9a0 a1=0 a2=0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,read audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file { read open }; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file { read open }; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed getattr access on the DejaVuSans.ttf file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:fonts_t:s0 Target Objects /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages dejavu-sans-fonts-2.32-1.fc14 Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:51 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID 7f46ef73-91b7-443f-b2f9-462f6386b7ff Raw Audit Messages type=AVC msg=audit(1299059606.416:8983): avc: denied { getattr } for pid=4467 comm="xfce4-notifyd" path="/usr/share/fonts/dejavu/DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file type=SYSCALL msg=audit(1299059606.416:8983): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8df0 a2=7fffd98c8df0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,getattr audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file getattr; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_t:file getattr; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'execute_no_trans' accesses on the file /usr/lib64/xfce4/notifyd/xfce4-notifyd. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed execute_no_trans access on the xfce4-notifyd file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:lib_t:s0 Target Objects /usr/lib64/xfce4/notifyd/xfce4-notifyd [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages xfce4-notifyd-0.2.1-1.fc14 Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:50 CET Last Seen Mi 02 Mär 2011 10:53:25 CET Local ID 04cc81e6-a711-48b1-bc9d-4914fbc11d8b Raw Audit Messages type=AVC msg=audit(1299059605.936:8975): avc: denied { execute_no_trans } for pid=4467 comm="dbus-daemon" path="/usr/lib64/xfce4/notifyd/xfce4-notifyd" dev=dm-0 ino=269085 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1299059605.936:8975): arch=x86_64 syscall=execve success=yes exit=0 a0=7f517ff94680 a1=7f517ff9c3f0 a2=7f517ff94710 a3=7fff3bad38a0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,lib_t,file,execute_no_trans audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t lib_t:file execute_no_trans; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t lib_t:file execute_no_trans; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-aYIsZh6srU. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed connectto access on the dbus-aYIsZh6srU unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Objects @/tmp/dbus-aYIsZh6srU [ unix_stream_socket ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:50 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID afd9d9b1-b5d5-47b5-a15e-49b30a24f635 Raw Audit Messages type=AVC msg=audit(1299059606.78:8976): avc: denied { connectto } for pid=4467 comm="xfce4-notifyd" path=002F746D702F646275732D615949735A6836737255 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1299059606.78:8976): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffd98cbae0 a2=17 a3=0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,xdm_dbusd_t,unix_stream_socket,connectto audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t self:unix_stream_socket connectto; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t self:unix_stream_socket connectto; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed connectto access on the X0 unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context system_u:system_r:xserver_t:s0-s0:c0.c1023 Target Objects @/tmp/.X11-unix/X0 [ unix_stream_socket ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:50 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID cb654d66-e138-4331-9252-c942562bd1ca Raw Audit Messages type=AVC msg=audit(1299059606.85:8977): avc: denied { connectto } for pid=4467 comm="xfce4-notifyd" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1299059606.85:8977): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fffd98cba90 a2=14 a3=7fffd98cba93 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,xserver_t,unix_stream_socket,connectto audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t xserver_t:unix_stream_socket connectto; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t xserver_t:unix_stream_socket connectto; SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:fonts_cache_t:s0 Target Objects /var/cache/fontconfig /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [ file ] Source xfce4-notifyd Source Path /usr/lib64/xfce4/notifyd/xfce4-notifyd Port <Unbekannt> Host (removed) Source RPM Packages xfce4-notifyd-0.2.1-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-31.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux denkermatic.localdomain 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64 Alert Count 5 First Seen Sa 12 Feb 2011 08:57:51 CET Last Seen Mi 02 Mär 2011 10:53:26 CET Local ID 3d61b6f7-b1dc-48c2-8ba8-8f1be3580735 Raw Audit Messages type=AVC msg=audit(1299059606.413:8978): avc: denied { read } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file type=AVC msg=audit(1299059606.413:8978): avc: denied { open } for pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read audit2allow #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file { read open }; audit2allow -R #============= xdm_dbusd_t ============== allow xdm_dbusd_t fonts_cache_t:file { read open }; AFAICS we need - open, getattr and read for /var/cache/fontconfig/* - open, getattr and read for /usr/share/fonts/*/*.ttf - connect_to for @/tmp/dbus-* and @/tmp/.X11-unix/X0. Or is there an easier way? I wonder why xfce4-notifyd is executed with xdm_dbusd_t context. I forgot to mention that the problem only seems to appear when waking up from standby. We have in policy dbus_role_template(xdm, system_r, xdm_t) to use dbus to start other processes as xdm_t. #============= xdm_dbusd_t ============== allow xdm_dbusd_t lib_t:file execute_no_trans; Looks like we should add label bin_t for /usr/lib64/xfce4/notifyd/xfce4-notifyd Yes Fixed in selinux-policy-3.9.7-34.fc14 and also in F15 policy. selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14 selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14 selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. |