Bug 689143

Summary:	SELinux is preventing /usr/bin/metacity from 'getattr' accesses on the sock_file /tmp/at-spi2/socket-1413-1804289383.
Product:	[Fedora] Fedora	Reporter:	tuxor <acc-bugz-redhat>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	15	CC:	dwalsh, jmccann, mgrepl, rstrode, stephent98
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:d185f60713dcdf2cca69a639259b48efd75fe12ef80ba519fc8b939aca4ca102
Fixed In Version:	selinux-policy-3.9.16-15.fc15	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-04-15 21:32:05 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description tuxor 2011-03-19 20:40:14 UTC

SELinux is preventing /usr/bin/metacity from 'getattr' accesses on the sock_file /tmp/at-spi2/socket-1413-1804289383.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that metacity should be allowed getattr access on the socket-1413-1804289383 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep metacity /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp/at-spi2/socket-1413-1804289383 [ sock_file ]
Source                        metacity
Source Path                   /usr/bin/metacity
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           metacity-2.32.0-1.git20110228.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP
                              Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sa 19 Mär 2011 21:30:31 CET
Last Seen                     Sa 19 Mär 2011 21:30:31 CET
Local ID                      549980e7-03bc-4c70-a1ed-a8e49bdd13cd

Raw Audit Messages
type=AVC msg=audit(1300566631.696:45): avc:  denied  { getattr } for  pid=1413 comm="metacity" path="/tmp/at-spi2/socket-1413-1804289383" dev=dm-1 ino=402638 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1300566631.696:45): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c95db0 a1=7ffff3ed70f0 a2=7ffff3ed70f0 a3=7ffff3ed6e60 items=0 ppid=1327 pid=1413 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=metacity exe=/usr/bin/metacity subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: metacity,xdm_t,tmp_t,sock_file,getattr

audit2allow

#============= xdm_t ==============
allow xdm_t tmp_t:sock_file getattr;

audit2allow -R

#============= xdm_t ==============
allow xdm_t tmp_t:sock_file getattr;

Comment 1 Daniel Walsh 2011-03-21 22:07:58 UTC

Why would xdm be launching metacity and looking at
/tmp/at-spi2/socket-1413-1804289383

Comment 2 Steve Tyler 2011-04-12 16:43:24 UTC

Am getting this with:

gdm-3.0.0-1.fc15.x86_64
metacity-2.34.0-1.fc15.x86_64
selinux-policy-3.9.16-14.fc15.noarch
selinux-policy-targeted-3.9.16-14.fc15.noarch

Raw Audit Messages
type=AVC msg=audit(1302626053.386:39): avc:  denied  { getattr } for  pid=1361 comm="metacity" path="/tmp/at-spi2/socket-1361-1804289383" dev=sdb6 ino=406476 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1302626053.386:39): arch=x86_64 syscall=stat success=no exit=EACCES a0=16b2df0 a1=7fff8daf24f0 a2=7fff8daf24f0 a3=7fff8daf2260 items=0 ppid=1321 pid=1361 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=metacity exe=/usr/bin/metacity subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: metacity,xdm_t,tmp_t,sock_file,getattr

Comment 3 Steve Tyler 2011-04-12 17:11:32 UTC

There were some sockets labelled tmp_t in /tmp/at-spi2/.
restorecon -rnv /tmp/at-spi2/ did not complain.
Cleared this with "rm /tmp/at-spi2/*" and rebooting.

Seems similar to
Bug 692905 - SELinux is preventing /usr/bin/gnome-power-manager from 'getattr' accesses on the sock_file /tmp/at-spi2/socket-1385-1804289383.

Comment 4 Daniel Walsh 2011-04-12 17:29:02 UTC

I think this is left over garbage from the install.  And can be ignored.


I will add

files_dontaudit_getattr_all_tmp_sockets(xdm_t)


to get it to shut up.

Fixed in selinux-policy-3.9.16-15.fc15

Comment 5 Steve Tyler 2011-04-12 17:34:54 UTC

I have done "rm /tmp/at-spi2/*" twice on separate days without reinstalling.
Something seems to be regenerating them that way.

Comment 6 Daniel Walsh 2011-04-13 15:22:26 UTC

Strange since these files should be labeled xdm_tmp_t.

Are you using gdm for boot?

Comment 7 Daniel Walsh 2011-04-13 15:22:38 UTC

I mean login?

Comment 8 Steve Tyler 2011-04-13 17:02:50 UTC

Yes, I am using gdm in a default configuration:
gdm-3.0.0-1.fc15.x86_64

Comment 9 Daniel Walsh 2011-04-13 18:13:48 UTC

If you look in this directory after login, are all of the sockets labeled xdm_tmp_t?

ls -lZ /tmp/at-spi2/

Comment 10 Steve Tyler 2011-04-13 19:00:14 UTC

(In reply to comment #9)
> If you look in this directory after login, are all of the sockets labeled
> xdm_tmp_t?
> 
> ls -lZ /tmp/at-spi2/

I did a clean F15 install and update using the Live CD (F15-Beta-RC2) on my laptop. After rebooting and configuring, I logged out and logged in. There are no sealerts. All sockets in /tmp/at-spi2/ are labelled xdm_tmp_t. ATM, on the desktop system where I had been seeing the sealerts all sockets in /tmp/at-spi2/ are likewise labelled xdm_tmp_t after logging out and logging in.

This is on my newly installed laptop:
[joeblow@spruce ~]$ ls -lZ  | grep ':tmp_t'
[joeblow@spruce ~]$ ls -lZ /tmp/at-spi2/ | head -3
srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0   socket-10367-1165612340
srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0   socket-10374-511702305
srwxrwxrwx. gdm gdm system_u:object_r:xdm_tmp_t:s0   socket-10402-1804289383
[joeblow@spruce ~]$ 
[joeblow@spruce ~]$ rpm -qa 'selinux*' gdm | sort
gdm-3.0.0-1.fc15.i686
selinux-policy-3.9.16-14.fc15.noarch
selinux-policy-targeted-3.9.16-14.fc15.noarch

Comment 11 Steve Tyler 2011-04-13 19:24:58 UTC

Just booted the F15-Beta-RC2 Live CD on my laptop.
/tmp/at-spi2/ does not exist.

After logging out and logging in /tmp/at-spi2/ exists, and there are 8 socket files in /tmp/at-spi2/, all labeled:
system_u:object_r:xdm_tmp_t:s0

Comment 12 Fedora Update System 2011-04-13 19:47:14 UTC

selinux-policy-3.9.16-15.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15

Comment 13 Fedora Update System 2011-04-14 00:33:50 UTC

Package selinux-policy-3.9.16-15.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-15.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-15.fc15
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-04-15 21:30:36 UTC

selinux-policy-3.9.16-15.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.