Bug 695563

Summary: SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the filesystem /.
Product: Fedora
Reporter: Michael Wiktowy <michael.wiktowy>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: adrin.jalali, borut.semenic, dwalsh, dwilliams344, mgrepl, reinouts, rhughes, richard, sanjay.ankur, thompson.g.error
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:78645a0f39b0c9363be2f97e66d6bd9a1bd09a63fba30cc6bc202bf35cefb6a7
Fixed In Version: selinux-policy-3.9.16-18.fc15
Doc Type: Bug Fix
Last Closed: 2011-05-02 03:38:44 UTC

Description Michael Wiktowy 2011-04-12 01:21:06 UTC
SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                / [ filesystem ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.1-3.fc15
Target RPM Packages           filesystem-2.4.40-1.fc15
Policy RPM                    selinux-policy-3.9.16-13.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64
                              #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 11 Apr 2011 09:19:44 PM EDT
Last Seen                     Mon 11 Apr 2011 09:19:44 PM EDT
Local ID                      9286b880-0fa6-4a6f-a196-17e0551cd336

Raw Audit Messages
type=AVC msg=audit(1302571184.659:57): avc:  denied  { getattr } for  pid=1921 comm="colord" name="/" dev=sdc1 ino=1 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1302571184.659:57): arch=x86_64 syscall=statfs success=yes exit=0 a0=1f6fd70 a1=7fff808b3440 a2=0 a3=1 items=0 ppid=1 pid=1921 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,dosfs_t,filesystem,getattr

audit2allow

#============= colord_t ==============
allow colord_t dosfs_t:filesystem getattr;

audit2allow -R

#============= colord_t ==============
allow colord_t dosfs_t:filesystem getattr;

Comment 1 Michael Wiktowy 2011-04-12 01:23:02 UTC
This selinux access error popped up when I was setting up a network multifunction printer using hp-setup.

Comment 2 Daniel Walsh 2011-04-13 18:38:21 UTC
Were you installing from a USB stick?  What file system was running in DOS mode?

Comment 3 Michael Wiktowy 2011-04-13 23:16:22 UTC
I was running a LiveUSB version (don't remember the exact nightly build of the ISO right now) with a persistent overlay of 2GB to install updates into. While the USB stick is FAT, I think that the filesystem in the overlay file is just standard ext3.

Comment 4 Richard Hughes 2011-04-26 11:24:23 UTC
Daniel, colord tries to search mounted external volumes for color profiles, for instance, if you dual boot colord with osx, we need to be able to use the OSX display icc file in Linux in order for the display to not look "too blue". A similar (but rarer) case is with Windows if you've ever calibrated your screen, or if the calibration tool doesn't have Linux drivers.

The basic logic is below:

#include <glib.h>

/* Both come from colord's profile store (declaration assumed here so the
 * excerpt compiles on its own): the store object and the search entry point. */
typedef struct _CdProfileStore CdProfileStore;
gboolean cd_profile_store_search_path (CdProfileStore *profile_store, const gchar *path);

/* Scan run once per mounted volume: "type" is the filesystem type reported
 * for the mount and "path_root" its mount point. Each g_build_filename()
 * result is freed after the search so the candidate paths do not leak. */
static void
scan_volume_for_profiles (CdProfileStore *profile_store,
			  const gchar *type,
			  const gchar *path_root)
{
	gchar *path;

	/* only scan hfs volumes for OSX */
	if (g_strcmp0 (type, "hfs") == 0) {
		path = g_build_filename (path_root,
					 "Library",
					 "ColorSync",
					 "Profiles",
					 "Displays",
					 NULL);
		cd_profile_store_search_path (profile_store, path);
		g_free (path);
	}

	/* and fat32 and ntfs for windows */
	if (g_strcmp0 (type, "ntfs") == 0 || g_strcmp0 (type, "msdos") == 0) {

		/* Windows XP */
		path = g_build_filename (path_root,
					 "Windows",
					 "system32",
					 "spool",
					 "drivers",
					 "color",
					 NULL);
		cd_profile_store_search_path (profile_store, path);
		g_free (path);

		/* Windows 2000 */
		path = g_build_filename (path_root,
					 "Winnt",
					 "system32",
					 "spool",
					 "drivers",
					 "color",
					 NULL);
		cd_profile_store_search_path (profile_store, path);
		g_free (path);

		/* Windows 98 and ME */
		path = g_build_filename (path_root,
					 "Windows",
					 "System",
					 "Color",
					 NULL);
		cd_profile_store_search_path (profile_store, path);
		g_free (path);
	}
}

Comment 5 Daniel Walsh 2011-04-26 15:05:13 UTC
OK, I am adding policy to allow it to search all file systems and read files on filesystems that do not support extended attributes.

Comment 6 Daniel Walsh 2011-04-26 15:05:29 UTC
fs_search_all(colord_t)
fs_read_noxattr_fs_files(colord_t)

Comment 7 Daniel Walsh 2011-04-26 15:06:20 UTC
Fixed in selinux-policy-3.9.16-18.fc15

Comment 8 Fedora Update System 2011-04-27 15:20:58 UTC
selinux-policy-3.9.16-18.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-18.fc15

Comment 9 Miroslav Grepl 2011-04-28 17:57:41 UTC
*** Bug 700584 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2011-04-28 19:06:10 UTC
Package selinux-policy-3.9.16-18.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-18.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-18.fc15
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-05-02 03:37:50 UTC
selinux-policy-3.9.16-18.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Yaniv Kaul 2011-06-22 08:29:55 UTC
(In reply to comment #11)
> selinux-policy-3.9.16-18.fc15 has been pushed to the Fedora 15 stable
> repository.  If problems still persist, please make note of it in this bug
> report.

I got it today, with selinux-policy-3.9.16-26.fc15.noarch.
I indeed have a dualboot host. It happened after a yum update, I wonder if it's related. These are the packages that got updated:

Jun 22 11:22:49 Updated: 1:libreoffice-ure-3.3.3.1-1.fc15.x86_64
Jun 22 11:22:54 Updated: gtk2-2.24.4-2.fc15.x86_64
Jun 22 11:22:54 Updated: audit-libs-2.1.2-1.fc15.x86_64
Jun 22 11:22:55 Updated: libuuid-2.19.1-1.2.fc15.x86_64
Jun 22 11:22:56 Updated: libblkid-2.19.1-1.2.fc15.x86_64
Jun 22 11:22:57 Updated: system-config-printer-libs-1.3.3-1.fc15.x86_64
Jun 22 11:22:59 Updated: systemd-units-26-4.fc15.x86_64
Jun 22 11:23:04 Updated: systemd-26-4.fc15.x86_64
Jun 22 11:23:05 Updated: libmount-2.19.1-1.2.fc15.x86_64
Jun 22 11:23:07 Updated: 1:libreoffice-opensymbol-fonts-3.3.3.1-1.fc15.noarch
Jun 22 11:23:09 Updated: 1:autocorr-en-3.3.3.1-1.fc15.noarch
Jun 22 11:23:28 Updated: 1:libreoffice-core-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:31 Updated: 1:libreoffice-presenter-screen-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:32 Updated: 1:libreoffice-impress-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:33 Updated: file-libs-5.07-4.fc15.x86_64
Jun 22 11:23:35 Updated: libpurple-2.8.0-1.fc15.x86_64
Jun 22 11:23:36 Updated: pygobject2-2.28.6-1.fc15.x86_64
Jun 22 11:23:38 Updated: system-config-printer-1.3.3-1.fc15.x86_64
Jun 22 11:23:49 Updated: pidgin-2.8.0-1.fc15.x86_64
Jun 22 11:23:50 Updated: file-5.07-4.fc15.x86_64
Jun 22 11:23:51 Updated: 1:libreoffice-presentation-minimizer-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:52 Updated: 1:libreoffice-writer-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:55 Updated: 1:libreoffice-calc-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:55 Updated: 1:libreoffice-langpack-en-3.3.3.1-1.fc15.x86_64
Jun 22 11:23:57 Updated: util-linux-2.19.1-1.2.fc15.x86_64
Jun 22 11:23:57 Updated: systemd-sysv-26-4.fc15.x86_64
Jun 22 11:23:59 Updated: ppp-2.4.5-17.fc15.x86_64
Jun 22 11:24:00 Updated: system-config-printer-udev-1.3.3-1.fc15.x86_64
Jun 22 11:24:01 Updated: grubby-7.0.16-4.fc15.x86_64
Jun 22 11:24:02 Updated: audit-2.1.2-1.fc15.x86_64
Jun 22 11:24:03 Updated: audit-libs-python-2.1.2-1.fc15.x86_64
Jun 22 11:24:07 Updated: webkitgtk-1.4.1-1.fc15.x86_64
Jun 22 11:24:07 Updated: gtk2-immodule-xim-2.24.4-2.fc15.x86_64
Jun 22 11:24:11 Updated: gtk2-devel-2.24.4-2.fc15.x86_64
Jun 22 11:24:13 Updated: m17n-contrib-1.1.12-5.fc15.1.noarch
Jun 22 11:24:13 Updated: lcms2-2.2-1.fc15.x86_64
Jun 22 11:24:16 Updated: xkeyboard-config-2.3-2.fc15.noarch
Jun 22 11:24:19 Updated: util-linux-debuginfo-2.19.1-1.2.fc15.x86_64
Jun 22 11:24:20 Updated: fcoe-utils-1.0.18-2.fc15.x86_64
Jun 22 11:24:21 Updated: fedora-logos-15.0.1-1.fc15.noarch
Jun 22 11:24:22 Updated: libass-0.9.12-1.fc15.x86_64
Jun 22 11:24:22 Updated: clutter-gst-1.3.12-1.fc15.x86_64
Jun 22 11:24:23 Updated: libuuid-2.19.1-1.2.fc15.i686

Comment 13 Reinout van Schouwen 2011-06-22 08:46:49 UTC
I confirm comment #12, I also got this message after running yum update.

Comment 14 Daniel Walsh 2011-06-22 18:25:14 UTC
Please attach the actual AVC you are seeing.

ausearch -m avc -ts recent

Comment 15 Reinout van Schouwen 2011-06-23 10:54:52 UTC
ausearch reports "<no matches>".

Comment 16 Daniel Walsh 2011-06-23 13:31:28 UTC
ausearch -m avc

Then

Comment 17 Borut Semenic 2011-11-18 14:20:37 UTC
Installation was made with USB


SELinux is preventing /usr/libexec/colord from getattr access on the filesystem /media.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed getattr access on the media filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /media [ filesystem ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          seme.si
Source RPM Packages           colord-0.1.14-1.fc16
Target RPM Packages           filesystem-2.4.44-1.fc16
Policy RPM                    selinux-policy-3.10.0-55.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     seme.si
Platform                      Linux seme.si 3.1.1-1.fc16.x86_64 #1 SMP Fri Nov
                              11 21:47:56 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    pet 18 nov 2011 10:39:38 CET
Last Seen                     pet 18 nov 2011 10:39:38 CET
Local ID                      03b6a6cd-399c-4c13-abdb-dc30069dc423

Raw Audit Messages
type=AVC msg=audit(1321609178.366:115): avc:  denied  { getattr } for  pid=1877 comm="colord" name="/" dev=tmpfs ino=10576 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1321609178.366:115): arch=x86_64 syscall=statfs success=no exit=EACCES a0=7fff8732e016 a1=7fff8732e210 a2=e2c0 a3=0 items=0 ppid=1 pid=1877 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,tmpfs_t,filesystem,getattr

audit2allow

#============= colord_t ==============
allow colord_t tmpfs_t:filesystem getattr;

audit2allow -R

#============= colord_t ==============
allow colord_t tmpfs_t:filesystem getattr;
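
The description and comment 17 each quote a raw AVC record and the rule audit2allow derives from it. The Python below is an added example, not part of this bug report or of the audit2allow tool: it reproduces that derivation over the two records quoted on this page, merging denials per (source type, target type, object class) and writing the .te skeleton that `audit2allow -M` produces. The sample input is constructed from the page's own audit lines; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw AVC records quoted in this bug (dosfs_t and tmpfs_t targets).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1302571184.659:57): avc:  denied  { getattr } for  pid=1921 comm="colord" '
    'name="/" dev=sdc1 ino=1 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(1321609178.366:115): avc:  denied  { getattr } for  pid=1877 comm="colord" '
    'name="/" dev=tmpfs ino=10576 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem',
]
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(ctx):
    """user:role:type[:mls range] -> the type, i.e. the third colon-separated field."""
    return ctx.split(':')[2]

def merge_denials(lines):
    """Collect denied permissions keyed by (source type, target type, object class)."""
    merged = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None or m.group('verdict') != 'denied':
            continue  # SYSCALL records, granted AVCs and unrelated lines carry no rule
        key = (context_type(m.group('scontext')), context_type(m.group('tcontext')), m.group('tclass'))
        merged[key] |= set(m.group('perms').split())
    return dict(merged)

def fmt_perms(perms):
    p = ' '.join(sorted(perms))
    return p if len(perms) == 1 else '{ ' + p + ' }'

def allow_rules(lines):
    """The rule lines audit2allow prints: one allow per (source, target, class)."""
    return [f'allow {s} {t}:{c} {fmt_perms(p)};' for (s, t, c), p in sorted(merge_denials(lines).items())]

def policy_module(name, lines):
    """The .te skeleton audit2allow -M writes: module header, require block, allow rules."""
    merged = merge_denials(lines)
    types = sorted({x for s, t, _ in merged for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    body = [f'module {name} 1.0;', '', 'require {']
    body += [f'\ttype {t};' for t in types]
    body += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    body += ['}', ''] + allow_rules(lines)
    return '\n'.join(body) + '\n'
```

The generated module is the local workaround the setroubleshoot text describes; the shipped fix in comment 6 used the reference-policy interfaces fs_search_all and fs_read_noxattr_fs_files instead of a raw allow rule per target type.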

Comment 18 Miroslav Grepl 2011-11-21 09:35:01 UTC
Fixed in selinux-policy-3.10.0-58.fc16

Comment 19 Borut Semenic 2011-11-25 08:53:19 UTC
selinux-policy-3.10.0-60.fc16 fixes it for me

thank you