| Summary: | SELinux is preventing /usr/libexec/colord from 'search' accesses on the directory /. | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | colord | Assignee: | Richard Hughes <richard> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 15 | CC: | awilliam, dwalsh, mgrepl, rhughes, richard |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:08c94bec6cc8c38a388f86972487e4ea1e4b773bb22e3f213621a69addd3054e | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-15 12:21:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Tried to add a printer with hp-setup.

Does colord need to be able to read any file in the user's homedir? This seems to keep re-occurring.

Allowing it to search these directories, although still not sure what it is doing. Fixed in selinux-policy-3.9.16-17.fc15

(In reply to comment #2)
> Does colord need to be able to read any file in the user's homedir?

Yes. It reads the ICC profiles from ~/.local/share/icc/ -- if this is unpalatable, I can get the session client to send the data (rather than the filename) over DBus, although this might be a performance issue if the user has lots of profiles (I have 8Mb of profiles in my .local...)

No that is fine, it is just we need to know.

Fixed in selinux-policy-3.9.16-18.fc15
SELinux is preventing /usr/libexec/colord from 'search' accesses on the directory /.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that colord should be allowed search access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

```
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Additional Information:

| Source Context | system_u:system_r:colord_t:s0-s0:c0.c1023 |
|---|---|
| Target Context | system_u:object_r:home_root_t:s0 |
| Target Objects | / [ dir ] |
| Source | colord |
| Source Path | /usr/libexec/colord |
| Port | <Unknown> |
| Host | (removed) |
| Source RPM Packages | colord-0.1.1-3.fc15 |
| Target RPM Packages | filesystem-2.4.40-1.fc15 |
| Policy RPM | selinux-policy-3.9.16-13.fc15 |
| Selinux Enabled | True |
| Policy Type | targeted |
| Enforcing Mode | Enforcing |
| Host Name | (removed) |
| Platform | Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64 |
| Alert Count | 1 |
| First Seen | Tue 12 Apr 2011 08:28:50 AM PDT |
| Last Seen | Tue 12 Apr 2011 08:28:50 AM PDT |
| Local ID | bf0fde4f-18bd-4de8-8d93-505691d14ebc |

Raw Audit Messages

```
type=AVC msg=audit(1302622130.864:62): avc: denied { search } for pid=2610 comm="colord" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

type=AVC msg=audit(1302622130.864:62): avc: denied { search } for pid=2610 comm="colord" name="(removed)w" dev=dm-1 ino=12 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

type=AVC msg=audit(1302622130.864:62): avc: denied { getattr } for pid=2610 comm="colord" name="/" dev=0:29 ino=56701 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem

type=SYSCALL msg=audit(1302622130.864:62): arch=x86_64 syscall=statfs success=yes exit=0 a0=d9fed0 a1=7fff683a5260 a2=0 a3=7fff683a4f40 items=0 ppid=1 pid=2610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
```

Hash: colord,colord_t,home_root_t,dir,search

audit2allow

```
#============= colord_t ==============
allow colord_t home_root_t:dir search;
allow colord_t nfs_t:filesystem getattr;
allow colord_t user_home_dir_t:dir search;
```

audit2allow -R

```
#============= colord_t ==============
allow colord_t home_root_t:dir search;
allow colord_t nfs_t:filesystem getattr;
allow colord_t user_home_dir_t:dir search;
```
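The raw AVC records above are what audit2allow turned into the three allow rules. The following added example (not part of this bug report, nor of colord or setroubleshoot) parses such records the same way, reproduces those allow lines, and flags the ones that would grant a system daemon access to user home directory types, which is exactly the question the maintainers asked before accepting the rules. The embedded audit lines are copied from this report as a constructed sample; the SENSITIVE_TYPES list is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials from this bug report (names redacted as on the page).
AUDIT_LOG = """\
type=AVC msg=audit(1302622130.864:62): avc: denied { search } for pid=2610 comm="colord" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1302622130.864:62): avc: denied { search } for pid=2610 comm="colord" name="(removed)w" dev=dm-1 ino=12 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1302622130.864:62): avc: denied { getattr } for pid=2610 comm="colord" name="/" dev=0:29 ino=56701 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1302622130.864:62): arch=x86_64 syscall=statfs success=yes exit=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Assumption: target types that hold user data and deserve a human look before being allowed.
SENSITIVE_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}

def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Collect every AVC denial as {(source type, target type, class): {permissions}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (e.g. the SYSCALL line) are skipped
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render the rules the way audit2allow prints them: one allow line per type pair and class."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        perms_str = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perms_str};")
    return out

def review_findings(rules):
    """Rules that would let the daemon into user home data; review these before loading a module."""
    return [f"{s} -> {t}:{c}" for (s, t, c) in rules if t in SENSITIVE_TYPES]

if __name__ == "__main__":
    denials = parse_denials(AUDIT_LOG)
    print("\n".join(to_allow_rules(denials)))
    for finding in review_findings(denials):
        print("REVIEW:", finding)
```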