| Summary: | SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from using the 'dac_override' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | matthias.rambausek |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | djidanetribal62, dominick.grift, dwalsh, hit_man2, mgrepl, ncoghlan, rdieter |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:50d5957b14823eea44b1984eea5e31c890352c84527952cf6fde671545a51150 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-23 09:55:32 UTC | Type: | --- |
Did you read the Plugin?

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing

    # auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute

    # ausearch -m avc -ts recent

If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.

Sorry, I am not an expert in interpreting selinux reports (I was glad that bug reporting worked and forgot to finish investigations --> next time I will do my "homework")
This is the output of the described procedure:
time->Mon May 23 10:47:54 2011
type=PATH msg=audit(1306140474.733:182): item=0 name="/.kde" inode=2 dev=08:07 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0
type=CWD msg=audit(1306140474.733:182): cwd="/"
type=SYSCALL msg=audit(1306140474.733:182): arch=c000003e syscall=83 success=no exit=-13 a0=107e8e8 a1=1c0 a2=ffffffffffffff60 a3=0 items=1 ppid=1 pid=13343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kcmdatetimehelp" exe="/usr/libexec/kde4/kcmdatetimehelper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1306140474.733:182): avc: denied { write } for pid=13343 comm="kcmdatetimehelp" name="/" dev=sda7 ino=2 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
There is no folder /.kde on my system; folder ~/.kde has permissions drwx------.
My system originally was a Fedora 15 beta (Gnome3) install. After a while I switched to KDE (installed @kde, used "switchdesk kde"). Is this known to cause trouble?
I will try relabelling on next reboot, but as I used Fedora 14 on the same hard-disk(s) before without any trouble, I doubt relabelling would fix the problem.
Here is what I think is going on:

/usr/libexec/kde4/kcmdatetimehelper running as root wants to create /.kde, however / has these bits set dr-xr-xr-x

So root is not allowed to write a directory entry to / in traditional Linux security terms. Hence the dac_override.

From my perspective kcmdatetimehelper should not be trying to create .kde in /. If kcmdatetimehelper running as root must create .kde, then why not do it in /root instead of / ?

This is a KDE bug.

*** This bug has been marked as a duplicate of bug 689925 ***

*** Bug 874959 has been marked as a duplicate of this bug. ***
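The DAC reasoning in the comment above, applied to the PATH and SYSCALL records quoted earlier in this report (the PATH record's inode=2 and mode=040555 describe `/`, matching ino=2 in the AVC). This is an added example, not part of the original bug thread or of setroubleshoot; the function names are hypothetical, and group membership is approximated by fsgid because supplementary groups are not in the SYSCALL record.

```python
import re

# Sample input: PATH and SYSCALL records of event 1306140474.733:182,
# copied from the ausearch output quoted in this report.
RECORDS = """\
type=PATH msg=audit(1306140474.733:182): item=0 name="/.kde" inode=2 dev=08:07 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0
type=SYSCALL msg=audit(1306140474.733:182): arch=c000003e syscall=83 success=no exit=-13 a0=107e8e8 a1=1c0 a2=ffffffffffffff60 a3=0 items=1 ppid=1 pid=13343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kcmdatetimehelp" exe="/usr/libexec/kde4/kcmdatetimehelper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Return {record type: {field: value}} for the records of one audit event."""
    event = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "type" in fields:
            event[fields["type"]] = fields
    return event

def dac_class_bits(mode, ouid, ogid, fsuid, fsgid):
    """Pick the rwx triple DAC applies: owner, else group, else other.
    Assumption: only fsgid is compared, since supplementary groups
    are not present in the SYSCALL record."""
    if fsuid == ouid:
        return (mode >> 6) & 7
    if fsgid == ogid:
        return (mode >> 3) & 7
    return mode & 7

def needs_dac_override(event, want=0o3):
    """True when the mode bits alone refuse `want` (default write+search,
    what creating a directory entry requires), so the operation can only
    succeed through CAP_DAC_OVERRIDE, which SELinux then checks."""
    p, s = event["PATH"], event["SYSCALL"]
    bits = dac_class_bits(int(p["mode"], 8), int(p["ouid"]), int(p["ogid"]),
                          int(s["fsuid"]), int(s["fsgid"]))
    return (bits & want) != want

if __name__ == "__main__":
    ev = parse_records(RECORDS)
    print("mode", ev["PATH"]["mode"], "needs CAP_DAC_OVERRIDE:", needs_dac_override(ev))
```

A `True` result points at the file's ownership or mode (or at the program's choice of path) rather than at missing policy, which is the distinction the dac_override plugin text asks the reporter to make.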
SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from using the 'dac_override' capabilities.

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing

    # auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute

    # ausearch -m avc -ts recent

If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that kcmdatetimehelper should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

    # grep kcmdatetimehelp /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

| Field | Value |
|---|---|
| Source Context | system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 |
| Target Context | system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 |
| Target Objects | Unknown [ capability ] |
| Source | kcmdatetimehelp |
| Source Path | /usr/libexec/kde4/kcmdatetimehelper |
| Port | <Unknown> |
| Host | (removed) |
| Source RPM Packages | kdebase-workspace-4.6.3-5.fc15 |
| Target RPM Packages | |
| Policy RPM | selinux-policy-3.9.16-23.fc15 |
| Selinux Enabled | True |
| Policy Type | targeted |
| Enforcing Mode | Enforcing |
| Host Name | (removed) |
| Platform | Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64 |
| Alert Count | 1 |
| First Seen | Sat 21 May 2011 11:37:05 CEST |
| Last Seen | Sat 21 May 2011 11:37:05 CEST |
| Local ID | 3be4ff94-5ef9-41b0-a3e3-4fba50f31666 |

Raw Audit Messages

    type=AVC msg=audit(1305970625.927:85): avc: denied { dac_override } for pid=8695 comm="kcmdatetimehelp" capability=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability

    type=SYSCALL msg=audit(1305970625.927:85): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=12b8e08 a1=1c0 a2=ffffffffffffff60 a3=0 items=0 ppid=1 pid=8695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kcmdatetimehelp exe=/usr/libexec/kde4/kcmdatetimehelper subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: kcmdatetimehelp,gnomeclock_t,gnomeclock_t,capability,dac_override

audit2allow

    #============= gnomeclock_t ==============
    allow gnomeclock_t self:capability dac_override;

audit2allow -R

    #============= gnomeclock_t ==============
    allow gnomeclock_t self:capability dac_override;