Bug 710779

Summary: SELinux is preventing /usr/libexec/colord from 'read' accesses on the katalog /.
Product: [Fedora] Fedora Reporter: Tom <thompson.g.error>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:686c46d928c5b8cb0df421e41bdbf1d106b6de90ed3f503bec533f9694a98b02
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-10 08:47:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Tom 2011-06-04 17:50:07 UTC 
SELinux is preventing /usr/libexec/colord from 'read' accesses on the katalog /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If aby colord powinno mieć domyślnie read dostęp do  directory.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep colord /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                / [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.i686 #1 SMP Sun May
                              15 17:57:13 UTC 2011 i686 i686
Alert Count                   1
First Seen                    śro, 1 cze 2011, 19:56:46
Last Seen                     śro, 1 cze 2011, 19:56:46
Local ID                      c48b6041-0ea1-47b1-99cb-88c46a3cc39e

Raw Audit Messages
type=AVC msg=audit(1306951006.900:114): avc:  denied  { read } for  pid=7898 comm="colord" name="/" dev=sdd1 ino=1 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1306951006.900:114): arch=i386 syscall=access success=yes exit=0 a0=978f160 a1=5 a2=44e9b328 a3=978f148 items=0 ppid=1 pid=7898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,dosfs_t,dir,read

audit2allow

#============= colord_t ==============
allow colord_t dosfs_t:dir read;

audit2allow -R

#============= colord_t ==============
allow colord_t dosfs_t:dir read;
Comment 1 Dominick Grift 2011-06-04 17:56:45 UTC 
this should be fixed in selinux-policy-3.9.16-26.fc15 or selinux-policy-3.9.16-27.fc15
Comment 2 Miroslav Grepl 2011-06-05 07:44:49 UTC 
Fixed in selinux-policy-3.9.16-27.fc15