Bug 712575

Summary: Changing the date & time in KDE is impossible and produces AVC denial
Product: [Fedora] Fedora Reporter: Tony White <twhite>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, jreznik, kevin, ltinkl, mgrepl, rdieter, rnovacek, smparrish, than
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-07 14:27:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
AVC Denial
none
Second AVC Denial none

Description Tony White 2011-06-11 10:04:29 UTC 
Created attachment 504240 [details]
AVC Denial

Description of problem:
I cannot set the correct time using KDE's date & time system settings module

Version-Release number of selected component (if applicable):
Current Fedora 15

How reproducible:
Everytime

Steps to Reproduce:
1. systemsettings
2. time & date
3. change settings
4. apply
  
Actual results:
Crash & AVC denial

Expected results:
The time and date are changed. No crashes.

Additional info:
Please see attached
Comment 1 Tony White 2011-06-11 10:05:04 UTC 
Created attachment 504241 [details]
Second AVC Denial
Comment 2 Kevin Kofler 2011-06-11 15:27:21 UTC 
The first AVC is already reported (see e.g. bug #590883), but that should not prevent this from working.

It's the second AVC denial which is interesting and new. Why is dac_override needed? How can we figure out what exactly the KCM is trying to do which requires dac_override?
Comment 3 Kevin Kofler 2011-06-11 15:30:09 UTC 
(PS: Bug #590883 is "closed", but we know that this is still causing problems for the date&time KCM's context, the bug was only worked around for KDM.)
Comment 4 Dominick Grift 2011-06-11 16:58:26 UTC 
If you want to help identify if domain needs this access or you have a file
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and
generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.
Comment 5 Miroslav Grepl 2011-06-13 08:54:07 UTC 
I think this is still the same issue with /.config or /.kde directories.