Bug 741086
| Summary: | SELinux is preventing /usr/libexec/colord from using the 'execmem' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lari Tanase <larieu> |
| Component: | colord | Assignee: | Richard Hughes <hughsient> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dct996, dominick.grift, dwalsh, hughsient, jduttontwo, luism.villegasv, mgrepl, rhughes |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:203325be9150f898eb3d28e88edc500853089c4428361d4807fab9882c0442c1 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-04-24 10:29:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
colord should not required this access. http://www.akkadia.org/drepper/selinux-mem.html If you change /etc/colord.conf to say UseSANE=false and reboot, does the execmem go away? *** Bug 728731 has been marked as a duplicate of this bug. *** This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19 |
SELinux is preventing /usr/libexec/colord from using the 'execmem' accesses on a process. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that colord should be allowed execmem access on processes labeled colord_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep colord /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:colord_t:s0-s0:c0.c1023 Target Context system_u:system_r:colord_t:s0-s0:c0.c1023 Target Objects Unknown [ process ] Source colord Source Path /usr/libexec/colord Port <Unknown> Host (removed) Source RPM Packages colord-0.1.7-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-38.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Sun 25 Sep 2011 09:34:31 AM CEST Last Seen Sun 25 Sep 2011 09:34:31 AM CEST Local ID 0c0ceaed-0dea-487d-8608-e6f34be1b32c Raw Audit Messages type=AVC msg=audit(1316936071.361:103): avc: denied { execmem } for pid=1297 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1316936071.361:103): arch=x86_64 syscall=mmap success=yes exit=140508849758208 a0=0 a1=801000 a2=7 a3=20022 items=0 ppid=1 pid=1297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null) Hash: colord,colord_t,colord_t,process,execmem audit2allow #============= colord_t ============== allow colord_t self:process execmem; audit2allow -R #============= colord_t ============== allow colord_t self:process execmem;