Bug 744616

Summary: SELinux is preventing /usr/libexec/colord from 'read' accesses on the directory /.
Product: Fedora
Reporter: jiker
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:0f79397946db75a4e4c60a3ea1eb82eaa4134f19c8a9209ceab3577d0f869150
Doc Type: Bug Fix
Last Closed: 2011-10-11 20:09:22 UTC

Description jiker 2011-10-09 17:10:48 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc6.git0.3.fc16.i686
reason:         SELinux is preventing /usr/libexec/colord from 'read' accesses on the directory /.
time:           Sun Oct  9 19:10:36 2011

description:
:SELinux is preventing /usr/libexec/colord from 'read' accesses on the directory /.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that colord should be allowed read access on the directory by default,
:then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do allow this access for now by executing:
:# grep colord /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:home_root_t:s0
:Target Objects                / [ dir ]
:Source                        colord
:Source Path                   /usr/libexec/colord
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           colord-0.1.13-1.fc16
:Target RPM Packages           filesystem-2.4.44-1.fc16
:Policy RPM                    selinux-policy-3.10.0-32.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-0.rc6.git0.3.fc16.i686 #1
:                              SMP Fri Sep 16 12:22:19 UTC 2011 i686 i686
:Alert Count                   1
:First Seen                    Sun 09 Oct 2011 04:59:07 CEST
:Last Seen                     Sun 09 Oct 2011 04:59:07 CEST
:Local ID                      d483afcf-db6c-4805-9b51-04ca69e0914f
:
:Raw Audit Messages
:type=AVC msg=audit(1318129147.838:671): avc:  denied  { read } for  pid=1115 comm="colord" name="/" dev=sdb8 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1318129147.838:671): arch=i386 syscall=access success=no exit=EACCES a0=9d411e0 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
:
:Hash: colord,colord_t,home_root_t,dir,read
:
:audit2allow
:
:#============= colord_t ==============
:allow colord_t home_root_t:dir read;
:
:audit2allow -R
:
:#============= colord_t ==============
:allow colord_t home_root_t:dir read;
:

Comment 1 Miroslav Grepl 2011-10-10 13:43:56 UTC
Could you try to turn on full auditing

# auditctl -w /etc/shadow -p w

and try to recreate AVC. Then execute

# ausearch -m avc -ts recent

Comment 2 jiker 2011-10-10 16:39:56 UTC
(In reply to comment #1)
> Could you try to turn on full auditing
> 
> # auditctl -w /etc/shadow -p w
> 
> and try to recreate AVC. Then execute
> 
> # ausearch -m avc -ts recent

First, I'm sorry if I send a lot of unnecessary bugs; it's just because I don't understand anything about SELinux etc. ... And I speak poor English.

I successfully ran your command:

   auditctl -w /etc/shadow -p w

I don't know how to "recreate AVC". I'm still searching about AVC.

Despite that, I ran:

   ausearch -m avc -ts recent
----
time->Mon Oct 10 19:22:51 2011
type=SYSCALL msg=audit(1318267371.712:70): arch=40000003 syscall=33 success=no exit=-13 a0=9d1f4bc a1=1 a2=4cbd2ff4 a3=8 items=0 ppid=830 pid=907 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm="gnome-shell" exe="/usr/bin/gnome-shell" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318267371.712:70): avc:  denied  { execute } for  pid=907 comm="gnome-shell" name="vlc" dev=sda2 ino=158182 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mplayer_exec_t:s0 tclass=file


My computer is an Asus eeePC 1000H, 1 GB/160 GB, Intel Atom N270 1.6 GHz, 32-bit.

In any case, don't worry, I'm just trying Fedora 16 Beta.

Best regards

Comment 3 Miroslav Grepl 2011-10-11 11:37:05 UTC
Did you add a new disk and use restorecon on it?

Also could you add me output of

# id -Z

Comment 4 Miroslav Grepl 2011-10-11 11:38:13 UTC
*** Bug 744617 has been marked as a duplicate of this bug. ***

Comment 5 jiker 2011-10-11 14:18:11 UTC
I haven't added anything since I installed F16 Beta with:

   ~$ ls /home/sda6|grep -i fedora
   Fedora-16-Beta-i686-Live-Desktop.iso

on my /dev/sda2 as /
      /dev/sda7 as /home

I have a 500 GB USB external HD connected to my eeePC, seen by Linux as /dev/sdb (1->10), which was in the same place when I did the installation.

About restorecon:

   ~# cat .bash_history|grep restorecon
   restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'
   restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'
   restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'
   /sbin/restorecon -v /home/seb-fed/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol
   ~# 

Your last request:

   ~$ id -Z
   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   ~$

More information whenever you want.

Best regards :-)

Comment 6 Daniel Walsh 2011-10-11 15:33:03 UTC
colord might be listing the users' homedirs in /home?

Comment 7 jiker 2011-10-11 18:05:26 UTC
(In reply to comment #6)
> colord might be listing the users homdirs in /home?

I don't know how to handle your request. I understand that colord is a daemon, but I don't know how to use it to list the users' home directories. I tried man colord and apropos colord, but there is no output.

If you want me to use a specific command, just show me the command (I began with Linux on Red Hat 6.0, but I'm not LPIC-[[:digit:]]\+ or other).

I tried this (maybe useful for you?):

find /var/log -type f -exec grep 'colord' '{}' \; -print

Oct  9 01:16:49 SunPC yum[1744]: Updated: colord-0.1.13-1.fc16.i686
Oct  9 04:59:07 SunPC dbus-daemon[535]: (colord:1115): Cd-WARNING **: CdProfileStore: failed to get filesystem type: Error getting filesystem info: Permission denied
Oct  9 04:59:07 SunPC dbus-daemon[535]: (colord:1115): Cd-WARNING **: CdProfileStore: failed to get filesystem type: Error getting filesystem info: Permission denied
Oct  9 04:59:23 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the directory /. For complete SELinux messages. run sealert -l dd324838-5662-4bb2-899f-057a277187e3
Oct  9 04:59:24 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from read access on the directory /. For complete SELinux messages. run sealert -l d483afcf-db6c-4805-9b51-04ca69e0914f
Oct  9 04:59:24 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the directory /. For complete SELinux messages. run sealert -l dd324838-5662-4bb2-899f-057a277187e3
Oct  9 04:59:24 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from getattr access on the filesystem /media/_Fedora-15-i686-. For complete SELinux messages. run sealert -l 8bd22212-c52e-4c4b-976f-98e7b0d1c81c
Oct  9 04:59:25 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from 'read, search' accesses on the directory /. For complete SELinux messages. run sealert -l dd324838-5662-4bb2-899f-057a277187e3
Oct  9 21:13:16 SunPC dbus-daemon[538]: (colord:1135): Cd-WARNING **: CdProfileStore: failed to get filesystem type: Error getting filesystem info: Permission denied
Oct  9 21:13:16 SunPC dbus-daemon[538]: (colord:1135): Cd-WARNING **: CdProfileStore: failed to get filesystem type: Error getting filesystem info: Permission denied
Oct  9 21:13:16 SunPC dbus-daemon[538]: (colord:1135): Cd-WARNING **: CdProfileStore: failed to get filesystem type: Error getting filesystem info: Permission denied
Oct  9 21:13:27 SunPC setroubleshoot: SELinux is preventing /usr/libexec/colord from getattr access on the filesystem /home/sda6. For complete SELinux messages. run sealert -l 8bd22212-c52e-4c4b-976f-98e7b0d1c81c
/var/log/messages
Oct 09 01:16:49 Updated: colord-0.1.13-1.fc16.i686
/var/log/yum.log
type=AVC msg=audit(1318129147.836:669): avc:  denied  { read search } for  pid=1115 comm="colord" name="/" dev=sdb10 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1318129147.836:669): arch=40000003 syscall=33 success=no exit=-13 a0=9d411a8 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318129147.837:670): avc:  denied  { read search } for  pid=1115 comm="colord" name="/" dev=sdb5 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1318129147.837:670): arch=40000003 syscall=33 success=no exit=-13 a0=9d41248 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318129147.838:671): avc:  denied  { read } for  pid=1115 comm="colord" name="/" dev=sdb8 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1318129147.838:671): arch=40000003 syscall=33 success=no exit=-13 a0=9d411e0 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318129147.838:672): avc:  denied  { read search } for  pid=1115 comm="colord" name="/" dev=sdb7 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1318129147.838:672): arch=40000003 syscall=33 success=no exit=-13 a0=9d412b8 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318129147.839:673): avc:  denied  { getattr } for  pid=1115 comm="colord" name="/" dev=sdb3 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1318129147.839:673): arch=40000003 syscall=268 success=no exit=-13 a0=9d41c68 a1=54 a2=bfe1a42c a3=8061a5f items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318129147.840:674): avc:  denied  { read search } for  pid=1115 comm="colord" name="/" dev=sdb9 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1318129147.840:674): arch=40000003 syscall=33 success=no exit=-13 a0=9d41210 a1=5 a2=4cbd2ff4 a3=1 items=0 ppid=1 pid=1115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318187596.469:332): avc:  denied  { getattr } for  pid=1135 comm="colord" name="/" dev=sda6 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1318187596.469:332): arch=40000003 syscall=268 success=no exit=-13 a0=9df59f8 a1=54 a2=bfac1a3c a3=8061a5f items=0 ppid=1 pid=1135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318187596.470:333): avc:  denied  { getattr } for  pid=1135 comm="colord" name="/" dev=sdb5 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1318187596.470:333): arch=40000003 syscall=268 success=no exit=-13 a0=9e16d80 a1=54 a2=bfac1a3c a3=8061a5f items=0 ppid=1 pid=1135 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=USER_CMD msg=audit(1318353368.628:88): user pid=1779 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/seb-fed" cmd="colord" terminal=pts/0 res=failed'
/var/log/audit/audit.log
/usr/lib/libcolord.so.1.0.5                                  4cda2000-4cdc246c
/var/log/prelink/prelink.log


Best regards
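
Added example (not part of this bug report, nor of setroubleshoot, audit2allow or any other Fedora tool): a small triage script that parses AVC denial lines like the ones posted in the description and in comment 7, prints the allow rule audit2allow would generate for each one, and flags targets typed file_t (the type SELinux gives to objects that carry no label at all) as a relabelling problem rather than a policy gap. The sample lines are copied from the audit.log excerpt above; the verdict names ("relabel", "review") and the function names are this example's own.

```python
"""Triage SELinux AVC denials: labelling problem or genuine policy gap?

Added example for this bug; not code from the bug report or from any
Fedora/SELinux tool. The sample lines are copied from the audit.log
excerpt posted in comment 7.
"""
import re

# Copied from comment 7 (constructed test corpus for this example).
SAMPLE_AVCS = """\
type=AVC msg=audit(1318129147.836:669): avc:  denied  { read search } for  pid=1115 comm="colord" name="/" dev=sdb10 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1318129147.838:671): avc:  denied  { read } for  pid=1115 comm="colord" name="/" dev=sdb8 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1318129147.839:673): avc:  denied  { getattr } for  pid=1115 comm="colord" name="/" dev=sdb3 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object has no real label". The fix for these
# is relabelling (restorecon/fixfiles, or a context= mount option), never an
# allow rule: allowing access to file_t grants access to every unlabelled
# object on the system, which is far wider than the denial suggests.
UNLABELLED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": tuple(m.group(1).split()),
        # a context is user:role:type:level; the type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "dev": fields.get("dev", ""),
        # ino=2 is the root inode on ext2/3/4, so name="/" ino=2 on a device
        # other than the root filesystem is the top directory of a mounted volume
        "fs_root": fields.get("name") == "/" and fields.get("ino") == "2",
    }


def audit2allow_rule(avc):
    """The allow rule audit2allow would emit for this denial, i.e. what you'd grant."""
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], perms)


def triage(avc):
    """'relabel' for unlabelled targets, 'review' for everything else."""
    if avc["ttype"] in UNLABELLED_TYPES:
        return "relabel"
    return "review"


def triage_log(text):
    """Return [(verdict, rule)] for every AVC line in the given log text."""
    rows = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            rows.append((triage(avc), audit2allow_rule(avc)))
    return rows


if __name__ == "__main__":
    for verdict, rule in triage_log(SAMPLE_AVCS):
        print("%-8s %s" % (verdict, rule))
```

Run against the first denial in the description, the script prints the same `allow colord_t home_root_t:dir read;` that the catchall plugin's audit2allow output shows, which looks harmless; for the sdb5/7/9/10 denials it prints `allow colord_t file_t:dir { read search };`, which would let the daemon into every unlabelled object on the machine. All of the denials here are on name="/" ino=2 of other block devices, i.e. the top directories of mounted volumes, and the thread's actual fix (comment 8) was to relabel with restorecon rather than to load a local module.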

Comment 8 Daniel Walsh 2011-10-11 18:48:10 UTC
Can you run

restorecon -R -v /home

To cleanup labels on your homedir?

Comment 9 jiker 2011-10-11 19:14:30 UTC
(In reply to comment #8)
> Can you run
> 
> restorecon -R -v /home
> 
> To cleanup labels on your homedir?

I have run your command:

   # restorecon -R -v /home

The command output was huge and took a few minutes, but no errors were reported:

   # echo $?
   0

Everything seems to be OK, no SELinux alert, nothing strange ... thanks for the software update!

I'm looking at the restorecon man page to understand things just a little bit more.

Best regards

Comment 10 Daniel Walsh 2011-10-11 20:09:22 UTC
Ok I will close, reopen if it happens again.