Bug 753212

Summary: gnome-shell crashes because dbus can't read icc files on glusterfs home dir
Product: [Fedora] Fedora
Reporter: Michael J. Chudobiak <mjc>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.10.0-61.fc16
Doc Type: Bug Fix
Last Closed: 2011-11-30 02:00:51 UTC
Attachments (description; flags):
* audit log; none
* log of denied stuff, from logging in this morning; none
* denial log, with selinux-policy-targeted-3.10.0-60.fc16.noarch; none

Description Michael J. Chudobiak 2011-11-11 15:56:19 UTC
selinux-policy-3.10.0-55.fc16.noarch
use_fusefs_home_dirs --> on

My home folders are fuse-mounted (glusterfs).

When logging on, gnome-shell crashes because of this:

type=AVC msg=audit(1321026450.589:20): avc:  denied  { read } for  pid=1015 comm="dbus-daemon" path="/fileserver/home/mjc/.local/share/icc/edid-d560eef024ea9e585314edae583d0826.icc" dev=fuse ino=24380124 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

audit2allow recommends this:
allow system_dbusd_t fusefs_t:file read;


If I "setenforce 0", I can log in. A full "audit2allow -a" then gives:

#============= mount_t ==============
allow mount_t colord_t:file { read getattr open };
allow mount_t setroubleshootd_t:file { read getattr open };
allow mount_t system_dbusd_t:file { read getattr open };
allow mount_t unconfined_dbusd_t:file { read getattr open };
allow mount_t unconfined_java_t:file { read getattr open };
allow mount_t unconfined_t:file { read getattr open };

#============= system_dbusd_t ==============
allow system_dbusd_t fusefs_t:file read;

I'll attach the full audit log.

- Mike
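
An added example (not part of the original report, and not audit2allow's own code): a small Python parser for AVC records like the one quoted above, which keeps only denials against a chosen target type and merges them into allow-rule form, the per-type summary asked for fusefs later in this thread. The second and third sample records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the denial quoted in the report;
# the second and third records are made up for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1321026450.589:20): avc:  denied  { read } for  pid=1015 comm="dbus-daemon" path="/fileserver/home/mjc/.local/share/icc/edid-d560eef024ea9e585314edae583d0826.icc" dev=fuse ino=24380124 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1321026451.100:21): avc:  denied  { open getattr } for  pid=1015 comm="dbus-daemon" path="/fileserver/home/mjc/example.icc" dev=fuse ino=1 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1321026452.200:22): avc:  denied  { read } for  pid=2000 comm="example" name="x" dev=sda1 ino=2 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Permission set, then source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # Context is user:role:type[:level]; the level can contain ':' so index from the left.
    return context.split(":")[2]

def summarize(log_text, target_type=None):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if target_type and tgt != target_type:
            continue  # keep only denials against the type under investigation
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in rules.items()}

def as_allow_rules(rules):
    """Render the grouped denials in the allow-rule syntax shown in the report."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_LOG, target_type="fusefs_t")):
        print(rule)
```

On a live system the input would be the contents of /var/log/audit/audit.log rather than the embedded sample.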

Comment 1 Michael J. Chudobiak 2011-11-11 15:58:12 UTC
Created attachment 533101
audit log

Comment 2 Daniel Walsh 2011-11-11 16:05:11 UTC
Do you have use_fusefs_home_dirs turned on?

setsebool -P use_fusefs_home_dirs 1

Comment 3 Michael J. Chudobiak 2011-11-11 16:14:28 UTC
Yes.

[root@xena mjc]# getsebool use_fusefs_home_dirs
use_fusefs_home_dirs --> on

Comment 4 Daniel Walsh 2011-11-11 20:32:35 UTC
Can you run in permissive mode and gather all the AVCs about fusefs?

Comment 5 Michael J. Chudobiak 2011-11-14 13:14:04 UTC
Created attachment 533520
log of denied stuff, from logging in this morning

Here's a log of things that selinux denied when logging into gnome-shell this morning, showing the various glusterfs/fusefs issues.

Comment 6 Daniel Walsh 2011-11-18 18:46:33 UTC
Miroslav, I made changes to mount to handle this in Rawhide.  I think we should think about backporting the userdom_home_manager stuff from F17 and cleaning this all up for gluster.

Comment 7 Miroslav Grepl 2011-11-21 11:19:53 UTC
Fixed in selinux-policy-3.10.0-58.fc16.

Will backport userdom_home_manager stuff in the next release.

Comment 8 Fedora Update System 2011-11-24 13:22:40 UTC
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16

Comment 9 Fedora Update System 2011-11-25 02:17:56 UTC
Package selinux-policy-3.10.0-60.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16
then log in and leave karma (feedback).

Comment 10 Michael J. Chudobiak 2011-11-25 12:43:41 UTC
Created attachment 536243
denial log, with selinux-policy-targeted-3.10.0-60.fc16.noarch

I'm still having some issues, even with the updated policy. gnome-shell is still crashing on icc/dbus stuff.

Log attached.

selinux-policy-3.10.0-60.fc16.noarch
selinux-policy-targeted-3.10.0-60.fc16.noarch

Comment 11 Fedora Update System 2011-11-25 23:26:11 UTC
Package selinux-policy-3.10.0-61.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16
then log in and leave karma (feedback).

Comment 12 Miroslav Grepl 2011-11-28 09:31:30 UTC
I apologize, I added it only for session bus type.

Comment 13 Miroslav Grepl 2011-11-28 09:32:40 UTC
Fixed in selinux-policy-3.10.0-62.fc16

Comment 14 Michael J. Chudobiak 2011-11-28 14:19:36 UTC
I don't see 3.10.0-62 in koji...

Comment 15 Michael J. Chudobiak 2011-11-28 21:24:05 UTC
Never mind, it's there now.

Comment 16 Michael J. Chudobiak 2011-11-28 21:31:30 UTC
And my problems are fixed with 3.10.0-62. Thank you!

Comment 17 Fedora Update System 2011-11-30 02:00:51 UTC
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.