Bug 795506

Summary: avc: denied { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.17 spid=573 tpid=561 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/usr/bin/dbus-daem
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Docs Contact:
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.10.0-91.fc17
Doc Type: Bug Fix
Last Closed: 2012-02-28 10:35:15 UTC
Type: ---

Description Orion Poplawski 2012-02-20 18:19:00 UTC
Description of problem:

I'm seeing this on startup.  Not sure it affects anything.

avc:  denied  { send_msg } for msgtype=error error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.17 spid=573 tpid=561 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?

Seems to be related to the fprintd package

Feb 19 10:56:14 vmf17 dbus-daemon[427]: dbus[427]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Feb 19 10:56:14 vmf17 dbus[427]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Feb 19 10:56:14 vmf17 dbus-daemon[427]: Launching FprintObject
Feb 19 10:56:14 vmf17 dbus-daemon[427]: dbus[427]: [system] Successfully activated service 'net.reactivated.Fprint'
Feb 19 10:56:14 vmf17 dbus[427]: [system] Successfully activated service 'net.reactivated.Fprint'
Feb 19 10:56:14 vmf17 dbus-daemon[427]: ** Message: D-Bus service launched with name: net.reactivated.Fprint

# ps -feZ | grep initrc_t
system_u:system_r:initrc_t:s0   root       376     1  0 Feb19 ?        00:00:00 /usr/sbin/inputwatch
system_u:system_r:initrc_t:s0   root       456     1  0 Feb19 ?        00:00:00 kdm -nodaemon
system_u:system_r:initrc_t:s0   root       561   456  0 Feb19 ?        00:00:00 -:0          
system_u:system_r:initrc_t:s0   root       564   561  0 Feb19 ?        00:01:29 /usr/libexec/kde4/kdm_greet

# cat /usr/share/dbus-1/system-services/net.reactivated.Fprint.service
[D-BUS Service]
Name=net.reactivated.Fprint
Exec=/usr/libexec/fprintd
User=root

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-89.fc17.noarch
fprintd-0.4.1-2.fc17.x86_64

Comment 1 Orion Poplawski 2012-02-20 18:19:34 UTC
# ps -feZ | grep dbus
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus 427 1  0 Feb19 ?  00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation

Comment 2 Daniel Walsh 2012-02-20 19:55:14 UTC
ps -eZ | grep initrc_t

Comment 3 Orion Poplawski 2012-02-20 20:28:56 UTC
(In reply to comment #2)
> ps -eZ | grep initrc_t

Is in the initial report

Comment 4 Miroslav Grepl 2012-02-21 08:44:52 UTC
The problem is kdm_greet is running as initrc_t instead of xdm_t.

$ chcon -t xdm_exec_t /usr/bin/kdm

I am fixing labels.

commit c6fbdb494cf7dc1d0907cf7a8c02af57d8350440
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 21 10:43:53 2012 +0000

    Fix mysql interface naming
    Fix label for kdm
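
The triage behind comment 4, as an added example that is not part of the bug report or of the Fedora policy tooling: it takes tpid and tcontext from the AVC, finds that process in the `ps -feZ` listing, and walks up to the topmost ancestor still in the same domain, whose executable label is the one to check with matchpathcon. The sample input is copied from the records quoted in this report; the function names are illustrative.

```python
import re

# Sample input: the AVC and `ps -feZ | grep initrc_t` rows quoted in this report.
AVC = ('avc:  denied  { send_msg } for msgtype=error '
       'error_name=net.reactivated.Fprint.Error.NoSuchDevice dest=:1.17 '
       'spid=573 tpid=561 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:initrc_t:s0 tclass=dbus')
PS_FEZ = """\
system_u:system_r:initrc_t:s0   root       376     1  0 Feb19 ?        00:00:00 /usr/sbin/inputwatch
system_u:system_r:initrc_t:s0   root       456     1  0 Feb19 ?        00:00:00 kdm -nodaemon
system_u:system_r:initrc_t:s0   root       561   456  0 Feb19 ?        00:00:00 -:0
system_u:system_r:initrc_t:s0   root       564   561  0 Feb19 ?        00:01:29 /usr/libexec/kde4/kdm_greet
"""

def parse_avc(line):
    """Return the denied permissions and the key=value fields of one AVC."""
    perms = re.search(r'\{([^}]*)\}', line).group(1).split()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return perms, fields

def setype(context):
    """The type is the third field of user:role:type:level."""
    return context.split(':')[2]

def parse_ps(text):
    """Map pid -> (ppid, type, command) from `ps -feZ` output."""
    procs = {}
    for row in text.splitlines():
        # Columns: LABEL UID PID PPID C STIME TTY TIME CMD
        col = row.split(None, 8)
        if len(col) == 9 and col[2].isdigit():
            procs[int(col[2])] = (int(col[3]), setype(col[0]), col[8])
    return procs

def domain_root(pid, procs):
    """Walk up parents while they share pid's type; return the topmost
    process in that domain. Its executable's file label is the one to check."""
    domain = procs[pid][1]
    while True:
        ppid = procs[pid][0]
        if ppid not in procs or procs[ppid][1] != domain:
            return pid, procs[pid][2]
        pid = ppid

def triage(avc, ps_text):
    perms, fields = parse_avc(avc)
    root = domain_root(int(fields['tpid']), parse_ps(ps_text))
    return perms, setype(fields['tcontext']), root
```

On this input `triage(AVC, PS_FEZ)` resolves tpid 561 to its parent `kdm -nodaemon` (pid 456), the process started in initrc_t.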

Comment 5 Orion Poplawski 2012-02-21 16:06:03 UTC
I did the chcon and rebooted.  Now I see lots of:

type=AVC msg=audit(1329840242.668:57): avc:  denied  { sys_ptrace } for  pid=595 comm="pidof" capability=19  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability

but the dbus avc is gone.

Comment 6 Fedora Update System 2012-02-21 20:25:03 UTC
selinux-policy-3.10.0-91.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-91.fc17

Comment 7 Fedora Update System 2012-02-22 03:53:31 UTC
Package selinux-policy-3.10.0-91.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-91.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2180/selinux-policy-3.10.0-91.fc17
then log in and leave karma (feedback).

Comment 8 Orion Poplawski 2012-02-24 03:29:58 UTC
I'm still seeing kdm mislabeled with -91, is that fix in there?

Comment 9 Daniel Walsh 2012-02-24 19:14:08 UTC
I see

matchpathcon /usr/bin/kdm
/usr/bin/kdm	system_u:object_r:xdm_exec_t:s0

selinux-policy-3.10.0-92.fc17.noarch

Comment 10 Orion Poplawski 2012-02-24 20:51:41 UTC
Me too with -91.  Perhaps this is because the installer image has an earlier selinux-policy and so the context isn't correct at install time?

Also, what about the sys_ptrace message?  I still see them with -93.

Comment 11 Miroslav Grepl 2012-02-27 09:43:46 UTC
Yes, this issue has been fixed in the latest policy.
Which one?

There will be some fixes in -94 policy

Comment 12 Fedora Update System 2012-02-28 10:35:15 UTC
selinux-policy-3.10.0-91.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.