Bug 827732
| Summary: | SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'getattr' accesses on the fifo_file /dev/initctl. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dario Castellarin <req1348> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:0e9aea2bee531e19a439a62066272bfaa74fe9cb165e77b78634bbf1e954cac0 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-12-20 15:19:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-3.10.0-129.fc17

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

I keep getting this problem in F17:
SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from getattr access on the fifo_file /dev/initctl.
***** Plugin catchall (100. confidence) suggests ***************************
If si crede che GoogleTalkPlugin dovrebbe avere possibilità di accesso getattr sui initctl fifo_file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep GoogleTalkPlugi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
0.c1023
Target Context system_u:object_r:initctl_t:s0
Target Objects /dev/initctl [ fifo_file ]
Source GoogleTalkPlugi
Source Path /opt/google/talkplugin/GoogleTalkPlugin
Port <Sconosciuto>
Host (removed)
Source RPM Packages google-talkplugin-3.7.1.0-1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-153.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux dario-laptop 3.5.6-1.fc17.x86_64 #1 SMP Sun
Oct 7 19:31:14 UTC 2012 x86_64 x86_64
Alert Count 2
First Seen 2012-10-09 22:24:59 CEST
Last Seen 2012-10-09 22:24:59 CEST
Local ID e368a9fa-7993-45b6-a586-87256112ab8d
Raw Audit Messages
type=AVC msg=audit(1349814299.886:127): avc: denied { getattr } for pid=4512 comm="GoogleTalkPlugi" path="/dev/initctl" dev="devtmpfs" ino=1950 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1349814299.886:127): arch=x86_64 syscall=stat success=yes exit=0 a0=2b97c28 a1=2b95ed0 a2=2b95ed0 a3=25 items=0 ppid=1 pid=4512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=8 comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
Hash: GoogleTalkPlugi,mozilla_plugin_t,initctl_t,fifo_file,getattr
audit2allow
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t initctl_t:fifo_file getattr;
audit2allow -R
#============= mozilla_plugin_t ==============
allow mozilla_plugin_t initctl_t:fifo_file getattr;
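
Added example, not part of the original report or of setroubleshoot: a small Python parser that reads the AVC record quoted above, derives the rule and the hash key the report prints, and checks the paired SYSCALL record to tell a logged-only (permissive) denial from an enforced one. The function names are made up for this illustration, and the SYSCALL line is shortened to the fields used.

```python
import re

# Records copied from the report above; the SYSCALL line is shortened to the fields used here.
AVC = ('type=AVC msg=audit(1349814299.886:127): avc: denied { getattr } for pid=4512 '
       'comm="GoogleTalkPlugi" path="/dev/initctl" dev="devtmpfs" ino=1950 '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file')
SYSCALL = ('type=SYSCALL msg=audit(1349814299.886:127): arch=x86_64 syscall=stat '
           'success=yes exit=0 comm=GoogleTalkPlugi')

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_BODY = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(text):
    """key=value pairs of an audit record, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    event, body = EVENT_ID.search(line), AVC_BODY.search(line)
    if not (event and body):
        return None
    f = parse_fields(body.group(2))
    return {
        'event': event.group(0),
        'perms': body.group(1).split(),
        'comm': f.get('comm'),
        # An SELinux context is user:role:type[:level]; policy rules use the type.
        'source': f['scontext'].split(':')[2],
        'target': f['tcontext'].split(':')[2],
        'tclass': f['tclass'],
    }

def allow_rule(avc):
    """The type-enforcement rule that would permit the denied access."""
    perms = avc['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {p};"

def report_hash(avc):
    """Key in the form of the report's 'Hash:' line (single-permission case, as on this page)."""
    return ','.join([avc['comm'], avc['source'], avc['target'], avc['tclass'], *avc['perms']])

def logged_only(avc, syscall_line):
    """True when the SYSCALL record of the same event succeeded despite the denial."""
    same = EVENT_ID.search(syscall_line).group(0) == avc['event']
    return same and parse_fields(syscall_line).get('success') == 'yes'
```

For the record above, the paired stat call succeeded, which matches the report's "Enforcing Mode Permissive": the access was logged, not blocked.
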

I apologize. It has been fixed in F18. Backport fixed also to F17.

selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17

Package selinux-policy-3.10.0-156.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17
then log in and leave karma (feedback).

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.7-3.fc17.x86_64
time: sab 02 giu 2012 19:27:27 CEST
description:
:SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'getattr' accesses on the fifo_file /dev/initctl.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If si crede che GoogleTalkPlugin dovrebbe avere possibilità di accesso getattr sui initctl fifo_file in modo predefinito.
:Then si dovrebbe riportare il problema come bug.
:E' possibile generare un modulo di politica locale per consentire questo accesso.
:Do
:consentire questo accesso per il momento eseguendo:
:# grep GoogleTalkPlugi /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
: 0.c1023
:Target Context system_u:object_r:initctl_t:s0
:Target Objects /dev/initctl [ fifo_file ]
:Source GoogleTalkPlugi
:Source Path /opt/google/talkplugin/GoogleTalkPlugin
:Port <Sconosciuto>
:Host (removed)
:Source RPM Packages google-talkplugin-2.9.10.0-1.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Permissive
:Host Name (removed)
:Platform Linux (removed) 3.3.7-3.fc17.x86_64 #1 SMP Thu
: May 31 21:19:46 UTC 2012 x86_64 x86_64
:Alert Count 1
:First Seen sab 02 giu 2012 19:26:52 CEST
:Last Seen sab 02 giu 2012 19:26:52 CEST
:Local ID dc5ee8b0-a273-44b3-8959-d0ac6415b37f
:
:Raw Audit Messages
:type=AVC msg=audit(1338658012.4:111): avc: denied { getattr } for pid=17589 comm="GoogleTalkPlugi" path="/dev/initctl" dev="devtmpfs" ino=1871 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initctl_t:s0 tclass=fifo_file
:
:
:type=SYSCALL msg=audit(1338658012.4:111): arch=x86_64 syscall=stat success=yes exit=0 a0=263d248 a1=26371f0 a2=26371f0 a3=25 items=0 ppid=1 pid=17589 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: GoogleTalkPlugi,mozilla_plugin_t,initctl_t,fifo_file,getattr
:
:audit2allowunable to open /sys/fs/selinux/policy: Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
:
: