Bug 836983
| Summary: | SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' access on the file /usr/local/libexec/msd-datetime-mechanism | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dan Mashal <dan.mashal> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Dan Mashal <dan.mashal> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-10-07 11:02:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From which repo does it come? stable. Could you try to execute # chcon -t gnomeclock_exec_t /usr/libexec/msd-datetime-mechanism and re-test it? Will do, give me some time. Sure. Thank you. Miroslav, That didn't seem to help.. Hopefully this screenshot helps you: http://i.imgur.com/VPaf8.png What does "details" button show you? and what does # ls -Z /usr/libexec/msd-datetime-mechanism SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so.
***** Plugin restorecon (94.8 confidence) suggests *************************
If you want to fix the label.
/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so default label should be textrel_shlib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so
***** Plugin catchall_labels (5.21 confidence) suggests ********************
If you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file
Then you need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so
Do
# semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t.
Then execute:
restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
***** Plugin catchall (1.44 confidence) suggests ***************************
If you believe that gnome-session-check-accelerated-helper should be allowed execute access on the VBoxOGL.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:usr_t:s0
Target Objects /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so [
file ]
Source gnome-session-c
Source Path /usr/libexec/gnome-session-check-accelerated-
helper
Port <Unknown>
Host f172
Source RPM Packages gnome-shell-3.4.1-5.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name f172
Platform Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5
20:20:59 UTC 2012 x86_64 x86_64
Alert Count 36
First Seen Tue 10 Jul 2012 10:52:47 PM PDT
Last Seen Wed 11 Jul 2012 05:28:26 AM PDT
Local ID 4c293ebd-5167-419e-a9cc-58695f1c59cb
Raw Audit Messages
type=AVC msg=audit(1342009706.413:96): avc: denied { execute } for pid=1820 comm="gnome-shell" path="/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so" dev="sda3" ino=2228271 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1342009706.413:96): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=219bc8 a2=5 a3=802 items=0 ppid=1774 pid=1820 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=3 comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Hash: gnome-session-c,xdm_t,usr_t,file,execute
audit2allowunable to open /sys/fs/selinux/policy: Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
--------------
SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file msd-datetime-mechanism.
***** Plugin leaks (86.2 confidence) suggests ******************************
If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests ***************************
If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects msd-datetime-mechanism [ file ]
Source dbus-daemon-lau
Source Path /usr/lib64/dbus-1/dbus-daemon-launch-helper
Port <Unknown>
Host f172
Source RPM Packages dbus-1.4.10-4.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name f172
Platform Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5
20:20:59 UTC 2012 x86_64 x86_64
Alert Count 3
First Seen Wed 11 Jul 2012 05:19:31 AM PDT
Last Seen Wed 11 Jul 2012 05:28:32 AM PDT
Local ID 345b5fc1-7083-4a6a-a8f6-3ea0225518b6
Raw Audit Messages
type=AVC msg=audit(1342009712.797:104): avc: denied { execute } for pid=2197 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=394635 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1342009712.797:104): arch=x86_64 syscall=execve success=no exit=EACCES a0=1a4b800 a1=1a4b6a0 a2=1a4a010 a3=2d656d6974657461 items=0 ppid=2196 pid=2197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute
audit2allowunable to open /sys/fs/selinux/policy: Permission denied
audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
dan@f172 ~]$ ls -Z /usr/libexec/msd-datetime-mechanism -rwxr-xr-x. root root system_u:object_r:gnomeclock_exec_t:s0 /usr/libexec/msd-datetime-mechanism [dan@f172 ~]$ Some more errors I'm receiving. BTW I should note that I'm running MATE desktop if that helps at all. SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so. Plugin: catchall_labels you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so fileIf you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file You need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so # semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so' where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t. Then execute: restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so' restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so' should help you. But this is strange you have msd-d-mechanism running as system_dbusd_t if we add gnomeclock_exec_t. I will need to install MATE desktop. MATE has a lot of hooks in to dbus. I am building the packages for it right now but you can install 1.4 easily on any F17 system, just takes time. Might be faster for me to just build it for you. ;) Figured most of the kinks out. Will reopen this bug if I need to. Thanks! |
I am receiving this error in Fedora 17: SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file /usr/local/libexec/msd-datetime-mechanism. ***** Plugin leaks (86.2 confidence) suggests ****************************** If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (14.7 confidence) suggests *************************** If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 Target Context system_u:object_r:usr_t:s0 Target Objects /usr/local/libexec/msd-datetime-mechanism [ file ] Source dbus-daemon-lau Source Path /usr/lib64/dbus-1/dbus-daemon-launch-helper Port <Unknown> Host (removed) Source RPM Packages dbus-1.4.10-4.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-132.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux Fedora17 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64 Alert Count 3 First Seen Sat 30 Jun 2012 05:04:18 PM PDT Last Seen Sat 30 Jun 2012 05:39:42 PM PDT Local ID c44ec7d4-dd86-49f1-9d32-d86c9f2ec29a Raw Audit Messages type=AVC msg=audit(1341103182.271:86): avc: denied { execute } for pid=2115 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=2885176 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1341103182.271:86): arch=x86_64 syscall=execve success=no exit=EACCES a0=19717b0 a1=1970660 a2=1970010 a3=2d656d6974657461 items=0 ppid=2114 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied