Bug 836983

Summary: SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' access on the file /usr/local/libexec/msd-datetime-mechanism
Product: [Fedora] Fedora Reporter: Dan Mashal <dan.mashal>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Dan Mashal <dan.mashal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-07 07:02:58 EDT Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Dan Mashal 2012-07-02 08:15:34 EDT
I am receiving this error in Fedora 17:


SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file /usr/local/libexec/msd-datetime-mechanism.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/local/libexec/msd-datetime-mechanism [ file ]
Source                        dbus-daemon-lau
Source Path                   /usr/lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-1.4.10-4.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux Fedora17 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun
                              18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Sat 30 Jun 2012 05:04:18 PM PDT
Last Seen                     Sat 30 Jun 2012 05:39:42 PM PDT
Local ID                      c44ec7d4-dd86-49f1-9d32-d86c9f2ec29a

Raw Audit Messages
type=AVC msg=audit(1341103182.271:86): avc:  denied  { execute } for  pid=2115 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=2885176 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1341103182.271:86): arch=x86_64 syscall=execve success=no exit=EACCES a0=19717b0 a1=1970660 a2=1970010 a3=2d656d6974657461 items=0 ppid=2114 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Miroslav Grepl 2012-07-03 03:53:31 EDT
From which repo does it come?
Comment 2 Dan Mashal 2012-07-03 03:54:31 EDT
stable.
Comment 3 Miroslav Grepl 2012-07-03 04:28:06 EDT
Could you try to execute

# chcon -t gnomeclock_exec_t /usr/libexec/msd-datetime-mechanism

and re-test it?
Comment 4 Dan Mashal 2012-07-03 04:29:04 EDT
Will do, give me some time.
Comment 5 Miroslav Grepl 2012-07-03 04:36:54 EDT
Sure. Thank you.
Comment 6 Dan Mashal 2012-07-11 08:30:12 EDT
Miroslav,

That didn't seem to help..

Hopefully this screenshot helps you:

http://i.imgur.com/VPaf8.png
Comment 7 Miroslav Grepl 2012-07-11 08:41:16 EDT
What does "details" button show you?

and what does

# ls -Z /usr/libexec/msd-datetime-mechanism
Comment 8 Dan Mashal 2012-07-11 08:42:37 EDT
SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so.



*****  Plugin restorecon (94.8 confidence) suggests  *************************



If you want to fix the label. 

/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so default label should be textrel_shlib_t.

Then you can run restorecon.

Do

# /sbin/restorecon -v /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so



*****  Plugin catchall_labels (5.21 confidence) suggests  ********************



If you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file

Then you need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so

Do

# semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'

where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t. 

Then execute: 

restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'





*****  Plugin catchall (1.44 confidence) suggests  ***************************



If you believe that gnome-session-check-accelerated-helper should be allowed execute access on the VBoxOGL.so file by default.

Then you should report this as a bug.

You can generate a local policy module to allow this access.

Do

allow this access for now by executing:

# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol

# semodule -i mypol.pp



Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023

Target Context                unconfined_u:object_r:usr_t:s0

Target Objects                /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so [

                              file ]

Source                        gnome-session-c

Source Path                   /usr/libexec/gnome-session-check-accelerated-

                              helper

Port                          <Unknown>

Host                          f172

Source RPM Packages           gnome-shell-3.4.1-5.fc17.x86_64

Target RPM Packages           

Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch

Selinux Enabled               True

Policy Type                   targeted

Enforcing Mode                Enforcing

Host Name                     f172

Platform                      Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5

                              20:20:59 UTC 2012 x86_64 x86_64

Alert Count                   36

First Seen                    Tue 10 Jul 2012 10:52:47 PM PDT

Last Seen                     Wed 11 Jul 2012 05:28:26 AM PDT

Local ID                      4c293ebd-5167-419e-a9cc-58695f1c59cb



Raw Audit Messages

type=AVC msg=audit(1342009706.413:96): avc:  denied  { execute } for  pid=1820 comm="gnome-shell" path="/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so" dev="sda3" ino=2228271 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file





type=SYSCALL msg=audit(1342009706.413:96): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=219bc8 a2=5 a3=802 items=0 ppid=1774 pid=1820 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=3 comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash: gnome-session-c,xdm_t,usr_t,file,execute



audit2allowunable to open /sys/fs/selinux/policy:  Permission denied





audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied




--------------

SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file msd-datetime-mechanism.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                msd-datetime-mechanism [ file ]
Source                        dbus-daemon-lau
Source Path                   /usr/lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          f172
Source RPM Packages           dbus-1.4.10-4.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f172
Platform                      Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5
                              20:20:59 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 11 Jul 2012 05:19:31 AM PDT
Last Seen                     Wed 11 Jul 2012 05:28:32 AM PDT
Local ID                      345b5fc1-7083-4a6a-a8f6-3ea0225518b6

Raw Audit Messages
type=AVC msg=audit(1342009712.797:104): avc:  denied  { execute } for  pid=2197 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=394635 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1342009712.797:104): arch=x86_64 syscall=execve success=no exit=EACCES a0=1a4b800 a1=1a4b6a0 a2=1a4a010 a3=2d656d6974657461 items=0 ppid=2196 pid=2197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 9 Dan Mashal 2012-07-11 09:04:00 EDT
dan@f172 ~]$ ls -Z /usr/libexec/msd-datetime-mechanism 
-rwxr-xr-x. root root system_u:object_r:gnomeclock_exec_t:s0 /usr/libexec/msd-datetime-mechanism
[dan@f172 ~]$
Comment 10 Dan Mashal 2012-07-11 21:35:51 EDT
Some more errors I'm receiving.

BTW I should note that I'm running MATE desktop if that helps at all.

SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so.

Plugin: catchall_labels 
you want to allow gnome-session-check-accelerated-helper to have execute access
on the VBoxOGL.so fileIf you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file
You need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so
# semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t. 
Then execute: 
restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
Comment 11 Miroslav Grepl 2012-07-12 14:31:52 EDT
restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'

should help you. 

But this is strange you have msd-d-mechanism running as system_dbusd_t if we add gnomeclock_exec_t.

I will need to install MATE desktop.
Comment 12 Dan Mashal 2012-07-12 14:38:48 EDT
MATE has a lot of hooks in to dbus. I am building the packages for it right now but you can install 1.4 easily on any F17 system, just takes time. Might be faster for me to just build it for you. ;)
Comment 13 Dan Mashal 2012-10-07 07:02:58 EDT
Figured most of the kinks out. Will reopen this bug if I need to. Thanks!