Bug 836983
Summary: | SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' access on the file /usr/local/libexec/msd-datetime-mechanism |
---|---|
Product: | [Fedora] Fedora |
Component: | selinux-policy |
Version: | 17 |
Status: | CLOSED NOTABUG |
Severity: | unspecified |
Priority: | unspecified |
Hardware: | Unspecified |
OS: | Unspecified |
Reporter: | Dan Mashal <dan.mashal> |
Assignee: | Miroslav Grepl <mgrepl> |
QA Contact: | Dan Mashal <dan.mashal> |
CC: | dominick.grift, dwalsh, mgrepl |
Doc Type: | Bug Fix |
Type: | Bug |
Last Closed: | 2012-10-07 11:02:58 UTC |
Description
Dan Mashal
2012-07-02 12:15:34 UTC
From which repo does it come?

stable.

Could you try to execute

# chcon -t gnomeclock_exec_t /usr/libexec/msd-datetime-mechanism

and re-test it?

Will do, give me some time.

Sure. Thank you.

Miroslav, That didn't seem to help.. Hopefully this screenshot helps you: http://i.imgur.com/VPaf8.png

What does "details" button show you? and what does

# ls -Z /usr/libexec/msd-datetime-mechanism

SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so.

***** Plugin restorecon (94.8 confidence) suggests *************************

If you want to fix the label.
/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so default label should be textrel_shlib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so

***** Plugin catchall_labels (5.21 confidence) suggests ********************

If you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file
Then you need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so
Do
# semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t.
Then execute:
restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'

***** Plugin catchall (1.44 confidence) suggests ***************************

If you believe that gnome-session-check-accelerated-helper should be allowed execute access on the VBoxOGL.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-session-c /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:usr_t:s0
Target Objects /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so [ file ]
Source gnome-session-c
Source Path /usr/libexec/gnome-session-check-accelerated-helper
Port <Unknown>
Host f172
Source RPM Packages gnome-shell-3.4.1-5.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name f172
Platform Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64
Alert Count 36
First Seen Tue 10 Jul 2012 10:52:47 PM PDT
Last Seen Wed 11 Jul 2012 05:28:26 AM PDT
Local ID 4c293ebd-5167-419e-a9cc-58695f1c59cb

Raw Audit Messages
type=AVC msg=audit(1342009706.413:96): avc: denied { execute } for pid=1820 comm="gnome-shell" path="/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so" dev="sda3" ino=2228271 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1342009706.413:96): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=219bc8 a2=5 a3=802 items=0 ppid=1774 pid=1820 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=3 comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-session-c,xdm_t,usr_t,file,execute

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied

--------------

SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file msd-datetime-mechanism.

***** Plugin leaks (86.2 confidence) suggests ******************************

If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (14.7 confidence) suggests ***************************

If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context system_u:object_r:usr_t:s0
Target Objects msd-datetime-mechanism [ file ]
Source dbus-daemon-lau
Source Path /usr/lib64/dbus-1/dbus-daemon-launch-helper
Port <Unknown>
Host f172
Source RPM Packages dbus-1.4.10-4.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-134.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name f172
Platform Linux f172 3.4.4-5.fc17.x86_64 #1 SMP Thu Jul 5 20:20:59 UTC 2012 x86_64 x86_64
Alert Count 3
First Seen Wed 11 Jul 2012 05:19:31 AM PDT
Last Seen Wed 11 Jul 2012 05:28:32 AM PDT
Local ID 345b5fc1-7083-4a6a-a8f6-3ea0225518b6

Raw Audit Messages
type=AVC msg=audit(1342009712.797:104): avc: denied { execute } for pid=2197 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=394635 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1342009712.797:104): arch=x86_64 syscall=execve success=no exit=EACCES a0=1a4b800 a1=1a4b6a0 a2=1a4a010 a3=2d656d6974657461 items=0 ppid=2196 pid=2197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied

[dan@f172 ~]$ ls -Z /usr/libexec/msd-datetime-mechanism
-rwxr-xr-x. root root system_u:object_r:gnomeclock_exec_t:s0 /usr/libexec/msd-datetime-mechanism
[dan@f172 ~]$

Some more errors I'm receiving. BTW I should note that I'm running MATE desktop if that helps at all.

SELinux is preventing /usr/libexec/gnome-session-check-accelerated-helper from execute access on the file /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so.

Plugin: catchall_labels
If you want to allow gnome-session-check-accelerated-helper to have execute access on the VBoxOGL.so file
You need to change the label on /opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so
# semanage fcontext -a -t FILE_TYPE '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'
where FILE_TYPE is one of the following: abrt_helper_exec_t, rpm_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, pulseaudio_exec_t, pam_exec_t, chkpwd_exec_t, textrel_shlib_t, updpwd_exec_t, xdm_tmp_t, hostname_exec_t, gkeyringd_exec_t, shutdown_exec_t, init_exec_t, alsa_exec_t, consoletype_exec_t, policykit_auth_exec_t, xdm_exec_t, pam_console_exec_t, xsession_exec_t, etc_t, bin_t, lib_t, xdm_unconfined_exec_t, xserver_exec_t, dbusd_exec_t, plymouth_exec_t, xauth_exec_t, loadkeys_exec_t, screen_exec_t, mount_exec_t, shell_exec_t, ssh_agent_exec_t, ld_so_t, lib_t, oddjob_mkhomedir_exec_t, systemd_systemctl_exec_t, xsession_exec_t.
Then execute:
restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so'

restorecon -v '/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so' should help you. But this is strange you have msd-d-mechanism running as system_dbusd_t if we add gnomeclock_exec_t. I will need to install MATE desktop.

MATE has a lot of hooks in to dbus. I am building the packages for it right now but you can install 1.4 easily on any F17 system, just takes time. Might be faster for me to just build it for you. ;)

Figured most of the kinks out. Will reopen this bug if I need to. Thanks!
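
The two AVC denials quoted in this thread, triaged with a small shell helper. This is an added example, not part of the bug report or of selinux-policy: it parses each record and flags a target that carries a generic file type such as usr_t as a labeling problem to check before any audit2allow module is built. The function names and the GENERIC_TYPES list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: triage the AVC denials quoted in this report.
# The two records are copied from the thread, each joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1342009706.413:96): avc: denied { execute } for pid=1820 comm="gnome-shell" path="/opt/VBoxGuestAdditions-4.1.18/lib/VBoxOGL.so" dev="sda3" ino=2228271 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1342009712.797:104): avc: denied { execute } for pid=2197 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=394635 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_field LINE KEY: print the value of " KEY=value" without its quotes.
# Assumes the value has no spaces (audit hex-encodes paths that do).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission(s) found between "{" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# GENERIC_TYPES is this example's own list of catch-all file types.
GENERIC_TYPES='usr_t default_t file_t unlabeled_t'

# triage_avc LINE: print "<advice> <source type>-><target type> <perm> <target>".
triage_avc() {
    perm=$(avc_perm "$1")
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    target=$(avc_field "$1" path)
    # With only name= logged, the inode is the reliable handle; resolve it
    # with: find <mountpoint> -xdev -inum <ino>, then ls -Z the result.
    [ -n "$target" ] || target="inode:$(avc_field "$1" ino)"
    advice=review-policy
    for t in $GENERIC_TYPES; do
        # A generic target type points at labeling: compare with
        # matchpathcon / restorecon -nv before reaching for audit2allow.
        if [ "$t" = "$ttype" ]; then advice=check-label; fi
    done
    printf '%s %s->%s %s %s\n' "$advice" "$stype" "$ttype" "$perm" "$target"
}

printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r rec; do
    triage_avc "$rec"
done
```

The second record logs only name= and an inode, so the helper reports the inode rather than guessing a directory for the file.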