Bug 880038

Summary: SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'lock' accesses on the file /root/.config/Trolltech.conf.
Product: [Fedora] Fedora
Reporter: ziomaul <ziomaul>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, jgrulich, jreznik, kevin, ltinkl, mbriza, mgrepl, rdieter, rnovacek, than
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:a9cc3532590ae70a63c76175584ee7c83fca5ffc106f8e54c6ee1dd02ebdd7e0
Doc Type: Bug Fix
Last Closed: 2013-01-07 04:01:38 UTC

Description ziomaul 2012-11-26 04:36:01 UTC
Description of problem:
Kppp not control program error.
Kill for user. Kppp is loop
 


Additional info:
libreport version: 2.0.18
kernel:         3.6.7-4.fc17.i686

description:
:SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'lock' accesses on the file /root/.config/Trolltech.conf.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that ksysguardprocesslist_helper should be allowed lock access on the Trolltech.conf file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep ksysguardproces /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:config_home_t:s0
:Target Objects                /root/.config/Trolltech.conf [ file ]
:Source                        ksysguardproces
:Source Path                   /usr/libexec/kde4/ksysguardprocesslist_helper
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ksysguard-4.9.3-2.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.7-4.fc17.i686 #1 SMP Tue Nov
:                              20 20:13:04 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    2012-11-26 05:32:04 CET
:Last Seen                     2012-11-26 05:32:04 CET
:Local ID                      cc8566d3-adc0-4d2b-b082-98e7dce5f308
:
:Raw Audit Messages
:type=AVC msg=audit(1353904324.485:79): avc:  denied  { lock } for  pid=4862 comm="ksysguardproces" path="/root/.config/Trolltech.conf" dev="dm-1" ino=55172 scontext=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1353904324.485:79): arch=i386 syscall=fcntl64 success=yes exit=0 a0=3 a1=7 a2=bfc57a70 a3=1 items=0 ppid=4861 pid=4862 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ksysguardproces exe=/usr/libexec/kde4/ksysguardprocesslist_helper subj=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: ksysguardproces,gnomesystemmm_t,config_home_t,file,lock
:
:audit2allow
:
:#============= gnomesystemmm_t ==============
:allow gnomesystemmm_t config_home_t:file lock;
:
:audit2allow -R
:
:#============= gnomesystemmm_t ==============
:allow gnomesystemmm_t config_home_t:file lock;
:
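
A sketch of the triage step behind the `audit2allow` output quoted in the report, added here as an illustration (it is not part of the original report and not code from setroubleshoot or audit2allow). It joins the AVC and SYSCALL records by audit event ID and derives the candidate rule; the function and field names are assumptions chosen for this example.

```python
import re

# Records copied from the report above, ':' quoting prefix included.
SAMPLE = '''\
:type=AVC msg=audit(1353904324.485:79): avc:  denied  { lock } for  pid=4862 comm="ksysguardproces" path="/root/.config/Trolltech.conf" dev="dm-1" ino=55172 scontext=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=file
:type=SYSCALL msg=audit(1353904324.485:79): arch=i386 syscall=fcntl64 success=yes exit=0 a0=3 a1=7 a2=bfc57a70 a3=1 items=0 ppid=4861 pid=4862 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ksysguardproces exe=/usr/libexec/kde4/ksysguardprocesslist_helper subj=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 key=(null)
'''

EVENT = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """user:role:type:level -> type (the MLS level may contain more ':')."""
    return context.split(':')[2]

def triage(log_text):
    """Join AVC and SYSCALL records by audit event ID; one dict per denial."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT.match(line.strip().lstrip(':'))
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {'event': event_id})
        if rtype == 'AVC' and (d := DENIED.search(body)):
            f = {k: v.strip('"') for k, v in FIELD.findall(d.group(2))}
            ev.update(perms=d.group(1).split(), path=f.get('path'),
                      source=se_type(f['scontext']),
                      target=se_type(f['tcontext']), tclass=f['tclass'])
        elif rtype == 'SYSCALL':
            f = dict(FIELD.findall(body))
            # A denied AVC on a syscall that still succeeded usually means the
            # denial was only logged (permissive), as the report itself states.
            ev.update(syscall=f.get('syscall'),
                      syscall_succeeded=f.get('success') == 'yes')
    denials = [ev for ev in events.values() if 'perms' in ev]
    for ev in denials:
        perms = ev['perms']
        perm_set = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        # Candidate rule in the form audit2allow prints; review before loading.
        ev['rule'] = 'allow %s %s:%s %s;' % (
            ev['source'], ev['target'], ev['tclass'], perm_set)
    return denials

if __name__ == '__main__':
    for d in triage(SAMPLE):
        print(d['event'], d.get('syscall'), d.get('syscall_succeeded'))
        print(d['rule'])
```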

Comment 1 ziomaul 2012-11-26 04:36:09 UTC
Created attachment 651740
File: type

Comment 2 ziomaul 2012-11-26 04:36:12 UTC
Created attachment 651741
File: hashmarkername

Comment 3 Miroslav Grepl 2012-11-26 14:03:10 UTC
Did you log in as root?

Comment 4 Rex Dieter 2012-11-26 14:07:56 UTC
curious, is there a problem or objection to allowing access to stuff under ~root/.config/ policy-wise?

Comment 5 Miroslav Grepl 2012-11-26 14:23:38 UTC
So the /.config/Trolltech.conf is created if a user uses kauth for example to setup date&time?

Just would like to know how it works. Thx.

I have no problem adding

optional_policy(`
  gnome_read_home_config(gnomesystemmm_t)
')

Comment 6 Miroslav Grepl 2012-11-26 14:26:31 UTC
Added.

commit 058874eb8f4c9f5733558260a82849fbc560c657
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 26 15:25:09 2012 +0100

    Allow ksysguardproces to read /.config/Trolltech.conf

Comment 7 Rex Dieter 2012-11-26 14:45:49 UTC
yes, that file will get created/accessed whenever any privileged helper (generally matching /usr/libexec/kde4/*helper) is invoked

Comment 8 ziomaul 2012-11-26 15:22:25 UTC
No, I work in user mode, Kppp works in root mode.
I use KDE as your desktop and kppp (not networkmanager) for connection modem.
A bug unmanaged kppp obligated to kill process.

"curious, is there a problem or objection to allowing access to stuff under ~root/.config/ policy-wise?" 

Likely.

Post .config/Trolltech.conf

Comment 9 Kevin Kofler 2012-11-27 01:29:01 UTC
> Did you log in as root?

No, he didn't. This is a KAuth helper. KAuth is a wrapper around D-Bus activation and PolicyKit to handle secure privilege escalation. KAuth helpers work just like any other D-Bus-activated PolicyKit mechanisms. So the helper always runs as root.

> So the /.config/Trolltech.conf is created if a user uses kauth for example to
> setup date&time?

That's the wrong path, it should be /root/.config/Trolltech.conf (see the file name quoted in the mail's subject). A top-level /.config was accidentally used in the past, but that's a bug which has been fixed.

Comment 10 Fedora Update System 2012-12-17 18:42:26 UTC
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17

Comment 11 Fedora Update System 2012-12-18 02:38:12 UTC
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-01-05 06:42:53 UTC
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-01-07 04:01:40 UTC
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.