Bug 883741

Summary: SELinux is preventing /usr/bin/dolphin from 'getattr' accesses on the directory /run/media/kecskebak/KINGSTON-8.
Product: [Fedora] Fedora Reporter: Dave Jeffery <david.richard.jeffery>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:49696fbc853a14bdcc8e8c264139a8b539b998c398bb47c8a0d5edd7ca260037
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-18 06:54:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dave Jeffery 2012-12-05 08:08:29 UTC 
Description of problem:
1. Plug in a USB drive
2. Can't use it, get lots of SELinux warnings instead
SELinux is preventing /usr/bin/dolphin from 'getattr' accesses on the directory /run/media/kecskebak/KINGSTON-8.

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If you want to allow dolphin to have getattr access on the KINGSTON-8 directory
Then you need to change the label on /run/media/kecskebak/KINGSTON-8
Do
# semanage fcontext -a -t FILE_TYPE '/run/media/kecskebak/KINGSTON-8'
where FILE_TYPE is one of the following: httpd_sys_content_t, var_run_t, user_home_dir_t, systemd_logind_var_run_t, policykit_reload_t, systemd_passwd_var_run_t, gconf_home_t, home_root_t, init_var_run_t, gnome_home_t, httpd_user_content_t, admin_home_t, var_lib_t, var_run_t, httpd_user_script_exec_t, gconf_home_t, home_root_t, user_home_type, fsadm_var_run_t, sysctl_crypto_t, etc_t, boolean_type, krb5kdc_conf_t, krb5_host_rcache_t, chrome_sandbox_t, virt_home_t, winbind_var_run_t, readable_t, user_tmp_type, user_home_dir_t, systemd_logind_var_run_t, file_type, systemd_passwd_var_run_t, home_root_t, cfengine_var_lib_t, etc_t, mail_spool_t, user_home_dir_t, device_t, device_t, devpts_t, sysctl_vm_t, cert_t, user_tmpfs_type, proc_net_t, etc_t, cert_type, selinux_config_t, cgroup_t, sysfs_t, tmpfs_t, var_t, abrt_var_run_t, config_home_t, bin_t, boot_t, init_var_run_t, init_t, var_run_t, setrans_var_run_t, root_t, user_home_dir_t, device_t, tmp_t, usr_t, locale_t, var_t, sssd_public_t, etc_t, user_tmp_t, cupsd_etc_t, proc_t, sysfs_t, postfix_etc_t, device_t, tmp_t, tmp_t, var_t, sysctl_t, abrt_t, bin_t, etc_t, base_ro_file_type, unlabeled_t, lib_t, man_t, likewise_var_lib_t, mnt_t, user_tmp_t, alsa_etc_rw_t, proc_t, proc_type, public_content_rw_t, public_content_t, cgroup_t, root_t, sysfs_t, tmpfs_t, tmp_t, usr_t, var_t, sysctl_kernel_t, etc_mail_t, config_home_t, bin_t, cert_t, unconfined_dbusd_t, sysctl_vm_overcommit_t, init_t, cpu_online_t, mandb_cache_t, root_t, user_fonts_t, system_cronjob_var_lib_t, thumb_t, tmp_t, usr_t, var_t, mqueue_spool_t, krb5_conf_t, systemd_logind_sessions_t, policykit_var_lib_t, user_tmp_t, telepathy_data_home_t, semanage_store_t, cfengine_var_lib_t, telepathy_cache_home_t, systemd_unit_file_type, filesystem_type, user_fonts_t, user_home_t, cache_home_t, data_home_t, textrel_shlib_t, nx_server_var_lib_t, sysctl_type, device_t, devpts_t, var_spool_t, etc_t, cache_home_t, nscd_var_run_t, nslcd_var_run_t, data_home_t, sandbox_file_t, samba_var_t, proc_t, var_lib_t, var_run_t, smbd_var_run_t, user_fonts_config_t, cgroup_t, rpm_script_tmp_t, src_t, sysfs_t, tmpfs_t, sssd_var_lib_t, var_log_t, sysctl_type, modules_object_t, sysctl_t, avahi_var_run_t, home_root_t, bin_t, security_t, init_var_run_t, lib_t, samba_etc_t, mnt_t, var_lib_t, var_run_t, net_conf_t, systemd_unit_file_type, virt_var_run_t, usr_t, var_t, abrt_var_run_t, security_t, security_t, domain, rpm_log_t, default_t, var_run_t, var_log_t, unconfined_t, abrt_var_run_t, krb5_host_rcache_t, sysctl_kernel_t, sysfs_t, device_t, var_t, var_t, proc_t, sysctl_t, bin_t, security_t, mozilla_plugin_rw_t, nscd_var_run_t, pcscd_var_run_t, var_run_t, var_run_t, mozilla_plugin_t. 
Then execute: 
restorecon -v '/run/media/kecskebak/KINGSTON-8'


*****  Plugin catchall (5.04 confidence) suggests  ***************************

If you believe that dolphin should be allowed getattr access on the KINGSTON-8 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dolphin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:file_t:s0
Target Objects                /run/media/kecskebak/KINGSTON-8 [ dir ]
Source                        dolphin
Source Path                   /usr/bin/dolphin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kde-runtime-4.9.3-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-59.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.7-5.fc18.x86_64 #1 SMP Tue Nov
                              20 19:40:08 UTC 2012 x86_64 x86_64
Alert Count                   19
First Seen                    2012-12-05 08:59:52 CET
Last Seen                     2012-12-05 09:04:16 CET
Local ID                      c0b34adc-f238-4b6a-af88-ba4e42e4cbd3

Raw Audit Messages
type=AVC msg=audit(1354694656.284:454): avc:  denied  { getattr } for  pid=2979 comm="kioclient" path="/run/media/kecskebak/KINGSTON-8" dev="sde1" ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir


type=SYSCALL msg=audit(1354694656.284:454): arch=x86_64 syscall=stat success=no exit=EACCES a0=d1e2c8 a1=7fffbedb3390 a2=7fffbedb3390 a3=7fffbedb2fe0 items=0 ppid=1217 pid=2979 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=kioclient exe=/usr/bin/kioclient subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: dolphin,unconfined_t,file_t,dir,getattr

audit2allow
audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.7-5.fc18.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2012-12-05 09:23:26 UTC 
Dave,
what does

# grep "Failed to set security context" /var/log/messages
Comment 2 Dave Jeffery 2012-12-05 09:27:57 UTC 
Just tried it - it returns nothing. BTW: thanks for looking into this so quickly Miroslav!
Comment 3 Miroslav Grepl 2012-12-05 09:53:37 UTC 
Ok, did you try to downgrade to -50.fc18 release?
Comment 4 Dave Jeffery 2012-12-05 09:58:55 UTC 
Not that I know of. I am using a clean install of Fedora 18 KDE Beta on a real hard drive. There is nothing else - no other OS-es on the computer. I've only updated when prompted to by Apper with the updates it suggests.
Comment 5 Dave Jeffery 2012-12-05 09:59:58 UTC 
BTW: Just checked with Apper and it says my system is completely up to date.
Comment 6 Daniel Walsh 2012-12-06 20:03:56 UTC 
Fixed in selinux-policy-3.11.1-60.fc18.noarch
Comment 7 Dave Jeffery 2012-12-07 07:47:29 UTC 
Fixed selinux policy was waiting for me to update this morning - I can confirm that I can now plug-in my USB sticks and Dolphin lets me use them.

Many, many, thanks for your quick work fixing this Daniel and Miroslav.

All the best, Dave
Comment 8 Fedora Update System 2012-12-11 17:51:53 UTC 
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18
Comment 9 Fedora Update System 2012-12-11 23:28:28 UTC 
Package selinux-policy-3.11.1-62.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2012-12-17 17:40:10 UTC 
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
Comment 11 Fedora Update System 2012-12-18 06:54:51 UTC 
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.