Bug 903173

Summary: SELinux is preventing /usr/libexec/colord from 'read' accesses on the file 2.
Product: [Fedora] Fedora
Reporter: Fabio Valentini <decathorpe>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: 306power, akurtako, artur.meski, autarch, casper.gasper, code, cvanewijk, cyrusyzgtt, dominick.grift, dwalsh, edosurina, eparis, joey10946, jsmith.fedora, madko, mgrepl, mishu, roberto.filippetti, sanjay.ankur, scottt.tw, simone.tolotti, sivlemx, tucnadave, twegener
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:2a338791fc69a2c1aa4ef1d278082734bdaf4edb2606bcaf374ebe886d4e1ef0
Doc Type: Bug Fix
Last Closed: 2013-02-07 21:22:52 EST

Description Fabio Valentini 2013-01-23 06:29:31 EST
Description of problem:
SELinux is preventing /usr/libexec/colord from 'read' accesses on the file 2.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed read access on the 2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:systemd_logind_sessions_t:s0
Target Objects                2 [ file ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.28-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.8.0-rc4 #3 SMP Fri Jan 18
                              13:06:29 CET 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-01-23 11:33:56 CET
Last Seen                     2013-01-23 12:27:33 CET
Local ID                      c82bcd76-9858-4d5c-a595-92542fa19cfa

Raw Audit Messages
type=AVC msg=audit(1358940453.140:72): avc:  denied  { read } for  pid=1757 comm="colord" name="2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file


type=AVC msg=audit(1358940453.140:72): avc:  denied  { open } for  pid=1757 comm="colord" path="/run/systemd/sessions/2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file


type=SYSCALL msg=audit(1358940453.140:72): arch=x86_64 syscall=open success=yes exit=ENOTBLK a0=2123900 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1757 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,systemd_logind_sessions_t,file,read

audit2allow

#============= colord_t ==============
allow colord_t systemd_logind_sessions_t:file { read open };

audit2allow -R

#============= colord_t ==============
allow colord_t systemd_logind_sessions_t:file { read open };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.0-rc4
type:           libreport
Comment 1 Miroslav Grepl 2013-01-23 06:54:17 EST
Fixed in selinux-policy-3.11.1-74.fc18.noarch
Comment 2 Fedora Update System 2013-01-31 08:17:53 EST
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18
Comment 3 Fedora Update System 2013-02-01 11:38:25 EST
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).
Comment 4 Simone Tolotti 2013-02-03 11:58:55 EST
I have updates-testing enabled and selinux-policy-3.11.1-74.fc18 installed but am still getting this SELinux alert.
I've also tried to relabel the whole system by doing # touch /.autorelabel
Comment 5 Miroslav Grepl 2013-02-04 06:31:04 EST
Fixed in selinux-policy-3.11.1-75.fc18
Comment 6 Miroslav Grepl 2013-02-04 06:40:40 EST
*** Bug 906970 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2013-02-04 06:52:09 EST
*** Bug 907437 has been marked as a duplicate of this bug. ***
Comment 8 david sutherland 2013-02-04 14:32:41 EST
Laptop did not start from suspended state. Had to force shut down.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Casper Gasper 2013-02-04 15:02:16 EST
AVC denial happens consistently when logging in.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Jared Smith 2013-02-05 00:49:23 EST
Booted into GNOME 3, and noticed the sealert message.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 11 Fedora Update System 2013-02-05 04:23:19 EST
selinux-policy-3.11.1-76.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-76.fc18
Comment 12 Pascal94 2013-02-05 06:43:15 EST
just at startup, like every day

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 13 Kostya Berger 2013-02-06 05:16:15 EST
No steps, just session startup and I got this alert. That's it.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 14 Javier Villanueva 2013-02-06 09:56:58 EST
This happened when I turned on the lap.

Package: (null)
Architecture: i686
OS Release: Fedora release 18 (Spherical Cow)
Comment 15 Artur M. 2013-02-06 11:12:45 EST
Happens right after login. 

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 16 Scott Tsai 2013-02-07 02:24:05 EST
Happens every time I log into the GNOME desktop.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 17 Chrit van Ewijk 2013-02-07 13:55:12 EST
Alert keeps coming right after startup. 

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 18 Fedora Update System 2013-02-07 21:22:54 EST
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 joey10946 2013-02-08 04:45:08 EST
The problem still persists.
Comment 20 Miroslav Grepl 2013-02-08 07:21:14 EST
Please update to the latest policy

# yum update selinux-policy-targeted --enablerepo=updates-testing
Comment 21 joey10946 2013-02-08 11:12:14 EST
Updating to 3.11.1-76 solved the problem.
Comment 22 Edouard Bourguignon 2013-02-09 05:37:38 EST
type=AVC msg=audit(1360406105.149:368): avc:  denied  { search } for  pid=2517 comm="colord" name="sessions" dev="tmpfs" ino=13931 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir

search is denied now with 3.11.1-76
Comment 23 code 2013-02-09 11:50:04 EST
Observed this bug on selinux-policy-3.11.1-74.fc18.

type=AVC msg=audit(1360427076.051:363): avc:  denied  { search } for  pid=803 comm="colord" name="sessions" dev="tmpfs" ino=15045 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir

Resolved for me by updating to selinux-policy-3.11.1-76.fc18: no new entries in SELinux Troubleshooter or in audit.log after a reboot.
Comment 24 Fedora Update System 2013-02-10 23:54:50 EST
selinux-policy-3.11.1-76.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.