Bug 973849 (accounts)

| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/libexec/accounts-daemon from 'read' accesses on the directory /var/log. |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 19 |
| Hardware | i686 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | hrafnkellbrimar |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Ben Levenson <benl> |
| CC | 306power, aaron, abokovoy, al.dunsmuir, allinux4, amado86, awilliam, berend.de.schouwer, bugzilla, bug-zilla, chmelarz, daniel.bossert, danielhc99, dan.mashal, dominick.grift, dwalsh, eischmann, elad, eliseo.allen, flokip, fran, gatlinsullivan, ghelleks, glyubodr, gregvd77, hdegoede, hit_man2, igiridharangm, jfrieben, jirinek, jlaska, jlayton, jorg, jsedlak, klaus, komealy, litespace, lordmael, lovenemesis, luya, l.wandrebeck, maci, madko, marco.kunzli, markus, mattdm, maxx, m.brinkmann, mclasen, mgrepl, mikhail.v.gavrilov, mkovarik, moez.roy, mteixeira, mtinberg, munawar.ahmed, m.vitta, NandishBhatt.143, nathanael, nicolas.mailhot, nonamedotc, paul, preco, prestontunnellwilson, ralv65, rmomota, robatino, rstrode, rxguy, ryanj, sangu.fedora, sanjay.ankur, scorpy_sk, sergei.litvinenko, simon.lewis, spetreolle, stealthcipher, sten, stephane.bounet, stephen.zubko, takacsis, tony, twaugh, wezqu76, yann, zaphod24 |
| Whiteboard | abrt_hash:455f96e85c0c0e8a358b5c07e24659cc1da34394fa200884d297e7635873f5b4 AcceptedBlocker |
| Doc Type | Bug Fix |
| Last Closed | 2013-06-19 00:18:41 UTC |
| Bug Blocks | 834090 |

Description
hrafnkellbrimar
2013-06-12 23:33:17 UTC
Description of problem: right after booting
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Same problem here (x86_64). This problem slows down my system extremely because the exception is raised continuously, so I'm forced to downgrade accountsservice to have a usable system again.

Why does it need to watch /var/log?

Description of problem: Booted and logged into Gnome 3.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: just restarted my computer after an update
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: After boot system to gnome shell
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

because it watches when accounts come and go in wtmp. This isn't new behavior though, afaik. I guess something must have changed in the release, not sure what, but I don't think it's a bug.

Description of problem: It appeared just after reboot
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport

Added.

Description of problem: I'm not sure; the SELinux Alert Browser just popped up with this.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.

    ***** Plugin catchall (100. confidence) suggests ***************************

    Additional Information:
    Source Context                system_u:system_r:accountsd_t:s0
    Target Context                system_u:object_r:var_log_t:s0
    Target Objects                /var/log [ dir ]
    Source                        accounts-daemon
    Source Path                   /usr/libexec/accounts-daemon
    Port                          <Unknown>
    Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
    Target RPM Packages           filesystem-3.2-10.fc19.x86_64
    Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name
    Platform                      Linux 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
    Alert Count                   8226
    First Seen                    2013-06-13 00:49:05 EDT
    Last Seen                     2013-06-13 09:57:25 EDT
    Local ID                      be5bcb9b-ad10-4683-8464-0f350bccedad

    Raw Audit Messages
    type=AVC msg=audit(1371131845.127:8742): avc: denied { read } for pid=585 comm="accounts-daemon" name="log" dev="dm-1" ino=2883619 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

    type=SYSCALL msg=audit(1371131845.127:8742): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fae6947bb90 a2=1002fce a3=0 items=0 ppid=1 pid=585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)

    Hash: accounts-daemon,accountsd_t,var_log_t,dir,read

Description of problem: Updated to the latest accountsservice
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: At system reboot
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport

Description of problem: just logged after an update
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: G3 was just started. did nothing, no mouse click, no keyboard typing. F19 beta up to date.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport

Description of problem: Just popped up after a reboot (system had hung prior to the reboot).
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

As this seems to hit everyone, nominating as a blocker per Final criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)".

Description of problem: This bug occurred after update and logged session
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Note the bug also affected rawhide as well running on VM using Gnome Boxes.

Description of problem: Happens immediately after login
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: After the first logon screen, and when desktop is loaded. Maybe this problem is caused by a recent automatic system update.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport

Description of problem: This SELinux warning has been popping up at every startup of Fedora 19 for some days (2 or 3).
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: just logged my computer after night shutdown
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: Didn't do much. Came up after login.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

I recommend people hitting this (which is, pretty much, everyone using GNOME, apparently) do the 'audit2allow' operation suggested by the SELinux troubleshooter for now, otherwise this problem is just going to spam the hell out of your logs; the access is tried about every three seconds on my systems.

The update has been submitted.

The update works for me, thanks.

I'm happy now, thanks....

Description of problem: Reboot after updates!
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686 type: libreport

Description of problem: After updating accountsservice-0.6.34-1.fc19.x86_64
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: I installed F19 Final TC3, updated with testing updates, created another user and logged in (to GNOME).
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Same happens to me after update F19:

    Raw Audit Messages
    type=AVC msg=audit(1371215508.382:475): avc: denied { read } for pid=522 comm="accounts-daemon" name="log" dev="dm-1" ino=393231 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

    Hash: accounts-daemon,accountsd_t,var_log_t,dir,read

Description of problem: just installed recent updates for F19Beta which included some auth subsystem changes, rebooted
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: This bug is really annoying me - abrt is flagging this every 5 seconds
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: This is driving me crazy, my PC is running warm and is very slow. Please publish a workaround until this item can be fixed....
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Simon: there's already an update linked from this bug. Just install it.

Description of problem: After fresh install of Fedora 19 beta Mate when starting the desktop you get many SELinux notifications. If you close one another pops up over and over and over.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: F19 beta desktop running. 2x of these alerts have popped up. I do use the gnome log viewer, but don't know if this is related.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

For those who have a loop in /var/log/messages and the PC gets warm, just delete the files at /var/log/journal/ as described here http://www.happyassassin.net/2013/06/14/fedora-1920-logfile-explosions/

Description of problem: Just after login.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport

Well, I followed the advice from http://www.happyassassin.net/2013/06/14/fedora-1920-logfile-explosions/ as suggested and installed the SELinux policy packages straight from http://koji.fedoraproject.org/koji/buildinfo?buildID=426578 and things seem to have calmed down, but I sure was drowning in logs for a while there.

hraf: if your logs aren't terribly important you can follow the other advice from my post to wipe large journal files to save a bit of space and prevent your journalctl output being huge and slow.

I added the policy myself and deleted the journal files. Rebooted and it worked like a charm. Of course I didn't need the information in those files. The system created new ones with same name.

Already did that Adam, thanks for the tip.

Description of problem: Notification shown in gnome shell after rebooting.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Phew! Many thanks for the quick responses. Updating to: http://koji.fedoraproject.org/koji/buildinfo?buildID=426578 plus, deleting all .journal and .journal~ files found in sub-folders under /var/log/journal and rebooting did the trick.

Description of problem: I just logged in
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: The problem appeared at the very end of booting Fedora 19, about the time when the clock applet appears in the middle of the upper panel.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: fedora 19 yum-updated today (15/06/2013). The problem shows up after rebooting the system and logging in.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

*** Bug 973367 has been marked as a duplicate of this bug. ***

Description of problem: After logging in to Fedora 19 beta I did receive that Selinux alarm. Consultation needed here. First time I feel a bit lost and disorientated, about how to categorize and how to decide about that specific Selinux alarm here. Very often I could decide to establish a local policy module, but very much apprehensive to do the suggested #grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol, #semodule -i mypol.pp here. If I don't allow access, the Selinux-Alarm will be triggered again for sure. Feels almost like an autoimmune reaction of the system (joking here). Any advice?
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport

Description of problem: booting after login
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: This is an upgraded Fedora 19 system (from v18). This alert comes up after logging into Gnome shell.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Klaus: just install the update.

https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

http://koji.fedoraproject.org/koji/buildinfo?buildID=426578

(In reply to Ray Strode [halfline] from comment #7)
> because it watches when accounts come and go in wtmp. This isn't new
> behavior though, afaik. I guess something must have changed in the release,
> not sure what, but I don't think it's a bug.

Should it be migrated to use systemd-logind (at least when available?) instead of watching wtmp?

Description of problem: updated for today's F19+updates-testing, rebooted for kernel changes and just logged into gnome session
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: The problem happens every time I boot my laptop. I believe that the access is required. I have not allowed the access yet as it is an annoyance rather than a real problem for me.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: I restarted the computer for the first time after the initial installation of F19Beta.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Trying this correction and I get the following errors. I'm new to linux and not sure what I'm doing wrong. Could someone suggest the correct way to get the update installed?

    yum localupdate selinux-policy-3.12.1-52.fc19.noarch.rpm
    Failed to set locale, defaulting to C
    Loaded plugins: langpacks, refresh-packagekit
    Examining selinux-policy-3.12.1-52.fc19.noarch.rpm: selinux-policy-3.12.1-52.fc19.noarch
    Marking selinux-policy-3.12.1-52.fc19.noarch.rpm as an update to selinux-policy-3.12.1-48.fc19.noarch
    Resolving Dependencies
    --> Running transaction check
    ---> Package selinux-policy.noarch 0:3.12.1-48.fc19 will be updated
    --> Processing Dependency: selinux-policy = 3.12.1-48.fc19 for package: selinux-policy-targeted-3.12.1-48.fc19.noarch
    --> Processing Dependency: selinux-policy = 3.12.1-48.fc19 for package: selinux-policy-targeted-3.12.1-48.fc19.noarch
    ---> Package selinux-policy.noarch 0:3.12.1-52.fc19 will be an update
    --> Finished Dependency Resolution
    Error: Package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@fedora)
        Requires: selinux-policy = 3.12.1-48.fc19
        Removing: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
            selinux-policy = 3.12.1-48.fc19
        Updated By: selinux-policy-3.12.1-52.fc19.noarch (/selinux-policy-3.12.1-52.fc19.noarch)
            selinux-policy = 3.12.1-52.fc19
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

Kurt: there's two or three packages you have to update together. If the packages haven't reached your mirror yet, the easiest thing to do is go to /tmp, run 'bodhi -D selinux-policy-3.12.1-52.fc19', and then 'yum update selin*.rpm'. That will do what you need (might need 'yum install bodhi' first).

Description of problem: I have tried to transmit a bugreport via bugzilla (initial bug 973849) and my bugzilla id was wrong!
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: boot the system login to KDE
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.i686.PAE type: libreport

(In reply to Adam Williamson from comment #55)
> Klaus: just install the update.
>
> https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=426578

Adam, thanks for providing an update. Feels right but installation efforts with yumex deliver a message

    error resolving dependencies:

    package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@updates-testing)
    requires: selinux-policy = 3.12.1-48.fc19
    to remove: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
    selinux-policy = 3.12.1-48.fc19
    updated by: selinux-policy-3.12.1-52.fc19.noarch (/selinux-policy-3.12.1-52.fc19.noarch(1))
    selinux-policy = 3.12.1-52.fc19

Description of problem: Updated f18-f19 with fedup, relabeled and then logged in.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

(In reply to klaus from comment #64)
> (In reply to Adam Williamson from comment #55)
> > Klaus: just install the update.
> >
> > https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
> >
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=426578
>
> Adam, thanks for providing an update. Feels right but installation efforts
> with yumex deliver a message
>
> error resolving dependencies:
>
> package: selinux-policy-targeted-3.12.1-48.fc19.noarch (@updates-testing)
> requires: selinux-policy = 3.12.1-48.fc19
> to remove: selinux-policy-3.12.1-48.fc19.noarch (@fedora)
> selinux-policy = 3.12.1-48.fc19
> updated by: selinux-policy-3.12.1-52.fc19.noarch
> (/selinux-policy-3.12.1-52.fc19.noarch(1))
> selinux-policy = 3.12.1-52.fc19

execute rpm -qa selinux\* and update all packages listed to avoid that error

Description of problem: This popped up after I logged in from booting up.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

(In reply to Adam Williamson from comment #61)
> Kurt: there's two or three packages you have to update together. If the
> packages haven't reached your mirror yet, the easiest thing to do is go to
> /tmp, run 'bodhi -D selinux-policy-3.12.1-52.fc19', and then 'yum update
> selin*.rpm'. That will do what you need (might need 'yum install bodhi'
> first).

Thank you, that worked like a charm. The update fixed the problem as well. Thanks!

Description of problem: You should report this as a bug. You can generate a local policy module to allow this access. Allow this access for now by executing:

    # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: Boot F19 beta, watch setroubleshoot almost immediately start complaining.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: I installed all the latest updates for Fedora-19, then shut down my machine. Upon starting it up again the next day I got this selinux denial.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Discussed at 2013-06-17 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-17/f19final-blocker-review-6.2013-06-17-16.01.log.txt . Accepted as a blocker per criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login (see Blocker_Bug_FAQ)".

Please, everyone who's hitting this, just install the selinux-policy update. It fixes it.

Description of problem: This happened on first login after a cold boot
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: automatic report?
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

Description of problem: Just noticed it on the message tray, no idea how it occurred.
Additional info: reporter: libreport-2.1.4 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport

https://admin.fedoraproject.org/updates/FEDORA-2013-10881/selinux-policy-3.12.1-52.fc19 has gone stable, closing.
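
Added example, not part of the original bug report or of any Fedora tooling: a small triage script that groups AVC denials by the same five fields as the report's `Hash:` line and flags a signature that repeats every few seconds, the pattern commenters describe here. The `max_gap` and `min_repeats` thresholds, the repeated timestamps and the `example_t` record are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First record is the AVC line quoted in the report; the others are constructed.
PAGE_LINE = ('type=AVC msg=audit(1371131845.127:8742): avc: denied { read } for pid=585 '
             'comm="accounts-daemon" name="log" dev="dm-1" ino=2883619 '
             'scontext=system_u:system_r:accountsd_t:s0 '
             'tcontext=system_u:object_r:var_log_t:s0 tclass=dir')
SAMPLE_LINES = [
    PAGE_LINE,
    PAGE_LINE.replace("1371131845.127:8742", "1371131848.127:8743"),  # constructed repeat
    PAGE_LINE.replace("1371131845.127:8742", "1371131851.127:8744"),  # constructed repeat
    # Constructed one-off denial from a hypothetical example_t domain.
    'type=AVC msg=audit(1371131900.000:8800): avc: denied { open getattr } for pid=700 '
    'comm="example-daemon" name="example.conf" dev="dm-1" ino=42 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    # SYSCALL record (abridged from the report); not an AVC line, so it is skipped.
    'type=SYSCALL msg=audit(1371131845.127:8742): arch=x86_64 syscall=inotify_add_watch success=no',
]


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["ts"] = float(m.group("ts"))
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec


def signature(rec):
    """Fields of the report's 'Hash:' line: comm, source type, target type, class, perms."""
    stype = rec["scontext"].split(":")[2]
    ttype = rec["tcontext"].split(":")[2]
    return (rec["comm"], stype, ttype, rec["tclass"], ",".join(rec["perms"]))


def summarize(lines, max_gap=10.0, min_repeats=3):
    """Count denials per signature and flag a retry loop: at least min_repeats
    hits whose mean spacing is below max_gap seconds (both thresholds assumed)."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            seen[signature(rec)].append(rec["ts"])
    report = {}
    for sig, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        looping = mean_gap is not None and len(stamps) >= min_repeats and mean_gap < max_gap
        report[sig] = {"count": len(stamps), "mean_gap": mean_gap, "loop": looping}
    return report


if __name__ == "__main__":
    for sig, info in summarize(SAMPLE_LINES).items():
        print(",".join(sig), info)
```

A looping signature points at a daemon retrying a denied call, which is better resolved by the policy update linked in this bug than by a broad local module.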