Bug 976017

Summary: Please push latest selinux policy to fix denials for gvfs and others
Product: [Fedora] Fedora
Reporter: Dan Mashal <dan.mashal>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 19
CC: awilliam, dominick.grift, dwalsh, mgrepl
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: RejectedFreezeException
Fixed In Version: selinux-policy-3.12.1-54.fc19
Doc Type: Bug Fix
Last Closed: 2013-06-23 06:27:55 UTC
Type: Bug

Description Dan Mashal 2013-06-19 18:34:05 UTC
[root@Fedora19 dan3]# cat /var/log/messages |grep denied
Jun 18 20:14:11 Fedora19 kernel: [    9.834251] type=1400 audit(1371611643.411:4): avc:  denied  { relabelfrom } for  pid=281 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=13096 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 20:21:55 Fedora19 kernel: [   16.658571] type=1400 audit(1371612107.319:4): avc:  denied  { relabelfrom } for  pid=257 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=14133 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 20:36:30 Fedora19 systemd-tmpfiles[1993]: stat(/run/user/1000/gvfs) failed: Permission denied
Jun 18 21:00:03 Fedora19 kernel: [   27.164783] type=1400 audit(1371614396.756:4): avc:  denied  { relabelfrom } for  pid=251 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=11761 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 21:14:29 Fedora19 systemd-tmpfiles[2509]: stat(/run/user/1001/gvfs) failed: Permission denied
Jun 18 22:11:11 Fedora19 kernel: [  284.019727] type=1400 audit(1371618668.763:4): avc:  denied  { relabelfrom } for  pid=280 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=12797 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 22:21:24 Fedora19 systemd-tmpfiles[1426]: stat(/run/user/1001/gvfs) failed: Permission denied
Jun 18 22:49:52 Fedora19 kernel: [   10.533060] type=1400 audit(1371620988.504:4): avc:  denied  { relabelfrom } for  pid=275 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=9028 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 23:04:38 Fedora19 systemd-tmpfiles[2112]: stat(/run/user/1000/gvfs) failed: Permission denied
Jun 19 01:01:34 Fedora19 kernel: [    6.529689] type=1400 audit(1371628888.856:3): avc:  denied  { relabelfrom } for  pid=253 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=10621 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 19 01:01:34 Fedora19 kernel: [    6.529689] type=1400 audit(1371628888.856:4): avc:  denied  { relabelto } for  pid=253 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=10621 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
[root@Fedora19 dan3]# cat .xsession-errors 
touch: cannot touch ‘/home/dan3/.cache/imsettings/log’: No such file or directory
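
Added example (not part of the original report): a triage script that collapses repeated AVC denials like those above into one entry per source type, target type and object class, and keeps other "denied" lines separately. The function names are hypothetical, and the emitted `allow` statement is only a candidate for policy review, not the change shipped in the update referenced in this bug.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the log in this report.
SAMPLE = """\
Jun 18 20:14:11 Fedora19 kernel: [    9.834251] type=1400 audit(1371611643.411:4): avc:  denied  { relabelfrom } for  pid=281 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=13096 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 18 20:36:30 Fedora19 systemd-tmpfiles[1993]: stat(/run/user/1000/gvfs) failed: Permission denied
Jun 19 01:01:34 Fedora19 kernel: [    6.529689] type=1400 audit(1371628888.856:3): avc:  denied  { relabelfrom } for  pid=253 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=10621 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
Jun 19 01:01:34 Fedora19 kernel: [    6.529689] type=1400 audit(1371628888.856:4): avc:  denied  { relabelto } for  pid=253 comm="systemd-tmpfile" name="lock" dev="tmpfs" ino=10621 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec if {"scontext", "tcontext", "tclass"} <= rec.keys() else None

def se_type(context):
    # A context is user:role:type:level; the type is what policy rules refer to.
    return context.split(":")[2]

def summarize(lines):
    """Group AVC denials by (source type, target type, class); collect other denials."""
    groups, other = defaultdict(lambda: {"perms": set(), "count": 0}), []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            if "denied" in line:
                other.append(line)  # e.g. the stat() failures, which are not AVC records
            continue
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
    return dict(groups), other

def candidate_rules(groups):
    # One allow statement per group, for a policy maintainer to review, not to load blindly.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    groups, other = summarize(SAMPLE.splitlines())
    print(candidate_rules(groups), f"{len(other)} non-AVC denial line(s)")
```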

Comment 1 Dan Mashal 2013-06-19 18:38:34 UTC
selinux-policy-3.12.1-53.fc19
selinux-policy-targeted-3.12.1-53.fc19

seem to fix this.


Please ref https://bugzilla.redhat.com/show_bug.cgi?id=975521

Comment 2 Fedora Update System 2013-06-19 19:31:03 UTC
selinux-policy-3.12.1-53.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-53.fc19

Comment 3 Fedora Update System 2013-06-20 18:02:57 UTC
Package selinux-policy-3.12.1-54.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-54.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11355/selinux-policy-3.12.1-54.fc19
then log in and leave karma (feedback).

Comment 4 Adam Williamson 2013-06-21 02:18:44 UTC
Discussed at 2013-06-20 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-06-20/f19final-blocker-review-7.1.2013-06-20-15.01.html . This was rejected as a freeze exception issue: we already have an accepted FE that will cause -54 to be freeze excepted and there's no clear information why we need this separate bug or what, specifically, it's tracking.

Comment 5 Fedora Update System 2013-06-23 06:27:55 UTC
selinux-policy-3.12.1-54.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.