Bug 1126142 - SELinux is preventing /usr/sbin/console-kit-daemon from 'write' accesses on the directory /var/lib/dbus.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: 23
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Dan Mashal
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:133e7215eeadcd7d83fdecf9151...
Duplicates: 1189916 1211099 1243547 1255419 1285136
Depends On:
Blocks:
Reported: 2014-08-02 14:45 UTC by Alexandre Moine
Modified: 2016-12-20 12:50 UTC
CC List: 37 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-20 12:50:09 UTC


Attachments
grep output mentioned in setroubleshoot error (28.25 KB, text/plain)
2015-06-16 22:07 UTC, Mr. Meval

Description Alexandre Moine 2014-08-02 14:45:50 UTC
Description of problem:
SELinux is preventing /usr/sbin/console-kit-daemon from 'write' accesses on the directory /var/lib/dbus.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que console-kit-daemon devrait être autorisé à accéder write sur dbus directory par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep console-kit-dae /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consolekit_t:s0
Target Context                system_u:object_r:system_dbusd_var_lib_t:s0
Target Objects                /var/lib/dbus [ dir ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ConsoleKit-0.4.5-8.fc21.x86_64
Target RPM Packages           dbus-1.8.6-2.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-68.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.0-libre.1.fc21.gnu.x86_64 #1
                              SMP Thu Jun 12 16:19:28 EDT 2014 x86_64 x86_64
Alert Count                   16
First Seen                    2014-07-29 21:30:03 CEST
Last Seen                     2014-08-02 15:41:59 CEST
Local ID                      3da9e063-6515-441d-8b4c-f70fe458bbaa

Raw Audit Messages
type=AVC msg=audit(1406986919.715:374): avc:  denied  { write } for  pid=1096 comm="console-kit-dae" name="dbus" dev="sda3" ino=1179738 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1406986919.715:374): arch=x86_64 syscall=open success=no exit=EACCES a0=1991eb0 a1=c1 a2=1a4 a3=2d items=0 ppid=1 pid=1096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=console-kit-dae exe=/usr/sbin/console-kit-daemon subj=system_u:system_r:consolekit_t:s0 key=(null)

Hash: console-kit-dae,consolekit_t,system_dbusd_var_lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-68.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.0-libre.1.fc21.gnu.x86_64
type:           libreport

Comment 1 Daniel Walsh 2014-08-06 21:41:32 UTC
What Desktop are you using?

Comment 2 Lukas Slebodnik 2014-08-18 11:32:12 UTC
Description of problem:
After rebooting my laptop I saw this AVC

Version-Release number of selected component:
selinux-policy-3.13.1-72.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-1.fc21.x86_64
type:           libreport

Comment 3 Lukas Slebodnik 2014-08-18 11:33:53 UTC
I am using Xfce 4.10

Comment 4 Miroslav Grepl 2014-09-01 17:40:48 UTC
Lukas,
what AVC are you getting in permissive?

Comment 5 Lukas Slebodnik 2014-09-02 08:02:33 UTC
I will provide the AVC after the next reboot (in the next days).

Comment 6 Lukas Slebodnik 2014-09-03 11:41:55 UTC
I am not able to reproduce AVC anymore.
Version of tested packages:
sh$ rpm -q selinux-policy
selinux-policy-3.13.1-77.fc21.noarch
sh$ rpm -qf /usr/sbin/console-kit-daemon
ConsoleKit-0.4.5-9.fc21.x86_64

I think we can close this bug. It can be reopened if the problem appears.

Comment 7 Arnaud 2014-10-14 01:30:05 UTC
I am having this message too.

Versions:
selinux-policy-3.13.1-85.fc21.noarch
ConsoleKit-0.4.5-9.fc21.x86_64


with selinux in enforcing:

time->Tue Oct 14 02:43:38 2014
type=PROCTITLE msg=audit(1413247418.799:66): proctitle=2F7573722F7362696E2F636F6E736F6C652D6B69742D6461656D6F6E002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1413247418.799:66): arch=c000003e syscall=2 success=no exit=-13 a0=21fcc40 a1=c1 a2=1a4 a3=38 items=0 ppid=1 pid=1028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0 key=(null)
type=AVC msg=audit(1413247418.799:66): avc:  denied  { write } for  pid=1028 comm="console-kit-dae" name="dbus" dev="sda3" ino=13660 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0


with selinux in permissive, the last one:

time->Tue Oct 14 03:22:40 2014
type=PROCTITLE msg=audit(1413249760.458:71): proctitle=2F7573722F7362696E2F636F6E736F6C652D6B69742D6461656D6F6E002D2D6E6F2D6461656D6F6E
type=SYSCALL msg=audit(1413249760.458:71): arch=c000003e syscall=82 success=yes exit=0 a0=1dff6b0 a1=3a7a4384c5 a2=0 a3=50 items=0 ppid=1 pid=1021 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0 key=(null)
type=AVC msg=audit(1413249760.458:71): avc:  denied  { rename } for  pid=1021 comm="console-kit-dae" name="machine-id.kYXHQnyS" dev="sda3" ino=6496175 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1413249760.458:71): avc:  denied  { remove_name } for  pid=1021 comm="console-kit-dae" name="machine-id.kYXHQnyS" dev="sda3" ino=6496175 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1


all the AVC I got:
http://fpaste.org/141630/13250132/

Comment 8 Daniel Walsh 2014-10-25 11:18:17 UTC
This looks like consolekit-daemon is creating and renaming machine-id?

Comment 9 Arnaud 2014-10-27 01:04:15 UTC
Not sure if it does it only until you put selinux in permissive.

It stopped giving that message just after that, and didn't do it anymore after I switched back to enforcing.

I have now: selinux-policy-3.13.1-90.fc21.noarch

Comment 10 Daniel Demus 2014-12-11 06:17:19 UTC
Description of problem:
Noticed right after login to desktop

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 11 Lukas Slebodnik 2014-12-11 06:41:08 UTC
(In reply to Daniel Demus from comment #10)
> Description of problem:
> Noticed right after login to desktop
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-99.fc21.noarch
> 
> Additional info:
> reporter:       libreport-2.3.0
> hashmarkername: setroubleshoot
> kernel:         3.17.4-301.fc21.x86_64
> type:           libreport

Please reopen this bug if you can reproduce it.

Comment 12 Daniel Demus 2014-12-15 10:28:34 UTC
Description of problem:
Happens after every gnome logon

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 13 bdp 2014-12-17 02:21:57 UTC
Description of problem:
starting up linux 


may be a glitch as I fresh installed 

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 14 Naresh Sukhija 2014-12-19 02:11:11 UTC
Description of problem:
1. Install Default Workstation distribution
2. Install LXDE specific packages, not complete LXDE group
3. Disable gdm, enable lxdm
4. After reboot, lxdm appears, login to LXDE

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 15 Simon Piette 2015-01-05 19:26:34 UTC
Description of problem:
I can't reproduce that bug. It happened when I came back to unlock my laptop. I had locked it before going away.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Comment 16 bdp 2015-01-10 11:04:54 UTC
Description of problem:
normal running of Linux not sure what happened but still troubleshooting 

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Comment 17 Daniel Walsh 2015-02-01 12:25:12 UTC
I thought ConsoleKit was supposed to die several releases ago...

Comment 18 Brian J. Murrell 2015-03-16 15:15:59 UTC
Description of problem:
Not sure if it should be allowed or not, but either way, it should not result in AVC alerts.

Version-Release number of selected component:
selinux-policy-3.13.1-105.6.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.9-200.fc21.x86_64
type:           libreport

Comment 19 Brian J. Murrell 2015-03-16 15:18:03 UTC
Given that this still happens in up-to-date F21 I'm going to reopen this ticket.

I'm using the Cinnamon desktop, FWIW.

Comment 20 Lukas Vrabec 2015-03-17 09:45:22 UTC
Guys from ConsoleKit, 
Could you check on comment 8? 

Thank you

Comment 21 Andrew Cooks 2015-04-02 03:26:35 UTC
Description of problem:
Happens on login.

Version-Release number of selected component:
selinux-policy-3.13.1-105.9.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 22 Lukas Vrabec 2015-04-02 08:49:23 UTC
*** Bug 1189916 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2015-04-13 12:48:10 UTC
*** Bug 1211099 has been marked as a duplicate of this bug. ***

Comment 24 Veteran 2015-04-20 11:30:00 UTC
Description of problem:
The alert popped up after login following upgrade to fedora 21

Version-Release number of selected component:
selinux-policy-3.13.1-105.11.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.3-200.fc21.x86_64
type:           libreport

Comment 25 Veteran 2015-05-09 13:48:12 UTC
Description of problem:
after upgrading to twenty one and applying updates

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.i686
type:           libreport

Comment 26 Brian J. Murrell 2015-06-04 10:42:17 UTC
Description of problem:
Logging into Cinnamon 2.6

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.5-200.fc21.x86_64
type:           libreport

Comment 27 Mr. Meval 2015-06-16 22:06:30 UTC
localhost:~$ cat /etc/redhat-release 
Fedora release 22 (Twenty Two)


libselinux-2.3-10.fc22.x86_64
libselinux-debuginfo-2.3-10.fc22.x86_64
libselinux-devel-2.3-10.fc22.x86_64
libselinux-python-2.3-10.fc22.x86_64
libselinux-python3-2.3-10.fc22.x86_64
libselinux-utils-2.3-10.fc22.x86_64
rpm-plugin-selinux-4.12.0.1-9.fc22.x86_64
selinux-policy-3.13.1-128.1.fc22.noarch
selinux-policy-devel-3.13.1-128.1.fc22.noarch
selinux-policy-doc-3.13.1-128.1.fc22.noarch
selinux-policy-minimum-3.13.1-128.1.fc22.noarch
selinux-policy-mls-3.13.1-128.1.fc22.noarch
selinux-policy-sandbox-3.13.1-128.1.fc22.noarch
selinux-policy-targeted-3.13.1-128.1.fc22.noarch

setroubleshoot output

SELinux is preventing console-kit-dae from add_name access on the directory machine-id.BzASV2Nf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that console-kit-dae should be allowed add_name access on the machine-id.BzASV2Nf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep console-kit-dae /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consolekit_t:s0
Target Context                system_u:object_r:system_dbusd_var_lib_t:s0
Target Objects                machine-id.BzASV2Nf [ dir ]
Source                        console-kit-dae
Source Path                   console-kit-dae
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.1.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.0.5-300.fc22.x86_64
                              #1 SMP Mon Jun 8 16:15:26 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-06-16 17:59:42 EDT
Last Seen                     2015-06-16 17:59:45 EDT
Local ID                      8bd83b68-438b-479d-9f93-3592e8c1c91f

Raw Audit Messages
type=AVC msg=audit(1434491985.533:492): avc:  denied  { add_name } for  pid=1421 comm="console-kit-dae" name="machine-id.BzASV2Nf" scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0


Hash: console-kit-dae,consolekit_t,system_dbusd_var_lib_t,dir,add_name

attached is the grep mentioned above.
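
An added example, not part of the original bug report and not setroubleshoot's or audit2allow's own code: a small Python triage script that parses the AVC and PROCTITLE records quoted in comments 7 and 27, decodes the hex-encoded proctitle, and groups the denials by source type, target type, class and permission, the same tuple shown on the "Hash:" lines above. The function names and the rendered rule text are this example's own; because SELinux allow rules are written over types and classes, the changing machine-id.* object names do not appear in them.

```python
import re
from collections import defaultdict

# AVC and PROCTITLE records copied from comments 7 and 27 of this bug
# (the SYSCALL records are left out for brevity).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1413247418.799:66): proctitle=2F7573722F7362696E2F636F6E736F6C652D6B69742D6461656D6F6E002D2D6E6F2D6461656D6F6E
type=AVC msg=audit(1413247418.799:66): avc:  denied  { write } for  pid=1028 comm="console-kit-dae" name="dbus" dev="sda3" ino=13660 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1413249760.458:71): proctitle=2F7573722F7362696E2F636F6E736F6C652D6B69742D6461656D6F6E002D2D6E6F2D6461656D6F6E
type=AVC msg=audit(1413249760.458:71): avc:  denied  { rename } for  pid=1021 comm="console-kit-dae" name="machine-id.kYXHQnyS" dev="sda3" ino=6496175 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1413249760.458:71): avc:  denied  { remove_name } for  pid=1021 comm="console-kit-dae" name="machine-id.kYXHQnyS" dev="sda3" ino=6496175 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1434491985.533:492): avc:  denied  { add_name } for  pid=1421 comm="console-kit-dae" name="machine-id.BzASV2Nf" scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(raw):
    """Decode a proctitle value: hex-encoded, NUL-separated argv, or a quoted string."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_denials(text):
    """Return one dict per AVC denial, joined to the command line of its audit event."""
    titles, denials = {}, []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        perms = PERMS_RE.search(body)
        if rtype == "PROCTITLE" and "proctitle=" in body:
            titles[event_id] = decode_proctitle(body.split("proctitle=", 1)[1].strip())
        elif rtype == "AVC" and perms:
            f = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
            if not {"scontext", "tcontext", "tclass"} <= f.keys():
                continue
            denials.append({
                "event": event_id,
                "perms": perms.group(1).split(),
                "comm": f.get("comm", "?"),
                "name": f.get("name", "?"),
                "stype": f["scontext"].split(":")[2],   # user:role:type:level
                "ttype": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                # Assumption: a record without permissive= (as in the first
                # report) is counted as enforced.
                "enforced": f.get("permissive", "0") == "0",
            })
    for d in denials:
        d["cmdline"] = titles.get(d["event"], "")
    return denials


def hash_keys(denials):
    """Keys shaped like the 'Hash:' lines in the setroubleshoot output on this page."""
    return sorted({",".join((d["comm"], d["stype"], d["ttype"], d["tclass"], p))
                   for d in denials for p in d["perms"]})


def candidate_rules(denials):
    """Type-enforcement rules a local module covering these denials would need.

    Rendered for review before anything is installed; this is the example's
    own formatting, not audit2allow output.
    """
    grouped = defaultdict(lambda: {"perms": set(), "names": set()})
    for d in denials:
        g = grouped[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["names"].add(d["name"])
    rules = []
    for (s, t, c), g in sorted(grouped.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append((f"allow {s} {t}:{c} {{ {perms} }};", sorted(g["names"])))
    return rules


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    print("command line:", found[0]["cmdline"])
    for key in hash_keys(found):
        print("hash:", key)
    for rule, names in candidate_rules(found):
        print(rule, " # object names seen:", ", ".join(names))
```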

Comment 28 Mr. Meval 2015-06-16 22:07:54 UTC
Created attachment 1039671
grep output mentioned in setroubleshoot error

Comment 29 Eugene Kanter 2015-07-24 10:30:26 UTC
Description of problem:
I see this every time Fedora 22 is started. Upgraded from previous.

Version-Release number of selected component:
selinux-policy-3.13.1-128.4.fc22.noarch

Additional info:
reporter:       libreport-2.6.0
hashmarkername: setroubleshoot
kernel:         4.0.7-300.fc22.x86_64
type:           libreport

Comment 30 Lukas Vrabec 2015-07-28 10:38:37 UTC
*** Bug 1243547 has been marked as a duplicate of this bug. ***

Comment 31 Torbjørn Lindahl 2015-08-05 14:53:08 UTC
Description of problem:
happened at graphical login

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.3-200.fc22.x86_64
type:           libreport

Comment 32 Tore Anderson 2015-08-17 18:26:29 UTC
Description of problem:
The error shows up every time I log in to LXDE on a recently upgraded Fedora 22 laptop. I do not know what is causing it, and I do not believe I have fiddled with any default settings for any the components the error describes.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.4-200.fc22.x86_64
type:           libreport

Comment 33 Szőke Károly 2015-08-23 06:49:25 UTC
Description of problem:
Just log in to the system and the error appears.

Version-Release number of selected component:
selinux-policy-3.13.1-128.8.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.4-200.fc22.x86_64
type:           libreport

Comment 34 Miroslav Grepl 2015-08-27 16:49:06 UTC
*** Bug 1255419 has been marked as a duplicate of this bug. ***

Comment 35 Veteran 2015-08-27 17:38:06 UTC
xfce 4

# rpm -qa|grep xfce
greybird-xfce4-notifyd-theme-1.5.3-2.fc21.noarch
xfce4-dict-plugin-0.7.0-4.fc21.i686
xfce4-systemload-plugin-1.1.2-1.fc21.i686
xfce4-notes-plugin-1.7.7-10.fc21.i686
xfce4-time-out-plugin-1.0.1-7.fc21.i686
xfce4-mailwatch-plugin-1.2.0-5.fc21.i686
xfce4-terminal-0.6.3-3.fc21.i686
xfce4-xkb-plugin-0.5.6-4.fc21.i686
xfce4-quicklauncher-plugin-1.9.4-18.fc21.i686
xfce4-websearch-plugin-0.1.1-0.18.20070428svn2704.fc18.i686
xfce4-places-plugin-1.6.0-3.fc21.i686
xfce4-fsguard-plugin-1.0.1-6.fc21.i686
xfce4-taskmanager-1.1.0-1.fc21.i686
xfce4-screenshooter-plugin-1.8.1-5.fc21.i686
xfce4-clipman-plugin-1.2.6-3.fc21.i686
xfce4-eyes-plugin-4.4.2-4.fc21.i686
xfce4-notifyd-0.2.4-4.fc21.i686
xfce4-session-engines-4.10.1-7.fc21.i686
xfce4-power-manager-1.4.4-1.fc21.i686
xfce4-sensors-plugin-1.2.3-10.fc21.i686
xfce4-screenshooter-1.8.1-5.fc21.i686
xfce4-netload-plugin-1.2.0-6.fc21.i686
xfce4-battery-plugin-1.0.5-7.fc21.i686
xfce4-panel-4.10.1-6.fc21.i686
xfce4-settings-4.10.1-5.fc21.i686
xfce4-mixer-4.10.0-6.fc21.i686
xfce4-diskperf-plugin-2.5.4-7.fc21.i686
xfce4-datetime-plugin-0.6.2-4.fc21.i686
xfce4-about-4.10.0-13.fc21.i686
xfce4-genmon-plugin-3.4.0-6.fc21.i686
xfce4-verve-plugin-1.0.0-13.fc21.i686
xfce4-timer-plugin-0.6.1-16.fc21.i686
xfce4-dict-0.7.0-4.fc21.i686
libxfce4util-4.10.1-4.fc21.i686
xfce4-cpugraph-plugin-1.0.5-6.fc21.i686
libxfce4ui-4.10.0-13.fc21.i686
xfce4-smartbookmark-plugin-0.4.4-9.fc21.i686
gtk-xfce-engine-3.0.1-5.fc21.i686
xfce4-session-4.10.1-7.fc21.i686
xfce4-mount-plugin-0.6.7-3.fc21.i686
xfce4-weather-plugin-0.8.4-1.fc21.i686
xfce4-appfinder-4.10.1-4.fc21.i686
libxfcegui4-4.10.0-7.fc21.i686

Comment 36 Veteran 2015-09-05 17:05:13 UTC
Description of problem:
I logged in on the console.

Version-Release number of selected component:
selinux-policy-3.13.1-105.20.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         4.1.5-100.fc21.i686+PAE
type:           libreport

Comment 37 webreg.fedoraforum.org 2015-09-09 14:58:48 UTC
Description of problem:
New LXD Fedora install. Each reboot (maybe each user login?) gets an SELinux alert "SELinux is preventing console-kit-dae from create access on the file machine-id.zqr75Rnb." where the code (machine ID?) is different each time. Doing the suggested to allow access will never work as the ID changes.

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

Comment 38 Richard Jasmin 2015-11-21 08:13:00 UTC
Description of problem:
first login on fresh install

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

Comment 39 Richard Jasmin 2015-11-23 02:19:25 UTC
Description of problem:
login to mate

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-200.fc22.x86_64
type:           libreport

Comment 40 Lukas Vrabec 2015-11-25 09:36:43 UTC
*** Bug 1285136 has been marked as a duplicate of this bug. ***

Comment 41 Richard Jasmin 2015-11-25 09:38:29 UTC
Description of problem:
login      

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-200.fc22.x86_64
type:           libreport

Comment 42 Айфф 2015-12-21 14:09:21 UTC
Description of problem:
Updated Fedora from 22 to 23 and it started to appear every time the computer starts.

Version-Release number of selected component:
selinux-policy-3.13.1-157.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.7-300.fc23.x86_64
type:           libreport

Comment 43 Michael Hampton 2015-12-26 05:58:51 UTC
I was directed here from bug 1285136, which is marked as a duplicate (though the messages do seem subtly different to me).

I run KDE on F23, and I receive this message _hourly_. It's become quite an annoyance. It did not happen on F22; it began immediately after upgrading to F23.

SELinux is preventing console-kit-dae from write access on the directory /var/lib/dbus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that console-kit-dae should be allowed write access on the dbus directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep console-kit-dae /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:consolekit_t:s0
Target Context                system_u:object_r:system_dbusd_var_lib_t:s0
Target Objects                /var/lib/dbus [ dir ]
Source                        console-kit-dae
Source Path                   console-kit-dae
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           dbus-1.10.6-1.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-158.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.7-300.fc23.x86_64 #1
                              SMP Wed Dec 9 22:28:30 UTC 2015 x86_64 x86_64
Alert Count                   22
First Seen                    2015-12-25 16:41:35 EST
Last Seen                     2015-12-26 00:45:41 EST
Local ID                      ae93517a-5f85-4b03-8ebf-12c8a146f549

Raw Audit Messages
type=AVC msg=audit(1451108741.674:22351): avc:  denied  { write } for  pid=6232 comm="console-kit-dae" name="dbus" dev="dm-1" ino=67830463 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=dir permissive=0


Hash: console-kit-dae,consolekit_t,system_dbusd_var_lib_t,dir,write

Comment 44 morgan read 2016-01-03 09:21:53 UTC
Description of problem:
Alerted by selinux following login

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-200.fc22.x86_64
type:           libreport

Comment 45 morgan read 2016-01-03 14:19:06 UTC
Description of problem:
Just enabled smtp service in firewalld gui

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-200.fc22.x86_64
type:           libreport

Comment 46 Al Dunsmuir 2016-01-04 17:33:02 UTC
Description of problem:
Log on to F23 Mate

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.i686+PAE
type:           libreport

Comment 47 morgan read 2016-01-04 20:04:12 UTC
Description of problem:
Something happened while I was logged in as another user...

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-200.fc22.x86_64
type:           libreport

Comment 48 morgan read 2016-01-07 09:24:39 UTC
Description of problem:
opened thunderbird

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-200.fc22.x86_64
type:           libreport

Comment 49 Leszek Matok 2016-01-18 18:47:04 UTC
Description of problem:
Just booted up as usual (auto-logged in to MATE) and this pops up, as usual.

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.3-300.fc23.x86_64
type:           libreport

Comment 50 Leszek Matok 2016-02-02 18:26:01 UTC
Description of problem:
Does this STILL have to pop up EVERY reboot? Seriously, how many people are already observing this 100% reproducible alert and waiting for Fedora to do something?

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport

Comment 51 Leszek Matok 2016-02-02 18:29:43 UTC
setroubleshoot is so good, too...

Bug 1285136 is a duplicate, using parent bug 1126142
Undefined variable outside of [[ ]] bracket

So maybe our problem is not fixed because this bug is not what we're all hitting, just marked a duplicate?

Or maybe it's not reporting the needed data because it's a crap app spitting "undefined variable" errors at users?

We may never know.

Comment 52 Michael 2016-02-03 12:02:41 UTC
>>>
>>> Does this STILL have to pop up EVERY reboot? Seriously, how many people are already observing this 100% reproducible alert and waiting for Fedora to do something?
>>>

To work around the problem try the following:

$ ls /var/lib/dbus/  # ensure that machine-id file does not exist
$ sudo setenforce 0
### logout from your desktop session and log in again
$ ls /var/lib/dbus/  # ensure that machine-id file has been created
$ sudo setenforce 1
### logout from your desktop session and log in again

From now on it is likely the alerts will be stopped.

Comment 53 morgan read 2016-02-15 13:00:11 UTC
Description of problem:
changing login accounts this alert flagged on new gnome login

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.4-200.fc22.x86_64
type:           libreport

Comment 54 morgan read 2016-02-22 14:21:15 UTC
Description of problem:
logging back into account from switching accounts

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.4-200.fc22.x86_64
type:           libreport

Comment 55 Lukas Vrabec 2016-02-25 14:13:56 UTC
Is something broken on your system, or do you just see this AVC?

Comment 56 morgan read 2016-03-02 18:48:18 UTC
Description of problem:
switched user

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.6-201.fc22.x86_64
type:           libreport

Comment 57 morgan read 2016-03-07 22:44:42 UTC
Description of problem:
switching users

Version-Release number of selected component:
selinux-policy-3.13.1-128.21.fc22.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.6-201.fc22.x86_64
type:           libreport

Comment 58 morgan read 2016-03-28 11:44:33 UTC
Re (In reply to Lukas Vrabec from comment #55)
> Is something broken on your system, or do you just see this AVC?

I really have no idea - I was rather hoping the bug report would produce an answer to that question.  It's a fresh f22 as of the new year.

Comment 59 morgan read 2016-03-28 11:55:11 UTC
(In reply to Lukas Vrabec from comment #55)
> Is something broken on your system, or do you just see this AVC?

Also, aren't these the same thing - repeated AVC denials when doing something normal and everyday on the system, is a broken system :)

Comment 60 Leszek Matok 2016-04-30 17:03:26 UTC
Description of problem:
Simply booted up the system. (I have auto-login to MATE Desktop)

Version-Release number of selected component:
selinux-policy-3.13.1-158.14.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.7-300.fc23.x86_64
type:           libreport

Comment 61 Fedora End Of Life 2016-11-24 11:12:10 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 23 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 62 Fedora End Of Life 2016-12-20 12:50:09 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

