Bug 1175258 - SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file /var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0.
Summary: SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:63876a8448f7ec03be554a2a6e0...
Depends On:
Blocks:
Reported: 2014-12-17 11:32 UTC by Elia Devito
Modified: 2015-01-30 23:54 UTC

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:54:48 UTC
Type: ---
Embargoed:



Description Elia Devito 2014-12-17 11:32:08 UTC
Description of problem:
SELinux is preventing /usr/bin/dbus-launch from 'write' accesses on the file /var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dbus-launch to have write access on the c5b7de15f3c24e0a9eb37f4427130ae7-0 file
Then e' necessario modificare l'etichetta su /var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0
Do
# semanage fcontext -a -t TIPO_FILE '/var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0'
dove TIPO_FILE è uno dei seguenti: abrt_var_cache_t, afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, user_cron_spool_t, user_fonts_t, user_tmp_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. 
Quindi eseguire: 
restorecon -v '/var/lib/sddm/.dbus/session-bus/c5b7de15f3c24e0a9eb37f4427130ae7-0'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If si crede che dbus-launch dovrebbe avere possibilità di accesso write sui c5b7de15f3c24e0a9eb37f4427130ae7-0 file in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep dbus-launch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/sddm/.dbus/session-
                              bus/c5b7de15f3c24e0a9eb37f4427130ae7-0 [ file ]
Source                        dbus-launch
Source Path                   /usr/bin/dbus-launch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-x11-1.8.6-3.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon
                              Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-12-13 17:43:31 CET
Last Seen                     2014-12-17 11:55:37 CET
Local ID                      06fd5d02-6f35-4c6d-b810-897592dd1f00

Raw Audit Messages
type=AVC msg=audit(1418813737.609:333): avc:  denied  { write } for  pid=1222 comm="dbus-launch" name="c5b7de15f3c24e0a9eb37f4427130ae7-0" dev="sda5" ino=2643353 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1418813737.609:333): arch=x86_64 syscall=open success=no exit=EACCES a0=7fd33b9437b0 a1=241 a2=1b6 a3=241 items=0 ppid=1219 pid=1222 auid=4294967295 uid=980 gid=971 euid=980 suid=980 fsuid=980 egid=971 sgid=971 fsgid=971 tty=(none) ses=4294967295 comm=dbus-launch exe=/usr/bin/dbus-launch subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-launch,xdm_t,var_lib_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 1 Daniel Walsh 2015-01-02 16:20:20 UTC
4a3ac5c69db733a56710e85e14d686ade7f62560 fixes this in git.

Comment 2 Karel Volný 2015-01-24 08:26:06 UTC
Description of problem:
Don't know how this happened, but I believe that dbus should not try to touch this file so it looks to me like a bug in the application ...

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 3 Karel Volný 2015-01-24 08:53:02 UTC
ahem, I really don't understand why I got a duplicate - in my case, dbus-launch tried to write

/var/lib/sddm/state.conf

which I believe is an error in dbus-launch and not a thing to be fixed by selinux-policy ...



SELinux is preventing /usr/bin/dbus-launch from write access on the file /var/lib/sddm/state.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dbus-launch to have write access on the state.conf file
Then you need to change the label on /var/lib/sddm/state.conf
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/sddm/state.conf'
where FILE_TYPE is one of the following: abrt_var_cache_t, afs_cache_t, anon_inodefs_t, auth_cache_t, auth_home_t, cache_home_t, cgroup_t, config_home_t, data_home_t, dbus_home_t, etc_runtime_t, faillog_t, fonts_cache_t, gconf_home_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, gnome_home_t, gstreamer_home_t, icc_data_home_t, initrc_tmp_t, initrc_var_run_t, krb5_host_rcache_t, lastlog_t, locale_t, mnt_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, pam_var_console_t, pam_var_run_t, puppet_tmp_t, security_t, sysfs_t, systemd_passwd_var_run_t, tmp_t, user_cron_spool_t, user_fonts_t, user_tmp_t, var_auth_t, wtmp_t, xauth_home_t, xdm_home_t, xdm_lock_t, xdm_log_t, xdm_rw_etc_t, xdm_spool_t, xdm_tmpfs_t, xdm_var_lib_t, xdm_var_run_t, xkb_var_lib_t, xserver_log_t, xserver_tmpfs_t. 
Then execute: 
restorecon -v '/var/lib/sddm/state.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that dbus-launch should be allowed write access on the state.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-launch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/sddm/state.conf [ file ]
Source                        dbus-launch
Source Path                   /usr/bin/dbus-launch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           sddm-0.10.0-2.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux kvolny.brq.redhat.com 3.17.8-300.fc21.x86_64
                              #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2014-12-24 14:17:08 CET
Last Seen                     2015-01-15 00:30:01 CET
Local ID                      8a998df0-6f1f-4d76-82b5-8133eb208914

Raw Audit Messages
type=AVC msg=audit(1421278201.806:59): avc:  denied  { write } for  pid=1014 comm="sddm" name="state.conf" dev="dm-0" ino=5373953 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1421278201.806:59): arch=x86_64 syscall=open success=no exit=EACCES a0=7f838afc9f48 a1=80241 a2=1b6 a3=0 items=0 ppid=1 pid=1014 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sddm exe=/usr/bin/sddm subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-launch,xdm_t,var_lib_t,file,write

Comment 4 Fedora Update System 2015-01-27 16:49:24 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 5 Fedora Update System 2015-01-30 04:32:21 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-01-30 23:54:48 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

