Description of problem:
I logged in and while the DT was coming up, I got the alert
SELinux is preventing /usr/libexec/colord from 'read' accesses on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow colord to have read access on the file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following:
Then execute:
restorecon -v '$FIX_TARGET_PATH'

*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that colord should be allowed read access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdbus /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                 [ file ]
Source                        gdbus
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-1.1.8-1.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-197.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-17 10:51:43 MDT
Last Seen                     2015-06-17 10:51:43 MDT
Local ID                      bf68841e-8513-4c85-b199-7052b2bda818

Raw Audit Messages
type=AVC msg=audit(1434559903.884:281): avc: denied { read } for pid=1019 comm="gdbus" path="/sdb3/home/jd/.local/share/icc/edid-04b3cefbf8b086127c92f505655f4074.icc" dev="sdb3" ino=64487673 scontext=system_u:system_r:colord_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

type=SYSCALL msg=audit(1434559903.884:281): arch=x86_64 syscall=recvmsg success=yes exit=EBUSY a0=9 a1=7fd72a3aeb50 a2=40000000 a3=0 items=0 ppid=1 pid=1019 auid=4294967295 uid=998 gid=998 euid=998 suid=998 fsuid=998 egid=998 sgid=998 fsgid=998 ses=4294967295 tty=(none) comm=gdbus exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: gdbus,colord_t,default_t,file,read

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.11.10-301.fc20.x86_64
type:           libreport
I would like to add that the alerts are not very helpful in the sense that when the user is advised to run restorecon, s/he is not given a list of pathnames to apply restorecon for. At least the alert should provide a command or list of commands to run to extract these pathnames and ask the user to apply restorecon on each one of them (if the user so wishes). Regards, JD
You moved the directory of /home to a new location. You need to do something like
# semanage fcontext -a -e /home /sdb3/home
# restorecon -R -v /sdb3/home
Which should fix your issue.
Thank you kindly! I just ran the commands and I hope the issues will disappear for the next reboot. Cheers, JD
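
Added example, not part of the bug report and not setroubleshoot's own code: a Python sketch of what the reporter asked for, pulling the denied pathnames out of raw audit records and emitting the equivalence commands from the reply. The function names, the heuristic that finds the relocated root by its "home" path component, and every sample record except the first (which follows the AVC line in the report) are assumptions constructed for illustration.

```python
import re
import shlex

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def ctx_type(context):
    """The type is the third field of user:role:type:level."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc(line):
    """Return path and types for an AVC denial record, None for other lines."""
    if "avc:" not in line or "denied" not in line:
        return None
    f = dict(FIELD.findall(line))
    path = f.get("path", "")
    if path.startswith('"'):
        path = path.strip('"')
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", path):
        # auditd hex-encodes names that contain spaces or control characters
        path = bytes.fromhex(path).decode("utf-8", "replace")
    return {"path": path, "source": ctx_type(f.get("scontext", "")),
            "target": ctx_type(f.get("tcontext", ""))}

def unlabeled_paths(lines):
    """Denied paths whose target is default_t, i.e. no file-context rule matched."""
    hits = (parse_avc(l) for l in lines)
    return sorted({h["path"] for h in hits
                   if h and h["path"] and h["target"] == "default_t"})

def relabel_commands(paths, canonical="/home"):
    """Equivalence rule plus restorecon for each relocated copy of `canonical`."""
    name, roots = canonical.strip("/"), set()
    for p in paths:
        parts = p.split("/")
        if name in parts[1:]:  # hypothetical heuristic: first "home" component
            root = "/".join(parts[:parts.index(name, 1) + 1])
            if root != canonical:
                roots.add(root)
    return [c for r in sorted(roots) for c in
            (f"semanage fcontext -a -e {canonical} {shlex.quote(r)}",
             f"restorecon -R -v {shlex.quote(r)}")]

def _avc(path_field, ttype):  # builds a record laid out like the report's AVC line
    return ('type=AVC msg=audit(1434559903.884:281): avc: denied { read } for pid=1019 '
            f'comm="gdbus" path={path_field} dev="sdb3" ino=64487673 '
            f'scontext=system_u:system_r:colord_t:s0 '
            f'tcontext=unconfined_u:object_r:{ttype}:s0 tclass=file')

SAMPLE = [  # first record mirrors the report; the rest are constructed
    _avc('"/sdb3/home/jd/.local/share/icc/edid-04b3cefbf8b086127c92f505655f4074.icc"', "default_t"),
    _avc("/sdb3/home/jd/my profile.icc".encode().hex().upper(), "default_t"),
    _avc('"/home/jd/ok.icc"', "icc_data_home_t"),
    'type=SYSCALL msg=audit(1434559903.884:281): syscall=recvmsg comm=gdbus',
]
```

Calling relabel_commands(unlabeled_paths(SAMPLE)) yields the two commands given in the reply; on a live system the input lines would come from /var/log/audit/audit.log.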