Bug 229998 - AVC produced during consolekit startup (running targeted/enforcing)
AVC produced during consolekit startup (running targeted/enforcing)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-02-25 12:29 EST by Tom London
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-04 12:51:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tom London 2007-02-25 12:29:04 EST
Description of problem:
Running with SELinux in targeted/enforcing mode, get this in
/var/log/audit/audit.log:

type=USER_AVC msg=audit(1172350749.077:20): user pid=2688 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager
member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3419
tpid=2921 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon"
(sauid=81, hostname=?, addr=?, terminal=?)'

Version-Release number of selected component (if applicable):
ConsoleKit-0.1.0-5.fc7

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 David Zeuthen 2007-02-25 13:04:22 EST
-> selinux-policy-targeted
Comment 2 David Zeuthen 2007-02-25 13:07:48 EST
Am not sure why SELinux is denying someone to talk to the ConsoleKit daemon? For
the record, gdm, and in the future /bin/login, xinit, kdm, xdm, wdm and so forth
needs to be able to speak to ConsoleKit over D-Bus. Also, apps in a desktop
session will need to be able to speak to it.

Tell me, is the default policy to lock down access to all D-Bus services and
only open it up bit for bit? Because that's not very nice; what happens if a
third party package provides a system-wide D-Bus service? Thanks.
Comment 3 Tom London 2007-03-01 21:04:19 EST
Seems fixed in selinux-policy-2.5.6-1.fc7
Comment 4 Tom London 2007-03-04 12:51:45 EST
This one now:

type=AVC msg=audit(1173029651.416:13): avc:  denied  { write } for  pid=2891
comm="console-kit-dae" name="run" dev=dm-0 ino=65576
scontext=system_u:system_r:consolekit_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1173029651.416:13): arch=40000003 syscall=5 success=no
exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bf9aa720 items=0 ppid=2890 pid=2891
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0 key=(null)
Comment 5 Daniel Walsh 2007-03-06 12:57:43 EST
This is not a problem in selinux-policy-2.5.8-1

If you audit2why this avc, what does it say?
Comment 6 Tom London 2007-03-06 16:15:57 EST
Sorry, I didn't notice that this one was reassigned to selinux-policy.

To avoid confusion, I'll open a new issue.

audit2why/audit2allow implicate consolekit.

Note You need to log in before you can comment on or make changes to this bug.