Bug 229998 - AVC produced during consolekit startup (running targeted/enforcing)
Summary: AVC produced during consolekit startup (running targeted/enforcing)
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-25 17:29 UTC by Tom London
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-04 17:51:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Tom London 2007-02-25 17:29:04 UTC
Description of problem:
Running with SELinux in targeted/enforcing mode, get this in

type=USER_AVC msg=audit(1172350749.077:20): user pid=2688 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager
member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3419
tpid=2921 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon"
(sauid=81, hostname=?, addr=?, terminal=?)'

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 David Zeuthen 2007-02-25 18:04:22 UTC
-> selinux-policy-targeted

Comment 2 David Zeuthen 2007-02-25 18:07:48 UTC
Am not sure why SELinux is denying someone to talk to the ConsoleKit daemon? For
the record, gdm, and in the future /bin/login, xinit, kdm, xdm, wdm and so forth
needs to be able to speak to ConsoleKit over D-Bus. Also, apps in a desktop
session will need to be able to speak to it.

Tell me, is the default policy to lock down access to all D-Bus services and
only open it up bit for bit? Because that's not very nice; what happens if a
third party package provides a system-wide D-Bus service? Thanks.

Comment 3 Tom London 2007-03-02 02:04:19 UTC
Seems fixed in selinux-policy-2.5.6-1.fc7

Comment 4 Tom London 2007-03-04 17:51:45 UTC
This one now:

type=AVC msg=audit(1173029651.416:13): avc:  denied  { write } for  pid=2891
comm="console-kit-dae" name="run" dev=dm-0 ino=65576
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1173029651.416:13): arch=40000003 syscall=5 success=no
exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bf9aa720 items=0 ppid=2890 pid=2891
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0 key=(null)

Comment 5 Daniel Walsh 2007-03-06 17:57:43 UTC
This is not a problem in selinux-policy-2.5.8-1

If you audit2why this avc, what does it say?

Comment 6 Tom London 2007-03-06 21:15:57 UTC
Sorry, I didn't notice that this one was reassigned to selinux-policy.

To avoid confusion, I'll open a new issue.

audit2why/audit2allow implicate consolekit.

Note You need to log in before you can comment on or make changes to this bug.