Bug 292401 - SELinux is preventing /usr/bin/nautilus (unconfined_t) "write" to /dev/fd (unconfined_t)
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: i386 Linux
Priority: medium  Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-16 06:31 EDT by Shyam
Modified: 2008-01-30 14:20 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:20:31 EST

Attachments: None
Description Shyam 2007-09-16 06:31:56 EDT
Description of problem:

SELinux denied access requested by /usr/bin/nautilus. It is not expected that
this access is required by /usr/bin/nautilus and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Affected RPM Packages:  nautilus-2.18.3-1.fc7 [application]

Additional Information

Source Context:  root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context:  root:system_r:unconfined_t:SystemLow-SystemHigh
Target Objects:  /dev/fd [ dir ]
Affected RPM Packages:  nautilus-2.18.3-1.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-40.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain #1 SMP Thu Aug 30 13:47:21 EDT 2007 i686 i686
Alert Count:  2
First Seen:  Sat 15 Sep 2007 10:53:22 AM IST
Last Seen:  Sat 15 Sep 2007 10:53:39 AM IST
Local ID:  cbf6b304-ddda-424e-9a38-733e9abe6aca
Line Numbers:  

Raw Audit Messages :

avc: denied { write } for comm="nautilus" cwd="/root" dev=00:03 egid=0 euid=0
exe="/usr/bin/nautilus" exit=-13 fsgid=0 fsuid=0 gid=0 inode=15450 item=0
items=1 mode=040500 name="fd" obj=root:system_r:unconfined_t:s0-s0:c0.c1023
ogid=0 ouid=0 path="/dev/fd" pid=3267 rdev=00:00
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 1 Stephen Smalley 2007-09-18 12:38:21 EDT
Might be useful if they can turn on system call auditing or use strace
to get the actual syscall info.  The former now requires adding at least
one audit rule via auditctl due to the "optimization" work to avoid
audit overhead - it can be anything at all,
auditctl -a exit,always -S chroot

Not sure what nautilus is trying to do; if the user was browsing /dev
with it, it might have just been probing it with e.g. access(2) to see
what permissions it should display for the user.
Comment 2 Daniel Walsh 2007-09-25 08:46:08 EDT
I have dontaudit this access in rawhide, will backport in next F7 Release.
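An added example, not part of the bug report or of the selinux-policy package: a small Python parser for the raw AVC record quoted in the description, with helpers (my own names: parse_avc, context_type, same_type, policy_rule) that flag the same-type source/target pair this report shows and render the dontaudit rule shape mentioned in comment 2, in the form audit2allow prints.

```python
import re

# The raw AVC record from the report above, joined onto one line (copied from the page).
AVC_RECORD = (
    'avc: denied { write } for comm="nautilus" cwd="/root" dev=00:03 egid=0 euid=0 '
    'exe="/usr/bin/nautilus" exit=-13 fsgid=0 fsuid=0 gid=0 inode=15450 item=0 '
    'items=1 mode=040500 name="fd" obj=root:system_r:unconfined_t:s0-s0:c0.c1023 '
    'ogid=0 ouid=0 path="/dev/fd" pid=3267 rdev=00:00 '
    'scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 '
    'subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=dir '
    'tcontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tty=(none) uid=0'
)

# "avc: denied { perm perm ... }" header, then the key=value fields (quoted or bare).
_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the record as a dict: decision, perms list, plus every key=value field."""
    m = _DECISION_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {key: value.strip('"') for key, value in _FIELD_RE.findall(record)}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def context_type(context):
    """Pull the type (third field) out of user:role:type[:range]."""
    return context.split(":")[2]


def same_type(avc):
    """True when the object carries the process's own type, as /dev/fd does here:
    it resolves to /proc/self/fd, whose label is inherited from the calling task,
    so this is a self-access denial rather than one across a domain boundary."""
    return context_type(avc["scontext"]) == context_type(avc["tcontext"])


def policy_rule(avc, kind="dontaudit"):
    """Render the TE rule (allow or dontaudit) that covers this record."""
    return "%s %s %s:%s { %s };" % (
        kind, context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


if __name__ == "__main__":
    avc = parse_avc(AVC_RECORD)
    print(avc["comm"], avc["decision"], avc["perms"], avc["tclass"], avc["path"])
    print(policy_rule(avc))  # prints "dontaudit unconfined_t unconfined_t:dir { write };"
```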
Comment 3 Daniel Walsh 2008-01-30 14:20:31 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
