Bug 426248 - tomboy fails to start in enforcing mode
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-19 10:51 EST by Tom London
Modified: 2008-01-05 14:42 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-05 14:42:49 EST
Attachments:
AVCs starting tomboy, permissive mode, 'semanage -DB' (3.41 KB, text/plain)
2007-12-19 10:51 EST, Tom London
Description Tom London 2007-12-19 10:51:34 EST
Description of problem:
Running selinux-policy-3.2.4-5.fc9 targeted/enforcing [I added a few local rules
to get it to start X, etc.]

tomboy fails to start:

[tbl@localhost ~]$ tomboy
GC Warning: Couldn't read /proc/stat
GC Warning: GC_get_nprocs() returned -1

(Tomboy:3256): libgnomevfs-WARNING **: Error: ~/.gnome2 must be a directory.
Could not create gnome accelerators directory `/home/tbl/.gnome2/accels':
Permission denied
[tbl@localhost ~]$

No AVCs.  Starts in permissive mode.

Running 'semanage -DB' and setting permissive mode, I get these (AVC attached
below):

#============= unconfined_mono_t ==============
allow unconfined_mono_t proc_t:file { read getattr };
allow unconfined_mono_t security_t:file read;
allow unconfined_mono_t user_gnome_home_t:dir { getattr search };

#============= xdm_xserver_t ==============
allow xdm_xserver_t unconfined_mono_t:process ptrace;

I'm guessing 'unconfined_mono_t' should be allowed access to '~/gnome2/accels',
et al.

Version-Release number of selected component (if applicable):
tomboy-0.9.1-1.fc9


How reproducible:
Every time

Comment 1 Tom London 2007-12-19 10:51:34 EST
Created attachment 290036
AVCs starting tomboy, permissive mode, 'semanage -DB'
Comment 2 Tom London 2007-12-20 10:20:31 EST
With today's policy: selinux-policy-3.2.5-2.fc9, running targeted/enforcing,
tomboy/mono starts, but I got this in /var/log/messages:

Dec 20 07:01:05 localhost dbus: avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=3065 scontext=unconfined_u:unconfined_r:mono_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus

This appears to replace this message:

Dec 20 06:31:14 localhost kernel: security:  invalidating context
unconfined_u:unconfined_r:unconfined_mono_t:s0


Comment 3 Daniel Walsh 2007-12-21 02:51:35 EST
Ok I am letting all unconfined_domains talk to all dbusds.

Fixed in selinux-policy-3.2.5-4.fc9
Comment 4 Tom London 2007-12-21 10:18:46 EST
tomboy continues to start with selinux-policy-3.2.5-4.fc9

But continue to get

Dec 21 07:03:05 localhost dbus: avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.DBus member=Hello
dest=org.freedesktop.DBus spid=3092 scontext=unconfined_u:unconfined_r:mono_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus


That right?

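Added example (not code from this bug or from the selinux-policy project): a small Python parser that reads both AVC forms quoted in this thread, the kernel `type=AVC` records and the dbus userspace `avc: denied` lines from comments 2 and 4, merges denials by source type, target type and object class, and renders them in the grouped allow-rule syntax that audit2allow printed in the description, so the rule a denial would translate to can be reviewed before any local policy is changed. The sample log lines are constructed; pid, inode and audit serial values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not the bug's attachment): the dbus AVC quoted in comments 2
# and 4 plus two kernel AVCs that would yield the proc_t rule; pid/ino are placeholders.
SAMPLE_LOG = """\
Dec 20 07:01:05 localhost dbus: avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=3065 scontext=unconfined_u:unconfined_r:mono_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0 tclass=dbus
type=AVC msg=audit(1198076465.123:42): avc:  denied  { read } for  pid=3256 comm="tomboy" name="stat" dev=proc ino=4026531975 scontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1198076465.124:43): avc:  denied  { getattr } for  pid=3256 comm="tomboy" path="/proc/stat" dev=proc ino=4026531975 scontext=unconfined_u:unconfined_r:unconfined_mono_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
Dec 20 07:01:06 localhost kernel: unrelated line, must be ignored
"""

# Both the kernel "type=AVC" form and the dbus userspace form carry the denied
# permissions in braces followed by scontext/tcontext/tclass fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type:level context string.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), m.group("perms").split()

def collect_rules(log_text):
    """Merge every denial into a permission set keyed by (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return rules

def render_rules(rules):
    """Render the merged denials in audit2allow's grouped 'allow' syntax, perms sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        header = f"#============= {stype} =============="
        if header not in out:
            out.append(header)
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)
```

Running `render_rules(collect_rules(SAMPLE_LOG))` prints the dbus send_msg rule for mono_t and the merged `{ getattr read }` rule for unconfined_mono_t on proc_t, matching the shape of the output in the description.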