Bug 428343 - Nautilus denied access by SELinux when navigating to /proc
Summary: Nautilus denied access by SELinux when navigating to /proc
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: athlon
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-10 23:12 UTC by Bruce Drake
Modified: 2008-03-05 22:17 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-05 22:17:28 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Bruce Drake 2008-01-10 23:12:12 UTC 
Description of problem:

Summary
    SELinux is preventing /usr/bin/nautilus (unconfined_t) "write" to <Unknown>
    (sysctl_irq_t).

Detailed Description
    SELinux denied access requested by /usr/bin/nautilus. It is not expected
    that this access is required by /usr/bin/nautilus and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysctl_irq_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         nautilus-2.20.0-6.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-72.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.9-85.fc8 #1 SMP
                              Fri Dec 7 15:49:59 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Thu 10 Jan 2008 05:35:33 PM EST
Last Seen                     Thu 10 Jan 2008 05:35:33 PM EST
Local ID                      9ba1631f-7f47-48d9-b472-70f27bc8b44a
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=nautilus dev=proc egid=0 euid=0
exe=/usr/bin/nautilus exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=irq pid=3078
scontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:sysctl_irq_t:s0 tty=(none) uid=0



Version-Release number of selected component (if applicable):
See above

How reproducible:
Each time attempted in a fresh session

Steps to Reproduce:
1. Open File Browser
2. Navigate to /
3. Click on /proc (or the arrow to the left of)
  
Actual results:
The above bug report info in the SELinux Troubleshooter is pasted above it its
entirety.

Expected results:
Want to see contents of /proc!

Additional info:
Won't replicate by clicking on proc again in the same session, must at least
restart the session.
Comment 1 Daniel Walsh 2008-01-11 20:18:13 UTC 
Fixed in selinux-policy-3.0.8-75.fc8
Comment 2 Daniel Walsh 2008-03-05 22:17:28 UTC 
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.
Note You need to log in before you can comment on or make changes to this bug.