Bug 437908 - se linux keeps flagging this package
se linux keeps flagging this package
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: PackageKit (Show other bugs)
rawhide
i686 Linux
low Severity low
: ---
: ---
Assigned To: Robin Norwood
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-17 23:03 EDT by scott stilwell
Modified: 2008-03-19 17:56 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-19 17:56:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description scott stilwell 2008-03-17 23:03:16 EDT
sorry if any of the below info is not needed. I am a Linux newbie.

for convenience, I have placed stars ****** between groups of copied text of
multiple messages pertaining to the selinux errors, as they all apply to the
Package Kit. I thought this would be easier for you rather than filing a ton of
separate bug reports. 


SELinux denied access requested by /usr/sbin/packagekitd. It is not expected
that this access is required by /usr/sbin/packagekitd and this access may signal
an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing AccessSometimes labeling problems can cause SELinux denials. You could
try to restore the default system file context for
/var/lib/PackageKit/transactions.db, restorecon -v
/var/lib/PackageKit/transactions.db If this does not work, there is currently no
automatic way to allow this access. Instead, you can generate a local policy
module to allow this access - see FAQ Or you can disable SELinux protection
altogether. Disabling SELinux protection is not recommended. Please file a bug
report against this package.

Additional InformationSource Context:  system_u:system_r:system_dbusd_t:s0Target
Context:  system_u:object_r:var_lib_t:s0Target
Objects:  /var/lib/PackageKit/transactions.db [ file ]

Affected RPM Packages:  PackageKit-0.1.9-1.fc9
[application]PackageKit-0.1.9-1.fc9 [target]Policy
RPM:  selinux-policy-3.0.8-44.fc8Selinux Enabled:  

TruePolicy Type:  targetedMLS Enabled:  

TrueEnforcing Mode:  PermissivePlugin 

Name:  plugins.catchall_fileHost Name:  localhost.localdomainPlatform:  Linux
localhost.localdomain 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686
athlonAlert 

Count:  2
First Seen:  Sun 16 Mar 2008 01:51:12 PM EDT
Last Seen:  Mon 17 Mar 2008 07:15:39 AM EDT

Local ID:  91e3152f-8edd-402e-9c49-68353f68202d

Line Numbers:  Raw Audit Messages :avc: denied { getattr } for comm=packagekitd
dev=sda2 egid=0 euid=0 exe=/usr/sbin/packagekitd exit=0 fsgid=0 fsuid=0 gid=0
items=0 path=/var/lib/PackageKit/transactions.db pid=15836
scontext=system_u:system_r:system_dbusd_t:s0 sgid=0
subj=system_u:system_r:system_dbusd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0 
****************************
Source Context:  system_u:system_r:system_dbusd_t:s0Target
Context:  system_u:object_r:inotifyfs_t:s0Target Objects:  None [ dir ]Affected
RPM Packages:  PackageKit-0.1.9-1.fc9 [application]Policy
RPM:  selinux-policy-3.0.8-44.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  plugins.catchall_fileHost
Name:  localhost.localdomainPlatform:  Linux localhost.localdomain
2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 athlonAlert
Count:  3First Seen:  Sun 16 Mar 2008 01:51:12 PM EDTLast Seen:  Mon 17 Mar 2008
07:32:47 AM EDTLocal ID:  abe2b53a-be68-4a3d-b6ed-0fbfa32205b2Line Numbers:  Raw
Audit Messages :avc: denied { getattr } for comm=packagekitd dev=inotifyfs
egid=0 euid=0 exe=/usr/sbin/packagekitd exit=0 fsgid=0 fsuid=0 gid=0 items=0
path=inotify pid=16058 scontext=system_u:system_r:system_dbusd_t:s0 sgid=0
subj=system_u:system_r:system_dbusd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=0 
**********************
Raw Audit Messages :avc: denied { getsched } for comm=packagekitd egid=0 euid=0
exe=/usr/sbin/packagekitd exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=15962
scontext=system_u:system_r:system_dbusd_t:s0 sgid=0
subj=system_u:system_r:system_dbusd_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:system_dbusd_t:s0 tty=(none) uid=0 
******************
Comment 1 Robin Norwood 2008-03-19 17:37:01 EDT
It looks like these rules just need to be added to the pk selinux rules.  Dan,
is this enough information for you to add the rules?
Comment 2 Daniel Walsh 2008-03-19 17:56:13 EDT
You have a fedora 8 policy installed in Rawhide.  You need to upgrade your policy

yum upgrade selinux-policy-targeted


Note You need to log in before you can comment on or make changes to this bug.