Bug 441157 - Can't set time (gnome-clock-app): SELinux errors
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-04-06 17:48 EDT by D. Wagner
Modified: 2008-04-07 22:55 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-07 22:55:57 EDT
Description D. Wagner 2008-04-06 17:48:12 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.13) Gecko/20080325 Fedora/2.0.0.13-1.fc8 Firefox/2.0.0.13

Description of problem:
I have a recent Fedora 9 Beta install (freshly updated with yum).  I can't set the time: I get SELinux errors.  See Additional Information for more details.

Also, the Gnome tool for reporting SELinux errors gives bogus instructions.  For instance, it suggests running
  restorecon -v 'exe'
which can't be right.  For the other SELinux denial, it suggests running
  restorecon -v './polkit-resolve-exe-helper'
which is clearly bogus as well: perhaps it meant to recommend running the following instead?
  restorecon -v /usr/libexec/polkit-resolve-exe-helper

So I classify this as two bugs: (a) the SELinux denials; (b) the bogus suggestions from the Gnome SELinux tool for showing those denial messages.

Version-Release number of selected component (if applicable):
gnome-panel-2.22.0-11.fc9.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Right click on the date on the gnome panel on the upper-right hand corner of the screen.
2. Click on Adjust Date & Time.
3. Change the time.
4. Click OK.
5. Watch as you get a SELinux error.

Actual Results:
It changes the date but not the time.

Expected Results:
It should have changed both the date and time to the values I entered in.

Additional info:
Here are the versions of some RPMs that I have installed that may be relevant:
gnome-panel-2.22.0-11.fc9.x86_64
PolicyKit-0.8-0.git20080404.2.fc9.x86_64
selinux-policy-3.3.1-28.fc9.noarch
selinux-policy-targeted-3.3.1-28.fc9.noarch

I get two SELinux denials.  Here's the summary text for them from the Gnome SELinux tool, as well as the raw audit messages for each:


SELinux is preventing gnome-clock-app (gnomeclock_t) "read" to exe (unconfined_t). 
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for exe, restorecon -v 'exe'
Raw Audit Messages:
host=senfl type=AVC msg=audit(1207492678.419:182): avc: denied { read } for pid=27922 comm="gnome-clock-app" name="exe" dev=proc ino=148221 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file
host=senfl type=SYSCALL msg=audit(1207492678.419:182): arch=c000003e syscall=89 success=no exit=-13 a0=7fffed3a33e0 a1=7fffed3a34f0 a2=fff a3=7fffed3a3160 items=0 ppid=1 pid=27922 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)


SELinux is preventing gnome-clock-app (gnomeclock_t) "execute" to ./polkit-resolve-exe-helper (bin_t). 
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./polkit-resolve-exe-helper, restorecon -v './polkit-resolve-exe-helper' 
Raw Audit Messages:
host=senfl type=AVC msg=audit(1207492678.420:183): avc: denied { execute } for pid=27924 comm="gnome-clock-app" name="polkit-resolve-exe-helper" dev=dm-1 ino=16818197 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
host=senfl type=SYSCALL msg=audit(1207492678.420:183): arch=c000003e syscall=59 success=no exit=-13 a0=3836813150 a1=7fffed3a3440 a2=7fffed3a5188 a3=7fffed3a3000 items=0 ppid=27922 pid=27924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
Comment 1 Ray Strode [halfline] 2008-04-06 21:00:47 EDT
does running your suggested recommendation fix your problem?
Comment 2 D. Wagner 2008-04-06 22:13:12 EDT
(In reply to comment #1)
> does running your suggested recommendation fix your problem?

Nope, still the same problem.

In case it helps, here's the result of
ls -lZ /usr/libexec/polkit-resolve-exe-helper:

-rwsr-x---  root polkituser system_u:object_r:bin_t:s0 /usr/libexec/polkit-resolve-exe-helper
Comment 3 Ray Strode [halfline] 2008-04-06 22:29:27 EDT
seems to be a new binary, needs policy.
Comment 4 David Zeuthen 2008-04-07 00:23:00 EDT
Right, /usr/libexec/polkit-resolve-exe-helper is a new PolicyKit helper binary.
Comment 5 David Zeuthen 2008-04-07 00:45:00 EDT
In fact, due to the way libpolkit.so works, you just need to widen the policy to
allow that security context to allow the mechanism to resolve the exe links in
/proc. Then we don't need to invoke the helper binary to get that information.
Comment 6 Daniel Walsh 2008-04-07 22:55:57 EDT
Fixed in selinux-policy-3.3.1-29.fc9
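
Added example (not part of the original bug thread, and not code from Fedora or PolicyKit): a Python triage helper that pairs each AVC record from the description with its SYSCALL record by audit event serial and derives the type-enforcement rule the denial corresponds to, as a candidate for policy review. The function names and the two-entry syscall table are assumptions of this example; the sample lines are the two events from the description, trimmed to the fields used.

```python
import re
from collections import defaultdict

# The two audit events from the bug description, trimmed, one record per line (assumed layout).
SAMPLE = """\
type=AVC msg=audit(1207492678.419:182): avc: denied { read } for pid=27922 comm="gnome-clock-app" name="exe" dev=proc ino=148221 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=lnk_file
type=SYSCALL msg=audit(1207492678.419:182): arch=c000003e syscall=89 success=no exit=-13 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism"
type=AVC msg=audit(1207492678.420:183): avc: denied { execute } for pid=27924 comm="gnome-clock-app" name="polkit-resolve-exe-helper" dev=dm-1 ino=16818197 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1207492678.420:183): arch=c000003e syscall=59 success=no exit=-13 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism"
"""

X86_64_SYSCALLS = {59: "execve", 89: "readlink"}  # only the two numbers seen here
EVENT = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type, the third field of user:role:type[:level]."""
    return context.split(":")[2]

def triage(log):
    """Pair AVC and SYSCALL records by event serial; summarise each denial."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an audit record
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[int(serial)][rtype] = fields
    out = []
    for serial in sorted(events):
        avc = events[serial].get("AVC")
        if not avc or not avc["perms"]:
            continue  # SYSCALL without a denial, or a malformed AVC line
        sc = events[serial].get("SYSCALL", {})
        perms = avc["perms"]
        perm_s = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rule = (f"allow {setype(avc['scontext'])} {setype(avc['tcontext'])}"
                f":{avc['tclass']} {perm_s};")
        out.append({"event": serial, "object": avc.get("name"), "rule": rule,
                    "exe": sc.get("exe"),
                    "syscall": X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), "?")})
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Event 182 is the readlink on a /proc exe link that comment 5 refers to, and event 183 is the execve of the helper. The derived rules describe what was denied; the thread does not show what the selinux-policy-3.3.1-29.fc9 change actually contains.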
