Bug 441261 - Upstart causes multiple AVCs
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-04-07 09:33 EDT by Anne
Modified: 2008-04-17 08:19 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-17 08:19:56 EDT
Attachments
Complete audit log. (313.82 KB, text/plain)
2008-04-07 09:33 EDT, Anne
Description Anne 2008-04-07 09:33:41 EDT
Description of problem:
Many AVCs are logged at upstart.  This morning listed 38 of them.


Version-Release number of selected component (if applicable):
Rawhide updated to 6th April

How reproducible:

Every day so far

Steps to Reproduce:
1. Log in normally and watch the AVC icon come up.

Actual results:

Running in permissive mode, so none visible

Expected results:


Additional info:
Comment 1 Anne 2008-04-07 09:33:41 EDT
Created attachment 301517
Complete audit log.
Comment 2 Daniel Walsh 2008-04-08 09:22:46 EDT
I think most of these are fixed in selinux-policy-3.3.1-29.fc9

Please update and report if you are seeing any?

Comment 3 Anne 2008-04-08 13:59:12 EDT
Far fewer.  Those remaining are:
SELinux is preventing 05-netfs (NetworkManager_t) "getattr" to /var/lock/subsys/netfs (var_lock_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./Oxygen.colors (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./entry.desktop (locale_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (cache-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/cache-david.lydgate.lan).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (tmp-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/tmp-david.lydgate.lan).

Incidentally, the postfix one seems to have disappeared.  I'll report that to 
bug #441130
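
Added example, not part of the original bug report: a Python script that condenses a raw audit log such as the attached one into unique denials, grouped by source type, target type, object class and permission. The sample records are constructed to mirror the denials listed in Comment 3 (timestamps, pids and inode numbers are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel's AVC audit format. Types and
# permissions mirror Comment 3; timestamps, pids and inodes are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1207677000.101:31): avc:  denied  { getattr } for  pid=2101 comm="05-netfs" path="/var/lock/subsys/netfs" dev=dm-0 ino=1001 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1207677010.202:40): avc:  denied  { write } for  pid=2300 comm="kdm_greet" name="Oxygen.colors" dev=dm-0 ino=2001 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1207677010.303:41): avc:  denied  { write } for  pid=2300 comm="kdm_greet" name="kde.desktop" dev=dm-0 ino=2002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1207677010.404:42): avc:  denied  { write } for  pid=2300 comm="kdm_greet" name="entry.desktop" dev=dm-0 ino=2003 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1207677011.505:43): avc:  denied  { write } for  pid=2300 comm="kdm_greet" name="kde.desktop" dev=dm-0 ino=2002 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1207677011.505:43): arch=40000003 syscall=5 success=yes exit=3 comm="kdm_greet"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial (type = 3rd field of user:role:type[:level]), else None."""
    m = AVC_RE.search(line)
    if m is None or not line.startswith("type=AVC "):
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None  # truncated record
    return {
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "perms": m.group("perms").split(),
        "object": f.get("path") or f.get("name", "?"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            g = groups[(rec["source"], rec["target"], rec["tclass"], perm)]
            g["count"] += 1
            g["objects"].add(rec["object"])
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE_LOG).items()):
        print(g["count"], *key, sorted(g["objects"]))
```

Grouping on the type pair rather than the full message collapses repeats such as the two kde.desktop denials into one line per policy question.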
Comment 4 Daniel Walsh 2008-04-08 14:11:08 EDT
restorecon -R -v /etc/NetworkManager

Should clean up var_lock.

What directory is all of this kde.desktop stuff in?  Are these in
/usr/share/xsessions/kde.desktop?  Does kdm really need to write these files?

Also are you logging in as root?

Comment 5 Anne 2008-04-16 11:26:58 EDT
Sorry this has not been answered.  For some reason I'm not getting any bug
notifications at all.

The multiple AVCs disappeared a few days ago, I'd guess about the 11th or 12th.
I no longer have the AVC reports, but IIRC many referred to /tmp/ksocket-anne,
and /tmp/orbit-anne.  I believe write access is necessary.

I never log in as root, though I do use a root konsole fairly often.
Comment 6 Daniel Walsh 2008-04-16 14:16:32 EDT
Well, I have no idea what caused these then.  Seems something wanted to write to
/root/.kde/tmp-david.lydgate.lan, which is why I thought you were logging in as
root.  The apps requesting access to write to /usr also seem weird, unless this
is some kind of python optimization code.
Comment 7 Anne 2008-04-16 14:46:25 EDT
Since they are no longer happening I'd be inclined to close this bug.  I'll 
report any specific ones that occur later.
