Bug 441261 - Upstart causes multiple AVCs
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-07 13:33 UTC by Anne
Modified: 2008-04-17 12:19 UTC

Doc Type: Bug Fix
Last Closed: 2008-04-17 12:19:56 UTC


Attachments
Complete audit log. (313.82 KB, text/plain)
2008-04-07 13:33 UTC, Anne

Description Anne 2008-04-07 13:33:41 UTC
Description of problem:
Many AVCs are logged at upstart.  This morning listed 38 of them.


Version-Release number of selected component (if applicable):
Rawhide updated to 6th April

How reproducible:

Every day so far

Steps to Reproduce:
1. Log in normally and watch the AVC icon come up.
Actual results:

Running in permissive mode, so none visible

Expected results:


Additional info:

Comment 1 Anne 2008-04-07 13:33:41 UTC
Created attachment 301517
Complete audit log.

Comment 2 Daniel Walsh 2008-04-08 13:22:46 UTC
I think most of these are fixed in selinux-policy-3.3.1-29.fc9

Please update and report if you are seeing any?



Comment 3 Anne 2008-04-08 17:59:12 UTC
Far fewer.  Those remaining are:
SELinux is preventing 05-netfs (NetworkManager_t) "getattr" to /var/lock/subsys/netfs (var_lock_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./Oxygen.colors (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing kdm_greet (xdm_t) "write" to ./entry.desktop (locale_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (cache-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/cache-david.lydgate.lan).
SELinux is preventing kdm_greet (xdm_t) "write" to ./kde.desktop (usr_t).
SELinux is preventing the lnusertemp from using potentially mislabeled files (tmp-david.lydgate.lan).
SELinux is preventing the lnusertemp from using potentially mislabeled files (/root/.kde/tmp-david.lydgate.lan).

Incidentally, the postfix one seems to have disappeared.  I'll report that to 
bug #441130


Comment 4 Daniel Walsh 2008-04-08 18:11:08 UTC
restorecon -R -v /etc/NetworkManager

Should clean up var_lock.

What directory are all of these kde.desktop stuff in?  Are these in
/usr/share/xsessions/kde.desktop?   Does kdm really need to write these files?

Also are you logging in as root?



Comment 5 Anne 2008-04-16 15:26:58 UTC
Sorry this has not been answered.  For some reason I'm not getting any bug
notifications at all.

The multiple AVCs disappeared a few days ago,  I'd guess about the 11th or 12th.
 I no longer have the AVC reports, but IIRC many referred to /tmp/ksocket-anne,
and /tmp/orbit-anne.  I believe write access is necessary.

I never log in as root, though I do use a root konsole fairly often.

Comment 6 Daniel Walsh 2008-04-16 18:16:32 UTC
Well I have no idea what caused these then.   Seems something wanted to write to
/root/.kde/tmp-david.lydgate.lan  which is why I thought you were logging in as
root.  The apps requesting access to write to /usr also seem weird, unless this
is some kind of python optimization code.

Comment 7 Anne 2008-04-16 18:46:25 UTC
Since they are no longer happening I'd be inclined to close this bug.  I'll 
report any specific ones that occur later.

