Bug 444102 - AVC errors attempting to change clock
Summary: AVC errors attempting to change clock
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: F9Blocker
TreeView+ depends on / blocked
 
Reported: 2008-04-25 00:08 UTC by John Poelstra
Modified: 2008-04-25 19:23 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-04-25 19:23:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description John Poelstra 2008-04-25 00:08:00 UTC
Description of problem:
While encountering bug #444101, after successfully entering the "right" password
I got the AVC errors below

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-35.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. See bug #444101


Additional info:
First:

Summary:

SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown>
(gnomeclock_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 24 Apr 2008 04:43:49 PM PDT
Last Seen                     Thu 24 Apr 2008 04:44:16 PM PDT
Local ID                      b43e142d-4c49-45d3-8150-00d10ca6300c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209080656.416:89): avc:  denied  { getattr }
for  pid=6454 comm="polkit-resolve-"
scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process

host=yardsale type=SYSCALL msg=audit(1209080656.416:89): arch=c000003e syscall=0
success=no exit=-13 a0=4 a1=25c72f0 a2=fff a3=0 items=0 ppid=6412 pid=6454
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

~~~~~~~~~~~~~~~~

Second:

Summary:

SELinux is preventing polkit-resolve- (gnomeclock_t) "setuid" to <Unknown>
(gnomeclock_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 24 Apr 2008 04:43:49 PM PDT
Last Seen                     Thu 24 Apr 2008 04:44:16 PM PDT
Local ID                      6ef11c7b-0399-483f-bf17-6736c723d7f7
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209080656.412:88): avc:  denied  { setuid }
for  pid=6454 comm="polkit-resolve-" capability=7
scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability

host=yardsale type=SYSCALL msg=audit(1209080656.412:88): arch=c000003e
syscall=105 success=yes exit=0 a0=0 a1=7fff3f7c4598 a2=0 a3=7f80377a9780 items=0
ppid=6412 pid=6454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

~~~~~~~~~~~~~~~~

Third:


Summary:

SELinux is preventing gnome-clock-app (gnomeclock_t) "sys_ptrace" to <Unknown>
(gnomeclock_t).

Detailed Description:

SELinux denied access requested by gnome-clock-app. It is not expected that this
access is required by gnome-clock-app and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        gnome-clock-app
Source Path                   /usr/libexec/gnome-clock-applet-mechanism
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           gnome-panel-2.22.1.2-6.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 24 Apr 2008 04:43:49 PM PDT
Last Seen                     Thu 24 Apr 2008 04:44:16 PM PDT
Local ID                      8b393e21-b938-4397-9d5a-7702cd3d3645
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209080656.406:87): avc:  denied  { sys_ptrace
} for  pid=6412 comm="gnome-clock-app" capability=19
scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability

host=yardsale type=SYSCALL msg=audit(1209080656.406:87): arch=c000003e
syscall=89 success=no exit=-13 a0=7fffa9c52300 a1=7fffa9c52410 a2=fff
a3=8101010101010100 items=0 ppid=1 pid=6412 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-25 19:23:57 UTC
Fixed in selinux-policy-3.3.1-42.fc9.noarch


Note You need to log in before you can comment on or make changes to this bug.