Red Hat Bugzilla – Bug 444102
AVC errors attempting to change clock
Last modified: 2008-04-25 15:23:57 EDT
Description of problem: While encountering bug #444101, after successfully entering the "right" password I got the AVC errors below Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-35.fc9.noarch How reproducible: 100% Steps to Reproduce: 1. See bug #444101 Additional info: First: Summary: SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown> (gnomeclock_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Objects None [ process ] Source polkit-resolve- Source Path /usr/libexec/polkit-resolve-exe-helper Port <Unknown> Host yardsale Source RPM Packages PolicyKit-0.8-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-35.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name yardsale Platform Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64 Alert Count 4 First Seen Thu 24 Apr 2008 04:43:49 PM PDT Last Seen Thu 24 Apr 2008 04:44:16 PM PDT Local ID b43e142d-4c49-45d3-8150-00d10ca6300c Line Numbers Raw Audit Messages host=yardsale type=AVC msg=audit(1209080656.416:89): avc: denied { getattr } for pid=6454 comm="polkit-resolve-" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process host=yardsale type=SYSCALL msg=audit(1209080656.416:89): arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=25c72f0 a2=fff a3=0 items=0 ppid=6412 pid=6454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) ~~~~~~~~~~~~~~~~ Second: Summary: SELinux is preventing polkit-resolve- (gnomeclock_t) "setuid" to <Unknown> (gnomeclock_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Objects None [ capability ] Source polkit-resolve- Source Path /usr/libexec/polkit-resolve-exe-helper Port <Unknown> Host yardsale Source RPM Packages PolicyKit-0.8-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-35.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name yardsale Platform Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64 Alert Count 4 First Seen Thu 24 Apr 2008 04:43:49 PM PDT Last Seen Thu 24 Apr 2008 04:44:16 PM PDT Local ID 6ef11c7b-0399-483f-bf17-6736c723d7f7 Line Numbers Raw Audit Messages host=yardsale type=AVC msg=audit(1209080656.412:88): avc: denied { setuid } for pid=6454 comm="polkit-resolve-" capability=7 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability host=yardsale type=SYSCALL msg=audit(1209080656.412:88): arch=c000003e syscall=105 success=yes exit=0 a0=0 a1=7fff3f7c4598 a2=0 a3=7f80377a9780 items=0 ppid=6412 pid=6454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null) ~~~~~~~~~~~~~~~~ Third: Summary: SELinux is preventing gnome-clock-app (gnomeclock_t) "sys_ptrace" to <Unknown> (gnomeclock_t). Detailed Description: SELinux denied access requested by gnome-clock-app. It is not expected that this access is required by gnome-clock-app and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Context system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 Target Objects None [ capability ] Source gnome-clock-app Source Path /usr/libexec/gnome-clock-applet-mechanism Port <Unknown> Host yardsale Source RPM Packages gnome-panel-2.22.1.2-6.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-35.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name yardsale Platform Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64 Alert Count 4 First Seen Thu 24 Apr 2008 04:43:49 PM PDT Last Seen Thu 24 Apr 2008 04:44:16 PM PDT Local ID 8b393e21-b938-4397-9d5a-7702cd3d3645 Line Numbers Raw Audit Messages host=yardsale type=AVC msg=audit(1209080656.406:87): avc: denied { sys_ptrace } for pid=6412 comm="gnome-clock-app" capability=19 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability host=yardsale type=SYSCALL msg=audit(1209080656.406:87): arch=c000003e syscall=89 success=no exit=-13 a0=7fffa9c52300 a1=7fffa9c52410 a2=fff a3=8101010101010100 items=0 ppid=1 pid=6412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
Fixed in selinux-policy-3.3.1-42.fc9.noarch