Bug 444408 - SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown> (gnomeclock_t).
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-28 05:13 EDT by Ruben Kerkhof
Modified: 2008-04-28 10:32 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-28 10:32:36 EDT

Description Ruben Kerkhof 2008-04-28 05:13:43 EDT

SELinux is preventing polkit-resolve- (gnomeclock_t) "getattr" to <Unknown>

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          kl1017dv.cs.ad.klmcorp.net
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     kl1017dv.cs.ad.klmcorp.net
Platform                      Linux kl1017dv.cs.ad.klmcorp.net 2.6.25-1.fc9.i686
                              #1 SMP Thu Apr 17 01:47:10 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon 28 Apr 2008 11:08:58 AM CEST
Last Seen                     Mon 28 Apr 2008 11:08:58 AM CEST
Local ID                      c313b0cc-97b7-4aa4-80ea-d5a39f6a336f
Line Numbers                  

Raw Audit Messages            

host=kl1017dv.cs.ad.klmcorp.net type=AVC msg=audit(1209373738.254:96): avc: 
denied  { getattr } for  pid=10270 comm="polkit-resolve-"
tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process

host=kl1017dv.cs.ad.klmcorp.net type=SYSCALL msg=audit(1209373738.254:96):
arch=40000003 syscall=3 success=no exit=-13 a0=4 a1=8ec15d0 a2=fff a3=bf9c64ac
items=0 ppid=10241 pid=10270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-"
subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-04-28 10:32:36 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-43.fc9.noarch
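
Added example, not part of the original bug report and not audit2allow's own code: a Python example that derives from the audit records in this report the type-enforcement rule the denial corresponds to, so the content of a local module can be reviewed before it is loaded with semodule. The function names and the fallback to the SYSCALL record's subj= when the AVC line has no scontext= are assumptions of this example.

```python
import re
from collections import defaultdict

# Records taken from the report above, each joined onto one line.
SAMPLE_LOG = """\
host=kl1017dv.cs.ad.klmcorp.net type=AVC msg=audit(1209373738.254:96): avc:  denied  { getattr } for  pid=10270 comm="polkit-resolve-" tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=process
host=kl1017dv.cs.ad.klmcorp.net type=SYSCALL msg=audit(1209373738.254:96): arch=40000003 syscall=3 success=no exit=-13 a0=4 a1=8ec15d0 a2=fff a3=bf9c64ac items=0 ppid=10241 pid=10270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkit-resolve-" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    return context.split(":")[2]  # user:role:type[:range] -> type

def allow_rules(log_text):
    """Derive the allow rules the denials in log_text would need."""
    subj_by_event = {}   # event id -> subject context from SYSCALL record
    denials = []         # (event id, perms, fields) per AVC record
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("type") == "SYSCALL" and "subj" in fields:
            subj_by_event[m.group(1)] = fields["subj"]
        elif fields.get("type") == "AVC":
            p = PERMS.search(line)
            if p:
                denials.append((m.group(1), p.group(1).split(), fields))
    rules = defaultdict(set)
    for event, perms, f in denials:
        # Assumption of this example: fall back to the SYSCALL subj= when
        # the AVC line carries no scontext=, as in the record above.
        scontext = f.get("scontext") or subj_by_event.get(event)
        if not scontext or "tcontext" not in f or "tclass" not in f:
            continue
        src, tgt = se_type(scontext), se_type(f["tcontext"])
        rules[(src, "self" if src == tgt else tgt, f["tclass"])].update(perms)
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Denials from unrelated processes that share the same log window would appear here as additional rules, which is the thing to look for before installing a generated module.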
