This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 446751 - hal does not mount internal partitions
hal does not mount internal partitions
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 445523 447303 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-15 16:47 EDT by Rui Matos
Modified: 2008-11-17 17:03 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:03:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
avcs just recieved in se troubleshooter (2.96 KB, text/plain)
2008-05-29 09:46 EDT, You
no flags Details
messages from tail (11.54 KB, text/plain)
2008-05-29 15:13 EDT, You
no flags Details

  None (edit)
Description Rui Matos 2008-05-15 16:47:35 EDT
If I do 

$ gnome-mount -d /dev/sda6

I get the polkit authentication dialog but then nothing happens. The same
happens when clicking partition icons on nautilus' computer window.

With lshal --monitor I was able to get these messages when I ran gnome-mount as
above:

org.freedesktop.DBus.Error.NameHasNoOwner: Could not get PID of name ':1.212':
no such name

I also see that /usr/libexec/polkit-gnome-manager stays running for a while
after having run gnome-mount.
Comment 1 Rui Matos 2008-05-15 20:53:47 EDT
I've investigated this a bit more. Scrap what I said before.

I now believe that the problem lies in HAL. I stopped the haldaemon service and
on a tty did

$ sudo /usr/sbin/hald --daemon=no --verbose=yes

I've captured that log btw.

After loging into gnome again I was able to mount and unmount the internal
partitions with gnome-mount and nautilus.

Then I've killed that hald and restarted the haldaemon service.

After loging in again it no longer works. I'm puzzled.
Comment 2 Rui Matos 2008-05-16 06:31:27 EDT
Hey, I've changed the haldaemon script to start hald with --daemon=no.

When I try to mount a partition it says:

Run started hal-storage-mount (0) (1) 
!  full path is '/usr/libexec/hal-storage-mount', program_dir is '/usr/libexec'
4305: XYA attempting to get lock on /media/.hal-mtab-lock
4305: XYA got lock on /media/.hal-mtab-lock
device                           = /dev/sda6
invoked by uid                   = 500
invoked by system bus connection = :1.135
 label 'Fedora7.i386'  uuid '49046ce9-6f87-49d6-922f-e207f3c75f86'
Looking at /etc/fstab entry 'UUID=112cbc61-ef9b-4afa-920f-e81ba72c1c2b'
Looking at /etc/fstab entry 'tmpfs'
/etc/fstab: device tmpfs -> tmpfs 
Looking at /etc/fstab entry 'devpts'
/etc/fstab: device devpts -> devpts 
Looking at /etc/fstab entry 'sysfs'
/etc/fstab: device sysfs -> sysfs 
Looking at /etc/fstab entry 'proc'
/etc/fstab: device proc -> proc 
Looking at /etc/fstab entry 'UUID=1f58d5aa-9bd3-4a08-a4ab-433f089b99b0'
mount_point    = 'Fedora7.i386'
mount_fstype   = ''
mount_options  = ''
trying dir /media/Fedora7.i386
allowed_options[0] = 'ro'
allowed_options[1] = 'sync'
allowed_options[2] = 'dirsync'
allowed_options[3] = 'noatime'
allowed_options[4] = 'nodiratime'
allowed_options[5] = 'noexec'
allowed_options[6] = 'quiet'
allowed_options[7] = 'remount'
allowed_options[8] = 'exec'
allowed_options[9] = 'acl'
allowed_options[10] = 'user_xattr'
allowed_options[11] = 'data='
using action org.freedesktop.hal.storage.mount-fixed for uid 500,
system_bus_connection :1.135
polkit-resolve-exe-helper: Cannot resolve link for pid 4304
polkit-resolve-exe-helper: Cannot resolve link for pid 4304
pid 4305: rc=1 signaled=0: /usr/libexec/hal-storage-mount

But if I start hal with sudo as before I can mount things and instead of that
polkit-resolve-exe-helper message I get "passed privilege".
Comment 3 Rui Matos 2008-05-16 12:04:51 EDT
After a

$ sudo setenforce 0

I works ok. So this is probably a bug in selinux policy.
Comment 4 Rui Matos 2008-05-16 12:23:09 EDT
Sorry but I have to vent here. I can't believe I lost one day to find the root
cause for this! I don't understand why selinux doesn't log these denials like it
does for lots of others I am always getting. Damn.
Comment 5 William Lovaton 2008-05-18 12:57:45 EDT
I can confirm this problem is caused by SELinux.

My laptop has Fedora 8 and Windows XP installed on the hard drive.  I boot with
the final Fedora 9 Live USB and I can't browse my Linux and Windows partition
from the Computer place in nautilus.

Now if I disable SELinux (permissive mode) it works fine as it should but there
are no messages in the SELinux log.

I have been using Fedora for a long time and I always have to disable SELinux. 
I'd like to keep it active all the time but I can't.

I hope this can be fixed soon so there is a better chance of getting a solid
experience out of the box.

Cheers.
Comment 6 You 2008-05-18 13:28:42 EDT
*** Bug 445523 has been marked as a duplicate of this bug. ***
Comment 7 You 2008-05-18 13:33:36 EDT
More info from the dupe report: Logging in as root seems to fix the problem,
even after logging out again.

@ comment #5 - instead of disabling SElinux, you go to System >> administration
and set it to permissive. While not exactly protecting you, it should log most
SElinux violations and allow you to set it to enforcing again once this bug has
been fixed without the need for a full relabel.
Comment 8 Tomáš Bžatek 2008-05-21 10:18:01 EDT
*** Bug 447303 has been marked as a duplicate of this bug. ***
Comment 9 Peeter Puusemp 2008-05-21 10:29:45 EDT
I have the same problem. I mounted some partitions as a user (asked root
password), but they are not shown as mounted and are not accessible. Logging in
as root in the terminal and then opening Nautilus as root immediately mounts
them for the user. Every time after restarting the computer I have to open
Nautilus as root again to give the user access to those partitions. Leaving
Nautilus open as root is not needed.

Setting SELinux to permissive mode "fixes" it. Thank you, You!

I hope it will be fixed soon.
Comment 10 Martin Jürgens 2008-05-21 11:18:39 EDT
Hm is it a bug in hal or selinux-policy? If it is the latter maybe it should be
assigned to the selinux-policy maintainer. I can confirm that setting SELinux to
permissive fixes the issue and that there is no output in /var/log/audit/*.
Comment 11 Jeffrey Tadlock 2008-05-21 16:40:20 EDT
Just adding that running 'setenforce 0' and then opening the Local Disk works as
expected.  

After setting SELinux back to enforcing mode, I am no longer able to open the
Local Disk.  Nothing is logged to /var/log/audit/audit.log.
Comment 12 Daniel Walsh 2008-05-27 13:37:03 EDT
Please execute semodule -DB to turn off dontaudit messages,  Then check for the
avcs.

semoduel -B will turn them back on.
Comment 13 You 2008-05-27 19:33:43 EDT
The first command breaks the SELinux troubleshooter. mounting as normal user is
still broken. After running the second command (and a restart to fix the
troubleshooter), the troubleshooter does not seem to have logged any avcs.

Those commands only worked using "su -". Gnome mount works the same with or
without those commands - not mount as a normal user, but does mount as a
superuser. Once mounted, the partitions stay mounted til shutdown - just logging
out does not unmount them.

Could this be HAL or something not carrying out a command because it expects it
to be denied?
Comment 14 Jeffrey Tadlock 2008-05-27 20:03:48 EDT
I rebooted (just to be sure I was starting fresh) and then ran semodule -DB. 
Then I did tail -f /var/log/audit/audit.log.  Then I went to Places > Computer >
Local Disk and tried to open it.  Nothing happened after trying to double-click
on the Local Disk, but I did get these entries in the log:

type=AVC msg=audit(1211932515.341:32): avc:  denied  { siginh } for  pid=4050
comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1211932515.341:32): avc:  denied  { rlimitinh } for  pid=4050
comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1211932515.341:32): avc:  denied  { noatsecure } for 
pid=4050 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=SYSCALL msg=audit(1211932515.341:32): arch=40000003 syscall=11 success=yes
exit=0 a0=729aeb4 a1=bfa20460 a2=844f490 a3=bfa20460 items=0 ppid=4049 pid=4050
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932515.342:33): avc:  denied  { read } for  pid=4050
comm="polkit-read-aut" name="config" dev=dm-0 ino=1197606
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1211932515.342:33): arch=40000003 syscall=5 success=no
exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=4049 pid=4050
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932515.342:34): avc:  denied  { getattr } for  pid=4050
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1211932515.342:34): arch=40000003 syscall=268 success=no
exit=-13 a0=64a3b6 a1=54 a2=bf984f70 a3=64a3b6 items=0 ppid=4049 pid=4050
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932515.343:35): avc:  denied  { search } for  pid=4050
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1211932515.343:35): arch=40000003 syscall=195 success=no
exit=-13 a0=bf983f2c a1=bf983ecc a2=5e2ff4 a3=bf983f2c items=0 ppid=4049
pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87
fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932515.343:36): avc:  denied  { search } for  pid=4050
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1211932515.343:36): arch=40000003 syscall=5 success=no
exit=-13 a0=bf983f04 a1=8000 a2=0 a3=8000 items=0 ppid=4049 pid=4050
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932515.344:37): avc:  denied  { sys_ptrace } for 
pid=4049 comm="polkit-resolve-" capability=19
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0
tclass=capability
type=SYSCALL msg=audit(1211932515.344:37): arch=40000003 syscall=85 success=no
exit=-13 a0=bfa206c8 a1=bfa20724 a2=fff a3=bfa206c8 items=0 ppid=2107 pid=4049
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:hald_t:s0
key=(null)


I tried right clicking on Local Disk and choosing open (still while tailing the
audit.log) and received this round of messages:

type=AVC msg=audit(1211932598.325:44): avc:  denied  { siginh } for  pid=4124
comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1211932598.325:44): avc:  denied  { rlimitinh } for  pid=4124
comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1211932598.325:44): avc:  denied  { noatsecure } for 
pid=4124 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=SYSCALL msg=audit(1211932598.325:44): arch=40000003 syscall=11 success=yes
exit=0 a0=729aeb4 a1=bfd20760 a2=9d13490 a3=bfd20760 items=0 ppid=4123 pid=4124
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932598.326:45): avc:  denied  { read } for  pid=4124
comm="polkit-read-aut" name="config" dev=dm-0 ino=1197606
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=SYSCALL msg=audit(1211932598.326:45): arch=40000003 syscall=5 success=no
exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=4123 pid=4124
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932598.326:46): avc:  denied  { getattr } for  pid=4124
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1211932598.326:46): arch=40000003 syscall=268 success=no
exit=-13 a0=64a3b6 a1=54 a2=bfc60a40 a3=64a3b6 items=0 ppid=4123 pid=4124
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932598.327:47): avc:  denied  { search } for  pid=4124
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1211932598.327:47): arch=40000003 syscall=195 success=no
exit=-13 a0=bfc5f9fc a1=bfc5f99c a2=5e2ff4 a3=bfc5f9fc items=0 ppid=4123
pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87
fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932598.327:48): avc:  denied  { search } for  pid=4124
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1211932598.327:48): arch=40000003 syscall=5 success=no
exit=-13 a0=bfc5f9d4 a1=8000 a2=0 a3=8000 items=0 ppid=4123 pid=4124
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1211932598.328:49): avc:  denied  { sys_ptrace } for 
pid=4123 comm="polkit-resolve-" capability=19
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0
tclass=capability
type=SYSCALL msg=audit(1211932598.328:49): arch=40000003 syscall=85 success=no
exit=-13 a0=bfd209c8 a1=bfd20a24 a2=fff a3=bfd209c8 items=0 ppid=2107 pid=4123
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:hald_t:s0
key=(null)

I will happily provide additional information if needed - just let me know what
you need.

Thanks!
Comment 15 Daniel Walsh 2008-05-28 06:50:25 EDT
Ok I added some fixes for selinux-policy-3.3.1-56.fc9

Please see if these fix the problem
Comment 16 Rui Matos 2008-05-28 09:53:18 EDT
(In reply to comment #15)
> Ok I added some fixes for selinux-policy-3.3.1-56.fc9

That package failed to build according to koji
http://koji.fedoraproject.org/koji/buildinfo?buildID=50745
Comment 17 Martin Jürgens 2008-05-29 05:07:09 EDT
Build was successful.. Will test it this evining if no one else tests it to that
point :)
Comment 18 You 2008-05-29 07:32:36 EDT
With updated -policy and -policy targeted (3.3.1-56), I now get an avc denial
message.

There is only one listed.


Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./dbus
(system_dbusd_var_run_t).

Detailed Description:
SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dbus,
restorecon -v './dbus'-

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                ./dbus [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-56.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-38.fc9.i686
                              #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 29 May 2008 12:23:15 BST
Last Seen                     Thu 29 May 2008 12:25:57 BST
Local ID                      7d3524e3-0900-496e-b68e-36d9f962bc38
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1212060357.414:35): avc:  denied 
{ search } for  pid=3001 comm="polkit-resolve-" name="dbus" dev=dm-0 ino=662387
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1212060357.414:35):
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa54340 a2=d3eff4 a3=1f
items=0 ppid=2115 pid=3001 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0
egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)


Not sure if this is the right message as multiple attemts at mounting the
partition have only caused this one message.

Using tail as mentioned in comment 14 gives:

type=AVC msg=audit(1212060640.386:41): avc:  denied  { search } for  pid=3092
comm="polkit-resolve-" name="dbus" dev=dm-0 ino=662387
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1212060640.386:41): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfcf2de0 a2=d3eff4 a3=1f items=0 ppid=2115 pid=3092
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Comment 19 Jeffrey Tadlock 2008-05-29 07:55:52 EDT
I had the same results as comment 18.  I installed:

selinux-policy-targeted-3.3.1-56.fc9.noarch
selinux-policy-3.3.1-56.fc9.noarch

And when trying to open Local Disk from Places > Computer had an AVC Denial
pop-up which stated:


Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./dbus
(system_dbusd_var_run_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./dbus,

restorecon -v './dbus'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                ./dbus [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          liriel.krynn.local
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-56.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     liriel.krynn.local
Platform                      Linux liriel.krynn.local 2.6.25.3-18.fc9.i686 #1
                              SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Thu 29 May 2008 07:42:50 AM EDT
Last Seen                     Thu 29 May 2008 07:43:24 AM EDT
Local ID                      fff6a311-da84-4052-9a2c-78638904a153
Line Numbers                  

Raw Audit Messages            

host=liriel.krynn.local type=AVC msg=audit(1212061404.190:13): avc:  denied  {
search } for  pid=3037 comm="polkit-resolve-" name="dbus" dev=dm-0 ino=1695873
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

host=liriel.krynn.local type=SYSCALL msg=audit(1212061404.190:13): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf842130 a2=c74ff4 a3=1f items=0
ppid=2108 pid=3037 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68
sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)


Thanks!
Comment 20 Daniel Walsh 2008-05-29 09:09:48 EDT
Fixed in selinux-policy-3.3.1-57.fc9.noarch
Comment 21 You 2008-05-29 09:35:24 EDT
With the new policy (57), I am getting a different avc:


Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid>
(hald_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/<pid>,

restorecon -v '/proc/<pid>'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:system_r:hald_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-57.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-38.fc9.i686
                              #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count                   5
First Seen                    Thu 29 May 2008 14:27:12 BST
Last Seen                     Thu 29 May 2008 14:32:17 BST
Local ID                      01782452-51be-4029-9d90-74237f24b1e9
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1212067937.94:19): avc:  denied  {
getattr } for  pid=2939 comm="polkit-resolve-" path="/proc/2118" dev=proc
ino=7663 scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1212067937.94:19):
arch=40000003 syscall=195 success=no exit=-13 a0=83e61b0 a1=bff1198c a2=6acff4
a3=bff11a94 items=0 ppid=2118 pid=2939 auid=4294967295 uid=0 gid=68 euid=0
suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295
comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)


Using tail and clicking on the icon in computer gives:

type=AVC msg=audit(1212067937.094:19): avc:  denied  { getattr } for  pid=2939
comm="polkit-resolve-" path="/proc/2118" dev=proc ino=7663
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=dir
type=SYSCALL msg=audit(1212067937.094:19): arch=40000003 syscall=195 success=no
exit=-13 a0=83e61b0 a1=bff1198c a2=6acff4 a3=bff11a94 items=0 ppid=2118 pid=2939
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Comment 22 You 2008-05-29 09:46:02 EDT
Created attachment 307063 [details]
avcs just recieved in se troubleshooter

Just changed the policy to permissive and mounted the drive, got a few other
avc's too.
Comment 23 Jeffrey Tadlock 2008-05-29 09:51:41 EDT
Updated to .57 and saw the same thing as comment 21.  

Here is the AVC Denial:


Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid>
(hald_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /proc/<pid>,

restorecon -v '/proc/<pid>'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:system_r:hald_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          liriel.krynn.local
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-57.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     liriel.krynn.local
Platform                      Linux liriel.krynn.local 2.6.25.3-18.fc9.i686 #1
                              SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Thu 29 May 2008 09:34:25 AM EDT
Last Seen                     Thu 29 May 2008 09:47:00 AM EDT
Local ID                      772e997d-26a1-42ee-864d-3ebbb57f4d3f
Line Numbers                  

Raw Audit Messages            

host=liriel.krynn.local type=AVC msg=audit(1212068820.919:39): avc:  denied  {
getattr } for  pid=3403 comm="polkit-resolve-" path="/proc/2101" dev=proc
ino=7417 scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=dir

host=liriel.krynn.local type=SYSCALL msg=audit(1212068820.919:39): arch=40000003
syscall=195 success=no exit=-13 a0=97501b0 a1=bffa121c a2=5e2ff4 a3=bffa1324
items=0 ppid=2101 pid=3403 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0
egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)

And this is from the tail -f /var/log/audit/audit.log

type=AVC msg=audit(1212068680.296:27): avc:  denied  { siginh } for  pid=3252
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212068680.296:27): avc:  denied  { rlimitinh } for  pid=3252
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212068680.296:27): avc:  denied  { noatsecure } for 
pid=3252 comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=SYSCALL msg=audit(1212068680.296:27): arch=40000003 syscall=11 success=yes
exit=0 a0=729802c a1=bffddaf4 a2=bffdf58c a3=bffddaf4 items=0 ppid=2101 pid=3252
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212068680.297:28): avc:  denied  { search } for  pid=3252
comm="polkit-resolve-" name="selinux" dev=dm-0 ino=1197365
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1212068680.297:28): arch=40000003 syscall=5 success=no
exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=2101 pid=3252
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212068680.297:29): avc:  denied  { getattr } for  pid=3252
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1212068680.297:29): arch=40000003 syscall=268 success=no
exit=-13 a0=64a3b6 a1=54 a2=bfdcea90 a3=64a3b6 items=0 ppid=2101 pid=3252
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212068680.298:30): avc:  denied  { search } for  pid=3252
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212068680.298:30): arch=40000003 syscall=195 success=no
exit=-13 a0=bfdcda4c a1=bfdcd9ec a2=5e2ff4 a3=bfdcda4c items=0 ppid=2101
pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68
fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212068680.298:31): avc:  denied  { search } for  pid=3252
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212068680.298:31): arch=40000003 syscall=5 success=no
exit=-13 a0=bfdcda24 a1=8000 a2=0 a3=8000 items=0 ppid=2101 pid=3252
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212068680.302:32): avc:  denied  { getattr } for  pid=3252
comm="polkit-resolve-" path="/proc/2101" dev=proc ino=7417
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:hald_t:s0 tclass=dir
type=SYSCALL msg=audit(1212068680.302:32): arch=40000003 syscall=195 success=no
exit=-13 a0=9c0d1b0 a1=bfdcd84c a2=5e2ff4 a3=bfdcd954 items=0 ppid=2101 pid=3252
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)

Comment 24 Daniel Walsh 2008-05-29 09:56:13 EDT
I take it you are running with semodule -DB?

Does the mount work in enforcing mode?
Comment 25 You 2008-05-29 10:00:29 EDT
The mount does not work in enforcing for me, those outputs are without the -DB
option.

Should I try again, with that?
Comment 26 Daniel Walsh 2008-05-29 13:36:37 EDT
Fixed in selinux-policy-3.3.1-58.fc9
Comment 27 You 2008-05-29 14:33:16 EDT
Never tried build 58, went straight to 59 and it still does not work.

the tail output of typing semodule -DB:

type=USER_AUTH msg=audit(1212085797.278:26): user pid=2980 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:authentication acct="root" exe="/bin/su" (hostname=?, addr=?,
terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1212085797.284:27): user pid=2980 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:accounting acct="root" exe="/bin/su" (hostname=?, addr=?,
terminal=pts/2 res=success)'
type=USER_START msg=audit(1212085797.296:28): user pid=2980 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct="root" exe="/bin/su" (hostname=?, addr=?,
terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1212085797.297:29): user pid=2980 uid=500 auid=500
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_AVC msg=audit(1212085816.158:30): user pid=2047 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received
policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=MAC_POLICY_LOAD msg=audit(1212085815.454:31): policy loaded auid=500 ses=1
type=SYSCALL msg=audit(1212085815.454:31): arch=40000003 syscall=4 success=yes
exit=2252467 a0=4 a1=b7c7d008 a2=225eb3 a3=bffdab18 items=0 ppid=3012 pid=3013
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1
comm="load_policy" exe="/usr/sbin/load_policy"
subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1212085816.168:32): avc:  denied  { siginh } for  pid=3014
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1212085816.168:32): avc:  denied  { rlimitinh } for  pid=3014
comm="setfiles" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1212085816.168:32): avc:  denied  { noatsecure } for 
pid=3014 comm="setfiles"
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1212085816.168:32): arch=40000003 syscall=11 success=yes
exit=0 a0=b846b648 a1=b9b4cc58 a2=0 a3=0 items=0 ppid=3012 pid=3014 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1
comm="setfiles" exe="/sbin/setfiles"
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1212085816.171:33): avc:  denied  { write } for  pid=2399
comm="setroubleshootd" name="rpm" dev=dm-0 ino=645916
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085816.171:33): arch=40000003 syscall=33 success=no
exit=-13 a0=99c42f8 a1=2 a2=3a9ae4 a3=9af57a0 items=0 ppid=1 pid=2399
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1212085816.172:34): avc:  denied  { write } for  pid=2399
comm="setroubleshootd" name="rpm" dev=dm-0 ino=645916
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085816.172:34): arch=40000003 syscall=33 success=no
exit=-13 a0=9b13c70 a1=2 a2=3a9ae4 a3=9b13b38 items=0 ppid=1 pid=2399
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1212085816.185:35): avc:  denied  { write } for  pid=2399
comm="setroubleshootd" name="rpm" dev=dm-0 ino=645916
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085816.185:35): arch=40000003 syscall=33 success=no
exit=-13 a0=9a84860 a1=2 a2=3a9ae4 a3=9b13260 items=0 ppid=1 pid=2399
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1212085816.193:36): avc:  denied  { write } for  pid=2399
comm="setroubleshootd" name="rpm" dev=dm-0 ino=645916
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085816.193:36): arch=40000003 syscall=33 success=no
exit=-13 a0=9ae6958 a1=2 a2=3a9ae4 a3=9af57a0 items=0 ppid=1 pid=2399
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1212085816.194:37): avc:  denied  { write } for  pid=2399
comm="setroubleshootd" name="rpm" dev=dm-0 ino=645916
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085816.194:37): arch=40000003 syscall=33 success=no
exit=-13 a0=9ae8518 a1=2 a2=3a9ae4 a3=9b13b38 items=0 ppid=1 pid=2399
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshootd_t:s0 key=(null)

and the output of clicking the volume in nautilus after that:

type=AVC msg=audit(1212085833.658:38): avc:  denied  { siginh } for  pid=3017
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212085833.658:38): avc:  denied  { rlimitinh } for  pid=3017
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212085833.658:38): avc:  denied  { noatsecure } for 
pid=3017 comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=SYSCALL msg=audit(1212085833.658:38): arch=40000003 syscall=11 success=yes
exit=0 a0=735e02c a1=bfd621e4 a2=bfd63c7c a3=bfd621e4 items=0 ppid=2113 pid=3017
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212085833.661:39): avc:  denied  { search } for  pid=3017
comm="polkit-resolve-" name="selinux" dev=dm-0 ino=810291
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085833.661:39): arch=40000003 syscall=5 success=no
exit=-13 a0=714e92 a1=8000 a2=1b6 a3=0 items=0 ppid=2113 pid=3017
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212085833.661:40): avc:  denied  { getattr } for  pid=3017
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1212085833.661:40): arch=40000003 syscall=268 success=no
exit=-13 a0=7143b6 a1=54 a2=bf955e10 a3=7143b6 items=0 ppid=2113 pid=3017
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212085833.662:41): avc:  denied  { search } for  pid=3017
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085833.662:41): arch=40000003 syscall=195 success=no
exit=-13 a0=bf954dcc a1=bf954d6c a2=6acff4 a3=bf954dcc items=0 ppid=2113
pid=3017 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68
fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212085833.662:42): avc:  denied  { search } for  pid=3017
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085833.662:42): arch=40000003 syscall=5 success=no
exit=-13 a0=bf954da4 a1=8000 a2=0 a3=8000 items=0 ppid=2113 pid=3017
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=USER_AVC msg=audit(1212085833.671:43): user pid=2047 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  {
send_msg } for msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager
member=GetSessionForUnixProcess dest=org.freedesktop.ConsoleKit spid=3017
tpid=2116 scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus :
exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1212085833.672:44): avc:  denied  { search } for  pid=3017
comm="polkit-resolve-" name="PolicyKit-public" dev=dm-0 ino=662389
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:polkit_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1212085833.672:44): arch=40000003 syscall=5 success=no
exit=-13 a0=84dfe10 a1=8000 a2=0 a3=8000 items=0 ppid=2113 pid=3017
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Comment 28 Daniel Walsh 2008-05-29 15:05:25 EDT
Can you run this in permissive mode. and gather the AVC's
Comment 29 You 2008-05-29 15:13:28 EDT
Created attachment 307124 [details]
messages from tail

Sure.

Done after running semodule -DB
Comment 30 Daniel Walsh 2008-05-29 15:44:40 EDT
Hopefully fixed in  selinux-policy-3.3.1-60.fc9
Comment 31 You 2008-05-29 16:19:34 EDT
heh, not yet. (your work is much appreciated though.)

Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./2861
(unconfined_t).

Detailed Description:

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./2861,

restorecon -v './2861'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                ./2861 [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-60.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-38.fc9.i686
                              #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count                   1
First Seen                    Thu 29 May 2008 21:14:48 BST
Last Seen                     Thu 29 May 2008 21:14:48 BST
Local ID                      48ece1f3-0fc2-40ae-9048-d8a0a0a7ddab
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1212092088.26:15): avc:  denied  {
search } for  pid=2863 comm="polkit-resolve-" name="2861" dev=proc ino=21046
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1212092088.26:15):
arch=40000003 syscall=85 success=no exit=-13 a0=bfc6a108 a1=bfc6a164 a2=fff
a3=bfc6a108 items=0 ppid=2115 pid=2863 auid=4294967295 uid=0 gid=68 euid=0
suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295
comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)


PS I have a few of these messages, but ach one has a different number. This one
has 2861, the others are 2803, 2838, (2861,) 2888 - one for each attempt to
access the volume.

(and this is without semodule -DB)
Comment 32 Daniel Walsh 2008-05-30 09:41:20 EDT
Hopefully fixed in  selinux-policy-3.3.1-61.fc9
Comment 33 You 2008-05-30 09:59:29 EDT
Nope. message from permissive mode:

Summary:

SELinux is preventing polkit-resolve- (polkit_resolve_t) "ptrace" to <Unknown>
(unconfined_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by polkit-resolve-. It is not expected that this
access is required by polkit-resolve- and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ process ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-61.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-38.fc9.i686
                              #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count                   3
First Seen                    Fri 30 May 2008 14:54:13 BST
Last Seen                     Fri 30 May 2008 14:57:59 BST
Local ID                      55d2a326-d397-4881-be34-b6c81a42fe07
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1212155879.328:19): avc:  denied 
{ ptrace } for  pid=2891 comm="polkit-resolve-"
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1212155879.328:19):
arch=40000003 syscall=85 success=yes exit=20 a0=bfaf6f98 a1=bfaf6ff4 a2=fff
a3=bfaf6f98 items=0 ppid=2117 pid=2891 auid=4294967295 uid=0 gid=68 euid=0
suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295
comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Comment 34 Daniel Walsh 2008-05-30 11:00:20 EDT
Policy RPM                    selinux-policy-3.3.1-62.fc9
Comment 35 You 2008-05-30 11:19:24 EDT
nope. (PS just had a check and my system does not have -policy-mls installed -
just -policy and -policy-targetted. Is this needed?) tail response after
semodule -DB:

type=AVC msg=audit(1212160643.483:27): avc:  denied  { siginh } for  pid=3018
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212160643.483:27): avc:  denied  { rlimitinh } for  pid=3018
comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=AVC msg=audit(1212160643.483:27): avc:  denied  { noatsecure } for 
pid=3018 comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0
tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process
type=SYSCALL msg=audit(1212160643.483:27): arch=40000003 syscall=11 success=yes
exit=0 a0=735e02c a1=bff868e4 a2=bff8837c a3=bff868e4 items=0 ppid=2119 pid=3018
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212160643.485:28): avc:  denied  { search } for  pid=3018
comm="polkit-resolve-" name="selinux" dev=dm-0 ino=810291
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.485:28): arch=40000003 syscall=5 success=no
exit=-13 a0=714e92 a1=8000 a2=1b6 a3=0 items=0 ppid=2119 pid=3018
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212160643.485:29): avc:  denied  { getattr } for  pid=3018
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1212160643.485:29): arch=40000003 syscall=268 success=no
exit=-13 a0=7143b6 a1=54 a2=bff97450 a3=7143b6 items=0 ppid=2119 pid=3018
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212160643.486:30): avc:  denied  { search } for  pid=3018
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.486:30): arch=40000003 syscall=195 success=no
exit=-13 a0=bff9640c a1=bff963ac a2=6acff4 a3=bff9640c items=0 ppid=2119
pid=3018 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68
fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212160643.486:31): avc:  denied  { search } for  pid=3018
comm="polkit-resolve-" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.486:31): arch=40000003 syscall=5 success=no
exit=-13 a0=bff963e4 a1=8000 a2=0 a3=8000 items=0 ppid=2119 pid=3018
auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
type=AVC msg=audit(1212160643.504:32): avc:  denied  { siginh } for  pid=3019
comm="polkit-read-aut" scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1212160643.504:32): avc:  denied  { rlimitinh } for  pid=3019
comm="polkit-read-aut" scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=AVC msg=audit(1212160643.504:32): avc:  denied  { noatsecure } for 
pid=3019 comm="polkit-read-aut" scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process
type=SYSCALL msg=audit(1212160643.504:32): arch=40000003 syscall=11 success=yes
exit=0 a0=7360eb4 a1=bff961d0 a2=87f8450 a3=bff961d0 items=0 ppid=3018 pid=3019
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1212160643.506:33): avc:  denied  { search } for  pid=3019
comm="polkit-read-aut" name="selinux" dev=dm-0 ino=810291
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.506:33): arch=40000003 syscall=5 success=no
exit=-13 a0=714e92 a1=8000 a2=1b6 a3=0 items=0 ppid=3018 pid=3019
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1212160643.507:34): avc:  denied  { getattr } for  pid=3019
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1212160643.507:34): arch=40000003 syscall=268 success=no
exit=-13 a0=7143b6 a1=54 a2=bfd5b7e0 a3=7143b6 items=0 ppid=3018 pid=3019
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1212160643.507:35): avc:  denied  { search } for  pid=3019
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.507:35): arch=40000003 syscall=195 success=no
exit=-13 a0=bfd5a79c a1=bfd5a73c a2=6acff4 a3=bfd5a79c items=0 ppid=3018
pid=3019 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87
fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1212160643.507:36): avc:  denied  { search } for  pid=3019
comm="polkit-read-aut" name="/" dev=selinuxfs ino=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1212160643.507:36): arch=40000003 syscall=5 success=no
exit=-13 a0=bfd5a774 a1=8000 a2=0 a3=8000 items=0 ppid=3018 pid=3019
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87
tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)
type=AVC msg=audit(1212160643.510:37): avc:  denied  { ptrace } for  pid=3018
comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1212160643.510:37): arch=40000003 syscall=85 success=no
exit=-13 a0=bff96438 a1=bff96494 a2=fff a3=bff96438 items=0 ppid=2119 pid=3018
auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68
tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Comment 36 Martin Jürgens 2008-06-02 14:35:05 EDT
selinux-policy-3.3.1-62.fc9 does not fix the issue for me, either.


host=kedora type=AVC msg=audit(1212431183.122:36): avc:  denied  { ptrace } for
 pid=3292 comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=kedora type=SYSCALL msg=audit(1212431183.122:36): arch=40000003 syscall=85
success=no exit=-13 a0=bf885528 a1=bf885584 a2=fff a3=bf885528 items=0 ppid=2078
pid=3292 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68
fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-"
exe="/usr/libexec/polkit-resolve-exe-helper"
subj=system_u:system_r:polkit_resolve_t:s0 key=(null)

Comment 37 Daniel Walsh 2008-06-02 15:04:55 EDT
Fixed in selinux-policy-3.3.1-64.fc9
Comment 38 Jeffrey Tadlock 2008-06-02 15:39:59 EDT
Installed:

selinux-policy-3.3.1-64.fc9
selinux-policy-targeted-3.3.1-64.fc9.noarch

And this is now working for me.

Thanks!!
Comment 39 Martin Jürgens 2008-06-02 15:44:25 EDT
> Fixed in selinux-policy-3.3.1-64.fc9

confirmed as fixing the issue
Comment 40 You 2008-06-02 19:41:02 EDT
Another confirmation that it is fixed. Thanks.
Comment 41 William Lovaton 2008-06-02 22:57:43 EDT
Daniel, could you please explain what the problem was?  Thanks for chasing this
bug down.  Cheers.
Comment 42 Daniel Walsh 2008-06-05 13:54:30 EDT
polkit_resolve examines the /proc/ table and attempts to read gather information
about the user at the console, I believe.  SELinux was preventing this access, 
 And it needed to be allowed.  
Comment 43 Daniel Walsh 2008-11-17 17:03:53 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.