If I do
$ gnome-mount -d /dev/sda6
I get the polkit authentication dialog but then nothing happens. The same happens when clicking partition icons on nautilus' computer window. With lshal --monitor I was able to get these messages when I ran gnome-mount as above:
org.freedesktop.DBus.Error.NameHasNoOwner: Could not get PID of name ':1.212': no such name
I also see that /usr/libexec/polkit-gnome-manager stays running for a while after having run gnome-mount.
I've investigated this a bit more. Scrap what I said before. I now believe that the problem lies in HAL. I stopped the haldaemon service and on a tty did
$ sudo /usr/sbin/hald --daemon=no --verbose=yes
I've captured that log btw. After logging into gnome again I was able to mount and unmount the internal partitions with gnome-mount and nautilus. Then I've killed that hald and restarted the haldaemon service. After logging in again it no longer works. I'm puzzled.
Hey, I've changed the haldaemon script to start hald with --daemon=no. When I try to mount a partition it says:

Run started hal-storage-mount (0) (1)
! full path is '/usr/libexec/hal-storage-mount', program_dir is '/usr/libexec'
4305: XYA attempting to get lock on /media/.hal-mtab-lock
4305: XYA got lock on /media/.hal-mtab-lock
device = /dev/sda6
invoked by uid = 500
invoked by system bus connection = :1.135
label 'Fedora7.i386' uuid '49046ce9-6f87-49d6-922f-e207f3c75f86'
Looking at /etc/fstab entry 'UUID=112cbc61-ef9b-4afa-920f-e81ba72c1c2b'
Looking at /etc/fstab entry 'tmpfs'
/etc/fstab: device tmpfs -> tmpfs
Looking at /etc/fstab entry 'devpts'
/etc/fstab: device devpts -> devpts
Looking at /etc/fstab entry 'sysfs'
/etc/fstab: device sysfs -> sysfs
Looking at /etc/fstab entry 'proc'
/etc/fstab: device proc -> proc
Looking at /etc/fstab entry 'UUID=1f58d5aa-9bd3-4a08-a4ab-433f089b99b0'
mount_point = 'Fedora7.i386'
mount_fstype = ''
mount_options = ''
trying dir /media/Fedora7.i386
allowed_options[0] = 'ro'
allowed_options[1] = 'sync'
allowed_options[2] = 'dirsync'
allowed_options[3] = 'noatime'
allowed_options[4] = 'nodiratime'
allowed_options[5] = 'noexec'
allowed_options[6] = 'quiet'
allowed_options[7] = 'remount'
allowed_options[8] = 'exec'
allowed_options[9] = 'acl'
allowed_options[10] = 'user_xattr'
allowed_options[11] = 'data='
using action org.freedesktop.hal.storage.mount-fixed for uid 500, system_bus_connection :1.135
polkit-resolve-exe-helper: Cannot resolve link for pid 4304
polkit-resolve-exe-helper: Cannot resolve link for pid 4304
pid 4305: rc=1 signaled=0: /usr/libexec/hal-storage-mount

But if I start hal with sudo as before I can mount things and instead of that polkit-resolve-exe-helper message I get "passed privilege".
After a $ sudo setenforce 0 it works ok. So this is probably a bug in selinux policy.
Sorry but I have to vent here. I can't believe I lost one day to find the root cause for this! I don't understand why selinux doesn't log these denials like it does for lots of others I am always getting. Damn.
I can confirm this problem is caused by SELinux. My laptop has Fedora 8 and Windows XP installed on the hard drive. I boot with the final Fedora 9 Live USB and I can't browse my Linux and Windows partition from the Computer place in nautilus. Now if I disable SELinux (permissive mode) it works fine as it should but there are no messages in the SELinux log. I have been using Fedora for a long time and I always have to disable SELinux. I'd like to keep it active all the time but I can't. I hope this can be fixed soon so there is a better chance of getting a solid experience out of the box. Cheers.
*** Bug 445523 has been marked as a duplicate of this bug. ***
More info from the dupe report: Logging in as root seems to fix the problem, even after logging out again. @ comment #5 - instead of disabling SELinux, you go to System >> administration and set it to permissive. While not exactly protecting you, it should log most SELinux violations and allow you to set it to enforcing again once this bug has been fixed without the need for a full relabel.
*** Bug 447303 has been marked as a duplicate of this bug. ***
I have the same problem. I mounted some partitions as a user (asked root password), but they are not shown as mounted and are not accessible. Logging in as root in the terminal and then opening Nautilus as root immediately mounts them for the user. Every time after restarting the computer I have to open Nautilus as root again to give the user access to those partitions. Leaving Nautilus open as root is not needed. Setting SELinux to permissive mode "fixes" it. Thank you, You! I hope it will be fixed soon.
Hm is it a bug in hal or selinux-policy? If it is the latter maybe it should be assigned to the selinux-policy maintainer. I can confirm that setting SELinux to permissive fixes the issue and that there is no output in /var/log/audit/*.
Just adding that running 'setenforce 0' and then opening the Local Disk works as expected. After setting SELinux back to enforcing mode, I am no longer able to open the Local Disk. Nothing is logged to /var/log/audit/audit.log.
Please execute semodule -DB to turn off dontaudit messages, then check for the avcs. semodule -B will turn them back on.
The first command breaks the SELinux troubleshooter. mounting as normal user is still broken. After running the second command (and a restart to fix the troubleshooter), the troubleshooter does not seem to have logged any avcs. Those commands only worked using "su -". Gnome mount works the same with or without those commands - not mount as a normal user, but does mount as a superuser. Once mounted, the partitions stay mounted til shutdown - just logging out does not unmount them. Could this be HAL or something not carrying out a command because it expects it to be denied?
I rebooted (just to be sure I was starting fresh) and then ran semodule -DB. Then I did tail -f /var/log/audit/audit.log. Then I went to Places > Computer > Local Disk and tried to open it. Nothing happened after trying to double-click on the Local Disk, but I did get these entries in the log: type=AVC msg=audit(1211932515.341:32): avc: denied { siginh } for pid=4050 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=AVC msg=audit(1211932515.341:32): avc: denied { rlimitinh } for pid=4050 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=AVC msg=audit(1211932515.341:32): avc: denied { noatsecure } for pid=4050 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=SYSCALL msg=audit(1211932515.341:32): arch=40000003 syscall=11 success=yes exit=0 a0=729aeb4 a1=bfa20460 a2=844f490 a3=bfa20460 items=0 ppid=4049 pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932515.342:33): avc: denied { read } for pid=4050 comm="polkit-read-aut" name="config" dev=dm-0 ino=1197606 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=SYSCALL msg=audit(1211932515.342:33): arch=40000003 syscall=5 success=no exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=4049 pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932515.342:34): avc: denied { getattr } for pid=4050 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 
scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1211932515.342:34): arch=40000003 syscall=268 success=no exit=-13 a0=64a3b6 a1=54 a2=bf984f70 a3=64a3b6 items=0 ppid=4049 pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932515.343:35): avc: denied { search } for pid=4050 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1211932515.343:35): arch=40000003 syscall=195 success=no exit=-13 a0=bf983f2c a1=bf983ecc a2=5e2ff4 a3=bf983f2c items=0 ppid=4049 pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932515.343:36): avc: denied { search } for pid=4050 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1211932515.343:36): arch=40000003 syscall=5 success=no exit=-13 a0=bf983f04 a1=8000 a2=0 a3=8000 items=0 ppid=4049 pid=4050 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932515.344:37): avc: denied { sys_ptrace } for pid=4049 comm="polkit-resolve-" capability=19 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability type=SYSCALL msg=audit(1211932515.344:37): arch=40000003 syscall=85 success=no exit=-13 a0=bfa206c8 a1=bfa20724 a2=fff 
a3=bfa206c8 items=0 ppid=2107 pid=4049 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:hald_t:s0 key=(null) I tried right clicking on Local Disk and choosing open (still while tailing the audit.log) and received this round of messages: type=AVC msg=audit(1211932598.325:44): avc: denied { siginh } for pid=4124 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=AVC msg=audit(1211932598.325:44): avc: denied { rlimitinh } for pid=4124 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=AVC msg=audit(1211932598.325:44): avc: denied { noatsecure } for pid=4124 comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process type=SYSCALL msg=audit(1211932598.325:44): arch=40000003 syscall=11 success=yes exit=0 a0=729aeb4 a1=bfd20760 a2=9d13490 a3=bfd20760 items=0 ppid=4123 pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932598.326:45): avc: denied { read } for pid=4124 comm="polkit-read-aut" name="config" dev=dm-0 ino=1197606 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=SYSCALL msg=audit(1211932598.326:45): arch=40000003 syscall=5 success=no exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=4123 pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932598.326:46): avc: denied { 
getattr } for pid=4124 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1211932598.326:46): arch=40000003 syscall=268 success=no exit=-13 a0=64a3b6 a1=54 a2=bfc60a40 a3=64a3b6 items=0 ppid=4123 pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932598.327:47): avc: denied { search } for pid=4124 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1211932598.327:47): arch=40000003 syscall=195 success=no exit=-13 a0=bfc5f9fc a1=bfc5f99c a2=5e2ff4 a3=bfc5f9fc items=0 ppid=4123 pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932598.327:48): avc: denied { search } for pid=4124 comm="polkit-read-aut" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_auth_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1211932598.327:48): arch=40000003 syscall=5 success=no exit=-13 a0=bfc5f9d4 a1=8000 a2=0 a3=8000 items=0 ppid=4123 pid=4124 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0 key=(null) type=AVC msg=audit(1211932598.328:49): avc: denied { sys_ptrace } for pid=4123 comm="polkit-resolve-" capability=19 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability type=SYSCALL msg=audit(1211932598.328:49): 
arch=40000003 syscall=85 success=no exit=-13 a0=bfd209c8 a1=bfd20a24 a2=fff a3=bfd209c8 items=0 ppid=2107 pid=4123 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:hald_t:s0 key=(null) I will happily provide additional information if needed - just let me know what you need. Thanks!
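Added example (not part of any comment in this report): a small Python parser for audit.log excerpts like the one posted above. It pairs each AVC denial with the SYSCALL record of the same event, so denials logged on a syscall that succeeded can be told apart from those where the syscall failed with exit=-13 (EACCES). The sample records are abridged from the comment above; all function and variable names are this example's own.

```python
import re

# Records abridged from the audit.log excerpt posted in this report (SYSCALL
# fields trimmed), joined by single spaces the way the page flattens them.
SAMPLE = " ".join([
    'type=AVC msg=audit(1211932515.341:32): avc: denied { siginh } for pid=4050 '
    'comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process',
    'type=AVC msg=audit(1211932515.341:32): avc: denied { rlimitinh } for pid=4050 '
    'comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process',
    'type=AVC msg=audit(1211932515.341:32): avc: denied { noatsecure } for pid=4050 '
    'comm="polkit-read-aut" scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:polkit_auth_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1211932515.341:32): arch=40000003 syscall=11 success=yes '
    'exit=0 pid=4050 exe="/usr/libexec/polkit-read-auth-helper"',
    'type=AVC msg=audit(1211932515.342:33): avc: denied { read } for pid=4050 '
    'comm="polkit-read-aut" name="config" dev=dm-0 ino=1197606 '
    'scontext=system_u:system_r:polkit_auth_t:s0 '
    'tcontext=system_u:object_r:selinux_config_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1211932515.342:33): arch=40000003 syscall=5 success=no '
    'exit=-13 pid=4050 exe="/usr/libexec/polkit-read-auth-helper"',
    'type=AVC msg=audit(1211932515.344:37): avc: denied { sys_ptrace } for pid=4049 '
    'comm="polkit-resolve-" capability=19 scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:hald_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1211932515.344:37): arch=40000003 syscall=85 success=no '
    'exit=-13 pid=4049 exe="/usr/libexec/polkit-resolve-exe-helper"',
])

# A record runs from its "type=... msg=audit(ts:serial):" header to the next
# header, so this works on one-record-per-line logs and on flattened pastes.
RECORD_RE = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):(?P<body>.*?)'
    r'(?=\s*type=\w+ msg=audit\(|\Z)', re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_records(text):
    """Yield (record type, event id, raw body, key=value fields)."""
    for m in RECORD_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['body'])}
        yield m['type'], m['event'], m['body'], fields


def sel_type(context):
    """user:role:type:level -> type"""
    return context.split(':')[2]


def triage(text):
    """Group denials by (source type, target type, class) and record whether
    the syscall of the same audit event failed."""
    outcome, denials = {}, []
    for rtype, event, body, f in parse_records(text):
        if rtype == "SYSCALL":
            outcome[event] = (f.get("success") == "no", f.get("exe"))
        elif rtype == "AVC":
            perms = PERMS_RE.search(body)
            if perms and {"scontext", "tcontext", "tclass"} <= f.keys():
                denials.append((event, perms.group(1).split(), f))
    rows = {}
    for event, perms, f in denials:
        key = (sel_type(f["scontext"]), sel_type(f["tcontext"]), f["tclass"])
        failed, exe = outcome.get(event, (None, None))  # None: no SYSCALL seen
        row = rows.setdefault(key, {"perms": set(), "outcomes": set(), "exe": exe})
        row["perms"].update(perms)
        row["outcomes"].add(failed)
    return rows


def verdict(row):
    """'failed' if any paired syscall returned an error, else what is known."""
    if True in row["outcomes"]:
        return "failed"
    return "succeeded" if row["outcomes"] == {False} else "unknown"


def report(rows):
    lines = []
    for (src, tgt, cls), row in sorted(rows.items()):
        perms = " ".join(sorted(row["perms"]))
        lines.append(f"{verdict(row):9} {src} -> {tgt}:{cls} "
                     f"{{ {perms} }} exe={row['exe']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE))))
```

The succeeded/failed split only applies to records captured in enforcing mode; in permissive mode denied accesses are allowed to proceed, so the SYSCALL outcome no longer distinguishes them.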
Ok, I added some fixes for selinux-policy-3.3.1-56.fc9. Please see if these fix the problem.
(In reply to comment #15)
> Ok I added some fixes for selinux-policy-3.3.1-56.fc9

That package failed to build according to koji
http://koji.fedoraproject.org/koji/buildinfo?buildID=50745
Build was successful. Will test it this evening if no one else tests it to that point :)
With updated -policy and -policy targeted (3.3.1-56), I now get an avc denial message. There is only one listed. Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./dbus (system_dbusd_var_run_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dbus, restorecon -v './dbus'- If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information:

Source Context                system_u:system_r:polkit_resolve_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                ./dbus [ dir ]
Source                        polkit-resolve-
Source Path                   /usr/libexec/polkit-resolve-exe-helper
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           PolicyKit-0.8-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-56.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.4-38.fc9.i686 #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 29 May 2008 12:23:15 BST
Last Seen                     Thu 29 May 2008 12:25:57 BST
Local ID                      7d3524e3-0900-496e-b68e-36d9f962bc38
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1212060357.414:35): avc: denied { search } for pid=3001 comm="polkit-resolve-" name="dbus" dev=dm-0 ino=662387 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1212060357.414:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfa54340 a2=d3eff4 a3=1f items=0 ppid=2115 pid=3001 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)

Not sure if this is the right message as multiple attempts at mounting the partition have only caused this one message.
Using tail as mentioned in comment 14 gives: type=AVC msg=audit(1212060640.386:41): avc: denied { search } for pid=3092 comm="polkit-resolve-" name="dbus" dev=dm-0 ino=662387 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1212060640.386:41): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfcf2de0 a2=d3eff4 a3=1f items=0 ppid=2115 pid=3092 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
I had the same results as comment 18. I installed: selinux-policy-targeted-3.3.1-56.fc9.noarch selinux-policy-3.3.1-56.fc9.noarch And when trying to open Local Disk from Places > Computer had an AVC Denial pop-up which stated: Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./dbus (system_dbusd_var_run_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dbus, restorecon -v './dbus' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context system_u:system_r:polkit_resolve_t:s0 Target Context system_u:object_r:system_dbusd_var_run_t:s0 Target Objects ./dbus [ dir ] Source polkit-resolve- Source Path /usr/libexec/polkit-resolve-exe-helper Port <Unknown> Host liriel.krynn.local Source RPM Packages PolicyKit-0.8-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-56.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name liriel.krynn.local Platform Linux liriel.krynn.local 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686 Alert Count 1 First Seen Thu 29 May 2008 07:42:50 AM EDT Last Seen Thu 29 May 2008 07:43:24 AM EDT Local ID fff6a311-da84-4052-9a2c-78638904a153 Line Numbers Raw Audit Messages host=liriel.krynn.local type=AVC msg=audit(1212061404.190:13): avc: denied { search } for pid=3037 comm="polkit-resolve-" name="dbus" dev=dm-0 ino=1695873 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir host=liriel.krynn.local type=SYSCALL msg=audit(1212061404.190:13): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf842130 a2=c74ff4 a3=1f items=0 ppid=2108 pid=3037 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) Thanks!
Fixed in selinux-policy-3.3.1-57.fc9.noarch
With the new policy (57), I am getting a different avc: Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid> (hald_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /proc/<pid>, restorecon -v '/proc/<pid>' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context system_u:system_r:polkit_resolve_t:s0 Target Context system_u:system_r:hald_t:s0 Target Objects /proc/<pid> [ dir ] Source polkit-resolve- Source Path /usr/libexec/polkit-resolve-exe-helper Port <Unknown> Host localhost.localdomain Source RPM Packages PolicyKit-0.8-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-57.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.25.4-38.fc9.i686 #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon Alert Count 5 First Seen Thu 29 May 2008 14:27:12 BST Last Seen Thu 29 May 2008 14:32:17 BST Local ID 01782452-51be-4029-9d90-74237f24b1e9 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1212067937.94:19): avc: denied { getattr } for pid=2939 comm="polkit-resolve-" path="/proc/2118" dev=proc ino=7663 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir host=localhost.localdomain type=SYSCALL msg=audit(1212067937.94:19): arch=40000003 syscall=195 success=no exit=-13 a0=83e61b0 a1=bff1198c a2=6acff4 a3=bff11a94 items=0 ppid=2118 pid=2939 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) Using tail and clicking on the icon in computer gives: type=AVC msg=audit(1212067937.094:19): avc: denied { getattr } for pid=2939 comm="polkit-resolve-" path="/proc/2118" dev=proc ino=7663 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir type=SYSCALL msg=audit(1212067937.094:19): arch=40000003 syscall=195 success=no exit=-13 a0=83e61b0 a1=bff1198c a2=6acff4 a3=bff11a94 items=0 ppid=2118 pid=2939 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) 
ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Created attachment 307063
avcs just received in se troubleshooter

Just changed the policy to permissive and mounted the drive, got a few other avc's too.
Updated to .57 and saw the same thing as comment 21. Here is the AVC Denial: Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "getattr" to /proc/<pid> (hald_t). Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /proc/<pid>, restorecon -v '/proc/<pid>' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. 
Additional Information: Source Context system_u:system_r:polkit_resolve_t:s0 Target Context system_u:system_r:hald_t:s0 Target Objects /proc/<pid> [ dir ] Source polkit-resolve- Source Path /usr/libexec/polkit-resolve-exe-helper Port <Unknown> Host liriel.krynn.local Source RPM Packages PolicyKit-0.8-2.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-57.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name liriel.krynn.local Platform Linux liriel.krynn.local 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686 Alert Count 3 First Seen Thu 29 May 2008 09:34:25 AM EDT Last Seen Thu 29 May 2008 09:47:00 AM EDT Local ID 772e997d-26a1-42ee-864d-3ebbb57f4d3f Line Numbers Raw Audit Messages host=liriel.krynn.local type=AVC msg=audit(1212068820.919:39): avc: denied { getattr } for pid=3403 comm="polkit-resolve-" path="/proc/2101" dev=proc ino=7417 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir host=liriel.krynn.local type=SYSCALL msg=audit(1212068820.919:39): arch=40000003 syscall=195 success=no exit=-13 a0=97501b0 a1=bffa121c a2=5e2ff4 a3=bffa1324 items=0 ppid=2101 pid=3403 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) And this is from the tail -f /var/log/audit/audit.log type=AVC msg=audit(1212068680.296:27): avc: denied { siginh } for pid=3252 comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process type=AVC msg=audit(1212068680.296:27): avc: denied { rlimitinh } for pid=3252 comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process type=AVC msg=audit(1212068680.296:27): avc: denied { noatsecure } for pid=3252 comm="polkit-resolve-" 
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process type=SYSCALL msg=audit(1212068680.296:27): arch=40000003 syscall=11 success=yes exit=0 a0=729802c a1=bffddaf4 a2=bffdf58c a3=bffddaf4 items=0 ppid=2101 pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) type=AVC msg=audit(1212068680.297:28): avc: denied { search } for pid=3252 comm="polkit-resolve-" name="selinux" dev=dm-0 ino=1197365 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=SYSCALL msg=audit(1212068680.297:28): arch=40000003 syscall=5 success=no exit=-13 a0=64ae92 a1=8000 a2=1b6 a3=0 items=0 ppid=2101 pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) type=AVC msg=audit(1212068680.297:29): avc: denied { getattr } for pid=3252 comm="polkit-resolve-" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=filesystem type=SYSCALL msg=audit(1212068680.297:29): arch=40000003 syscall=268 success=no exit=-13 a0=64a3b6 a1=54 a2=bfdcea90 a3=64a3b6 items=0 ppid=2101 pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) type=AVC msg=audit(1212068680.298:30): avc: denied { search } for pid=3252 comm="polkit-resolve-" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1212068680.298:30): arch=40000003 
syscall=195 success=no exit=-13 a0=bfdcda4c a1=bfdcd9ec a2=5e2ff4 a3=bfdcda4c items=0 ppid=2101 pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) type=AVC msg=audit(1212068680.298:31): avc: denied { search } for pid=3252 comm="polkit-resolve-" name="/" dev=selinuxfs ino=1 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=SYSCALL msg=audit(1212068680.298:31): arch=40000003 syscall=5 success=no exit=-13 a0=bfdcda24 a1=8000 a2=0 a3=8000 items=0 ppid=2101 pid=3252 auid=4294967295 uid=68 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null) type=AVC msg=audit(1212068680.302:32): avc: denied { getattr } for pid=3252 comm="polkit-resolve-" path="/proc/2101" dev=proc ino=7417 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dir type=SYSCALL msg=audit(1212068680.302:32): arch=40000003 syscall=195 success=no exit=-13 a0=9c0d1b0 a1=bfdcd84c a2=5e2ff4 a3=bfdcd954 items=0 ppid=2101 pid=3252 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
I take it you are running with semodule -DB? Does the mount work in enforcing mode?
The mount does not work in enforcing for me, those outputs are without the -DB option. Should I try again, with that?
Fixed in selinux-policy-3.3.1-58.fc9
Never tried build 58, went straight to 59 and it still does not work. The tail output of typing semodule -DB:
and the output of clicking the volume in nautilus after that:
Can you run this in permissive mode and gather the AVCs?
Created attachment 307124: messages from tail. Sure. Done after running semodule -DB
Hopefully fixed in selinux-policy-3.3.1-60.fc9
heh, not yet. (your work is much appreciated though.)
Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "search" to ./2861 (unconfined_t).
Detailed Description: SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./2861, restorecon -v './2861' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context        system_u:system_r:polkit_resolve_t:s0
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        ./2861 [ dir ]
Source                polkit-resolve-
Source Path           /usr/libexec/polkit-resolve-exe-helper
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   PolicyKit-0.8-2.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-60.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall_file
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25.4-38.fc9.i686 #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count           1
First Seen            Thu 29 May 2008 21:14:48 BST
Last Seen             Thu 29 May 2008 21:14:48 BST
Local ID              48ece1f3-0fc2-40ae-9048-d8a0a0a7ddab
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1212092088.26:15): avc: denied { search } for pid=2863 comm="polkit-resolve-" name="2861" dev=proc ino=21046 scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1212092088.26:15): arch=40000003 syscall=85 success=no exit=-13 a0=bfc6a108 a1=bfc6a164 a2=fff a3=bfc6a108 items=0 ppid=2115 pid=2863 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
PS I have a few of these messages, but each one has a different number. This one has 2861, the others are 2803, 2838, (2861,) 2888 - one for each attempt to access the volume. (and this is without semodule -DB)
Hopefully fixed in selinux-policy-3.3.1-61.fc9
Nope. Message from permissive mode:
Summary: SELinux is preventing polkit-resolve- (polkit_resolve_t) "ptrace" to <Unknown> (unconfined_t).
Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by polkit-resolve-. It is not expected that this access is required by polkit-resolve- and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context        system_u:system_r:polkit_resolve_t:s0
Target Context        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects        None [ process ]
Source                polkit-resolve-
Source Path           /usr/libexec/polkit-resolve-exe-helper
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   PolicyKit-0.8-2.fc9
Target RPM Packages
Policy RPM            selinux-policy-3.3.1-61.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Permissive
Plugin Name           catchall
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.25.4-38.fc9.i686 #1 SMP Wed May 28 02:22:31 EDT 2008 i686 athlon
Alert Count           3
First Seen            Fri 30 May 2008 14:54:13 BST
Last Seen             Fri 30 May 2008 14:57:59 BST
Local ID              55d2a326-d397-4881-be34-b6c81a42fe07
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1212155879.328:19): avc: denied { ptrace } for pid=2891 comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1212155879.328:19): arch=40000003 syscall=85 success=yes exit=20 a0=bfaf6f98 a1=bfaf6ff4 a2=fff a3=bfaf6f98 items=0 ppid=2117 pid=2891 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Policy RPM selinux-policy-3.3.1-62.fc9
Nope. (PS just had a check and my system does not have -policy-mls installed - just -policy and -policy-targeted. Is this needed?) Tail response after semodule -DB:
selinux-policy-3.3.1-62.fc9 does not fix the issue for me, either.
host=kedora type=AVC msg=audit(1212431183.122:36): avc: denied { ptrace } for pid=3292 comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
host=kedora type=SYSCALL msg=audit(1212431183.122:36): arch=40000003 syscall=85 success=no exit=-13 a0=bf885528 a1=bf885584 a2=fff a3=bf885528 items=0 ppid=2078 pid=3292 auid=4294967295 uid=0 gid=68 euid=0 suid=0 fsuid=0 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="polkit-resolve-" exe="/usr/libexec/polkit-resolve-exe-helper" subj=system_u:system_r:polkit_resolve_t:s0 key=(null)
Fixed in selinux-policy-3.3.1-64.fc9
Installed: selinux-policy-3.3.1-64.fc9 selinux-policy-targeted-3.3.1-64.fc9.noarch And this is now working for me. Thanks!!
> Fixed in selinux-policy-3.3.1-64.fc9
Confirmed as fixing the issue.
Another confirmation that it is fixed. Thanks.
Daniel, could you please explain what the problem was? Thanks for chasing this bug down. Cheers.
polkit_resolve examines the /proc/ table and attempts to gather information about the user at the console, I believe. SELinux was preventing this access, and it needed to be allowed.
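Added example, not part of the original bug report and not code from the SELinux or PolicyKit projects: a small Python parser that groups AVC denials like the ones reported in this bug by source type, target type and class, so the accesses polkit_resolve_t was asking for can be read at a glance. The sample records are constructed, and treating siginh, rlimitinh and noatsecure as dontaudit noise exposed by semodule -DB is an assumption of the example.

```python
import re
from collections import defaultdict

# Checked on every domain transition; assumed here to be hidden by dontaudit
# rules in normal operation and visible only after `semodule -DB`.
TRANSITION_NOISE = {"siginh", "rlimitinh", "noatsecure"}

RECORD_START = re.compile(r"(?=type=\w+ msg=audit\()")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"\b(scontext|tcontext|tclass)=(\S+)")

# Constructed sample, modelled on the records in this bug: SYSCALL fields are
# trimmed and the records are run together on one line, as pasted logs often are.
SAMPLE = " ".join([
    'type=AVC msg=audit(1212160643.483:27): avc: denied { siginh } for pid=3018 '
    'comm="polkit-resolve-" scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:system_r:polkit_resolve_t:s0 tclass=process',
    'type=AVC msg=audit(1212160643.486:30): avc: denied { search } for pid=3018 '
    'comm="polkit-resolve-" name="/" dev=selinuxfs ino=1 '
    'scontext=system_u:system_r:polkit_resolve_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1212160643.486:30): arch=40000003 syscall=195 '
    'success=no exit=-13 comm="polkit-resolve-"',
    'type=AVC msg=audit(1212160643.510:37): avc: denied { ptrace } for pid=3018 '
    'comm="polkit-resolve-" scontext=system_u:system_r:polkit_resolve_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    "type=USER_AVC msg=audit(1212085833.671:43): user pid=2047 uid=81 "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "scontext=system_u:system_r:polkit_resolve_t:s0 "
    "tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\"'",
])


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denials(text):
    """Yield (perms, source_type, target_type, tclass) for each denial record."""
    for record in RECORD_START.split(text):
        denial = DENIAL.search(record)
        fields = dict(FIELD.findall(record))
        if denial and {"scontext", "tcontext", "tclass"} <= fields.keys():
            yield (set(denial.group(1).split()), selinux_type(fields["scontext"]),
                   selinux_type(fields["tcontext"]), fields["tclass"])


def summarize(text):
    """Split denials into (needed, noise) maps keyed by (source, target, class)."""
    needed, noise = defaultdict(set), defaultdict(set)
    for perms, source, target, tclass in parse_denials(text):
        for perm in perms:
            is_noise = tclass == "process" and perm in TRANSITION_NOISE
            (noise if is_noise else needed)[(source, target, tclass)].add(perm)
    return dict(needed), dict(noise)


def as_rules(groups, keyword="allow"):
    """Render groups in policy-rule syntax, as candidates for human review."""
    rules = []
    for (source, target, tclass), perms in sorted(groups.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"{keyword} {source} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    needed, noise = summarize(SAMPLE)
    print("\n".join(as_rules(needed)))
    print("\n".join(as_rules(noise, "dontaudit")))
```

The rendered rules are input for comparing against what a policy update actually granted, not a module to load unread.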
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.