Bug 451820 - AVC denials when logging in with KDE
Summary: AVC denials when logging in with KDE
Keywords:
Status: CLOSED DUPLICATE of bug 443661
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-17 16:45 UTC by Carl Roth
Modified: 2008-06-23 10:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-23 10:09:08 UTC
Type: ---
Embargoed:



Description Carl Roth 2008-06-17 16:45:08 UTC
Description of problem:

I get the following AVC denials on my system when I log in with KDE.  On this
system, NetworkManager is not running (not sure if that's important).  I'm also
not sure these denials are related; they happen to occur at first login.

host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read
write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" dev=sockfs
ino=8670 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read
write } for pid=3541 comm="console-kit-dae" path="socket:[10668]" dev=sockfs
ino=10668 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e
syscall=59 success=yes exit=0 a0=185a870 a1=185a5c0 a2=185a010 a3=316bf67a70
items=0 ppid=3540 pid=3541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) 

host=huggy.ursus.net type=AVC msg=audit(1213716769.752:12): avc: denied { read
write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" dev=sockfs
ino=8670 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e
syscall=59 success=yes exit=0 a0=1aee990 a1=1aee630 a2=1aee010 a3=316bf67a70
items=0 ppid=4262 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti"
exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null) 

host=huggy.ursus.net type=AVC msg=audit(1213716770.574:13): avc: denied {
getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=351
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e
syscall=4 success=no exit=-13 a0=3d6c65bce5 a1=7fffe5f24460 a2=7fffe5f24460
a3=316bf67a70 items=0 ppid=1 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti"
exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null) 


Version-Release number of selected component (if applicable):

ConsoleKit-0.2.10-3.fc9.x86_64
NetworkManager-0.7.0-0.9.4.svn3675.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Carl Roth 2008-06-17 16:51:30 UTC
The NetworkManager_t denials appear to be chained off of the nm-applet startup
in /etc/xdg/autostart/nm-applet --sm-disable.

What's the utility of running nm-applet and nm-settings-daemon if NetworkManager
is not running at all?


Comment 2 Carl Roth 2008-06-17 16:58:47 UTC
er, meant to say, "/etc/xdg/autostart/nm-applet.desktop".  "Problem between
screen, keyboard and primary cut buffer"


Comment 3 Carl Roth 2008-06-17 21:22:02 UTC
On one of my systems with a fixed (wired) configuration, NetworkManager is not
needed.  On this system, if I uninstall NetworkManager-gnome, it causes the
NetworkManager_t AVCs to go away.

On another one of my systems (wireless networking with NetworkManager) the
NetworkManager_t/system_dbusd_t denials do not occur, but the
NetworkManager_t/root_device_t denials do still occur.  On this system, the
consolekit_t denials do not occur.



Comment 4 Daniel Walsh 2008-06-22 12:24:20 UTC
Are you using nssldap for authorization?  There is a known file descriptor leak
that consolekit and dbus are complaining about.


The networkmanager looking at fixed disk is fixed in
selinux-policy-3.3.1-68.fc9.noarch


Comment 5 Carl Roth 2008-06-22 17:33:21 UTC
Yes, I'm using nss_ldap.  Any other symptoms I should be looking for?  High gas
prices, perhaps?


Comment 6 Daniel Walsh 2008-06-23 10:09:08 UTC
You can ignore those until the leaked file descriptor is fixed.

*** This bug has been marked as a duplicate of 443661 ***
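
Added example (not part of the original report or of any Fedora tooling): a small triage script over the audit records quoted in the description. It separates the socket denials logged in the same audit event as a successful execve (syscall=59 on x86_64), which is the pattern of an inherited, leaked descriptor, from the /dev/root getattr denial, which is a failed call. The function names and the heuristic itself are assumptions of this example.

```python
import re
from collections import defaultdict

# Records from the report above, unwrapped; host= dropped, SYSCALL lines trimmed.
SAMPLE = """\
type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[10668]" dev=sockfs ino=10668 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e syscall=59 success=yes exit=0 pid=3541 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
type=AVC msg=audit(1213716769.752:12): avc: denied { read write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e syscall=59 success=yes exit=0 pid=4263 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"
type=AVC msg=audit(1213716770.574:13): avc: denied { getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=351 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e syscall=4 success=no exit=-13 pid=4263 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE = {"c000003e": "59"}  # audit arch (x86_64) -> execve syscall number

def parse(text):
    """Group records by audit event id: {id: {"AVC": [...], "SYSCALL": [...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(2)][m.group(1)].append(fields)
    return events

def inherited_fd_denials(events):
    """AVCs on an already-open socket, raised during a successful execve."""
    hits = []
    for eid, recs in events.items():
        sc = (recs["SYSCALL"] or [{}])[0]
        if sc.get("success") != "yes" or EXECVE.get(sc.get("arch")) != sc.get("syscall", "?"):
            continue
        for avc in recs["AVC"]:
            if avc.get("path", "").startswith("socket:["):
                src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
                hits.append((eid, src, tgt, avc["ino"]))
    return hits

def shared_sockets(hits):
    """Socket inodes denied to more than one source domain."""
    by_ino = defaultdict(set)
    for _, src, _, ino in hits:
        by_ino[ino].add(src)
    return {ino: sorted(srcs) for ino, srcs in by_ino.items() if len(srcs) > 1}

if __name__ == "__main__":
    print(shared_sockets(inherited_fd_denials(parse(SAMPLE))))
```

On the quoted records, socket inode 8670 is reported for both consolekit_t and NetworkManager_t, which suggests one open descriptor being passed to unrelated children rather than two separate policy gaps.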

