Description of problem:
I get the following AVC denials on my system when I log in with KDE. On this system, NetworkManager is not running (not sure if that's important). I'm also not sure these denials are related; they happen to occur at first login.

host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[10668]" dev=sockfs ino=10668 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
host=huggy.ursus.net type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e syscall=59 success=yes exit=0 a0=185a870 a1=185a5c0 a2=185a010 a3=316bf67a70 items=0 ppid=3540 pid=3541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
host=huggy.ursus.net type=AVC msg=audit(1213716769.752:12): avc: denied { read write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
host=huggy.ursus.net type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e syscall=59 success=yes exit=0 a0=1aee990 a1=1aee630 a2=1aee010 a3=316bf67a70 items=0 ppid=4262 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
host=huggy.ursus.net type=AVC msg=audit(1213716770.574:13): avc: denied { getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=351 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
host=huggy.ursus.net type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e syscall=4 success=no exit=-13 a0=3d6c65bce5 a1=7fffe5f24460 a2=7fffe5f24460 a3=316bf67a70 items=0 ppid=1 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
ConsoleKit-0.2.10-3.fc9.x86_64
NetworkManager-0.7.0-0.9.4.svn3675.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
The NetworkManager_t denials appear to be chained off of the nm-applet startup in /etc/xdg/autostart/nm-applet --sm-disable. What's the utility of running nm-applet and nm-settings-daemon if NetworkManager is not running at all?
er, meant to say, "/etc/xdg/autostart/nm-applet.desktop". "Problem between screen, keyboard and primary cut buffer"
On one of my systems with a fixed (wired) configuration, NetworkManager is not needed. On this system, if I uninstall NetworkManager-gnome, it causes the NetworkManager_t AVCs to go away. On another one of my systems (wireless networking with NetworkManager) the NetworkManager_t/system_dbusd_t denials do not occur, but the NetworkManager_t/root_device_t denials do still occur. On this system, the consolekit_t denials do not occur.
Are you using nssldap for authorization? There is a known file descriptor leak that consolekit and dbus are complaining about. The networkmanager looking at fixed disk is fixed in selinux-policy-3.3.1-68.fc9.noarch
yes, i'm using nss_ldap. any other symptoms i should be looking for? high gas prices, perhaps?
You can ignore those until the leaked file descriptor is fixed.
*** This bug has been marked as a duplicate of 443661 ***
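Added example, not written by anyone in this thread: a small triage script for telling the leaked-descriptor denials discussed above apart from denials that reflect a real access attempt. It assumes a heuristic, namely that a denial on a socket labelled with another domain, logged in the same audit event as a successful execve (syscall 59 on arch c000003e, x86_64), is a descriptor inherited across exec; the function name and the shortened sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the report above, shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[10668]" dev=sockfs ino=10668 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e syscall=59 success=yes exit=0 pid=3541 comm="console-kit-dae"
type=AVC msg=audit(1213716769.752:12): avc: denied { read write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" dev=sockfs ino=8670 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e syscall=59 success=yes exit=0 pid=4263 comm="nm-system-setti"
type=AVC msg=audit(1213716770.574:13): avc: denied { getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=351 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e syscall=4 success=no exit=-13 pid=4263 comm="nm-system-setti"
"""

# Captures: event serial, inode, source type, target type, object class.
AVC = re.compile(
    r'type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{[^}]*\} for .*?ino=(\d+) '
    r'scontext=[^:\s]+:[^:\s]+:([^:\s]+):\S+ tcontext=[^:\s]+:[^:\s]+:([^:\s]+):\S+ tclass=(\w+)')
# Captures: event serial, arch, syscall number, success flag.
SYSCALL = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(\d+)\): arch=(\w+) syscall=(\d+) success=(\w+)')

def leaked_fd_candidates(log, arch="c000003e", execve_nr="59"):
    """Map (owner type, class, inode) -> set of domains that inherited the socket at exec."""
    # Audit events (by serial) whose SYSCALL record is a successful execve.
    execs = {m.group(1) for m in SYSCALL.finditer(log)
             if m.group(2) == arch and m.group(3) == execve_nr and m.group(4) == "yes"}
    hits = defaultdict(set)
    for serial, ino, src, tgt, tclass in AVC.findall(log):
        # A socket carries its creator's label, so tgt is the domain that leaked it.
        if serial in execs and tclass.endswith("_socket") and src != tgt:
            hits[(tgt, tclass, ino)].add(src)
    return dict(hits)

if __name__ == "__main__":
    for (owner, tclass, ino), domains in sorted(leaked_fd_candidates(SAMPLE).items()):
        print(f"{tclass} ino={ino} created in {owner}, inherited by: {', '.join(sorted(domains))}")
```

On the sample, socket inode 8670 shows up under both consolekit_t and NetworkManager_t, which points at the process that opened it rather than at either daemon; the getattr on /dev/root is not flagged because it belongs to a failed stat call, not an exec.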