Bug 464405 - System-config-services: AVC denial
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-services
Version: rawhide
Hardware: x86_64 Linux
Priority: medium  Severity: medium
Assigned To: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-09-28 05:36 EDT by Barry Clarke
Modified: 2008-10-29 04:57 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-10-29 04:57:50 EDT
Description Barry Clarke 2008-09-28 05:36:14 EDT
Description of problem:
system-config-services: AVC denial

Version-Release number of selected component (if applicable):
system-config-services 0.99.23

How reproducible:
Consistent
In case it's useful, this system was installed from the Fedora 10 x64 live/KDE image.

Steps to Reproduce:
1. From console, `system-config-services`
2. Fails to open. AVC denial occurs.

Expected results:
system-config-services applet should appear.

Additional info:
Two setroubleshoot messages (below). Executing
chcon -t bin_t '/usr/share/system-config-services/system-config-services-mechanism.py'
as suggested allows the applet to open; presumably a duff context?

+----------------------------+
Summary:

SELinux is preventing the lnusertemp from using potentially mislabeled files
(./root).

Detailed Description:

SELinux has denied lnusertemp access to potentially mislabeled file(s) (./root).
This means that SELinux will not allow lnusertemp to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to
access.

Allowing Access:

If you want lnusertemp to access this files, you need to relabel them using
restorecon -v './root'. You might want to relabel the entire directory using
restorecon -R -v './root'.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                ./root [ dir ]
Source                        lnusertemp
Source Path                   /usr/libexec/kde4/lnusertemp
Port                          <Unknown>
Host                          dell.home.0ctal.co.uk
Source RPM Packages           kdelibs-4.1.1-5.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.7-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     dell.home.0ctal.co.uk
Platform                      Linux dell.home.0ctal.co.uk
                              2.6.27-0.352.rc7.git1.fc10.x86_64 #1 SMP Tue Sep
                              23 21:13:29 EDT 2008 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 25 Sep 2008 10:37:39 PM BST
Last Seen                     Sun 28 Sep 2008 10:08:37 AM BST
Local ID                      40a45840-27a5-4ee8-bbbc-9745ef97f526
Line Numbers                  

Raw Audit Messages            

node=dell.home.0ctal.co.uk type=AVC msg=audit(1222592917.671:10): avc:  denied  { write } for  pid=2593 comm="lnusertemp" name="root" dev=sda3 ino=98305 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222592917.671:10): arch=c000003e syscall=83 success=no exit=-13 a0=7fff19cba800 a1=1c0 a2=ffffffff a3=ff7 items=0 ppid=2429 pid=2593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lnusertemp" exe="/usr/libexec/kde4/lnusertemp" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
+----------------------------+
Summary:

SELinux is preventing the dbus-daemon-lau (system_dbusd_t) from executing
./system-config-services-mechanism.py.

Detailed Description:

SELinux has denied the dbus-daemon-lau from executing
./system-config-services-mechanism.py. If dbus-daemon-lau is supposed to be able
to execute ./system-config-services-mechanism.py, this could be a labeling
problem. Most confined domains are allowed to execute files labeled bin_t. So
you could change the labeling on this file to bin_t and retry the application.
If this dbus-daemon-lau is not supposed to execute
./system-config-services-mechanism.py, this could signal a intrusion attempt.

Allowing Access:

If you want to allow dbus-daemon-lau to execute
./system-config-services-mechanism.py: chcon -t bin_t
'./system-config-services-mechanism.py' If this fix works, please update the
file context on disk, with the following command: semanage fcontext -a -t bin_t
'./system-config-services-mechanism.py' Please specify the full path to the
executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                ./system-config-services-mechanism.py [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          dell.home.0ctal.co.uk
Source RPM Packages           dbus-1.2.3-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.7-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     dell.home.0ctal.co.uk
Platform                      Linux dell.home.0ctal.co.uk
                              2.6.27-0.352.rc7.git1.fc10.x86_64 #1 SMP Tue Sep
                              23 21:13:29 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 26 Sep 2008 10:09:59 PM BST
Last Seen                     Sun 28 Sep 2008 10:10:43 AM BST
Local ID                      a21e6a58-ae98-43f4-b4ce-c3563fdbde42
Line Numbers                  

Raw Audit Messages            

node=dell.home.0ctal.co.uk type=AVC msg=audit(1222593043.167:15): avc:  denied  { execute } for  pid=3024 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=sda3 ino=22914 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=dell.home.0ctal.co.uk type=SYSCALL msg=audit(1222593043.167:15): arch=c000003e syscall=59 success=no exit=-13 a0=6c77f0 a1=6c76e0 a2=6c6010 a3=696e616863656d2d items=0 ppid=3023 pid=3024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
+----------------------------+
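As an added example (not code from the bug report or from the system-config-services project), a small Python triage script that parses the two raw AVC records quoted above into their type-enforcement fields and classifies each denial; the classification rules are my own assumption, modelled on the labelling advice setroubleshoot gave in this report, and are not a replacement for reading the policy.

```python
import re

# The two raw AVC records quoted in the bug report above.
AVC_LINES = [
    'node=dell.home.0ctal.co.uk type=AVC msg=audit(1222592917.671:10): avc:  denied  { write } for  pid=2593 comm="lnusertemp" name="root" dev=sda3 ino=98305 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir',
    'node=dell.home.0ctal.co.uk type=AVC msg=audit(1222593043.167:15): avc:  denied  { execute } for  pid=3024 comm="dbus-daemon-lau" name="system-config-services-mechanism.py" dev=sda3 ino=22914 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]
_PERMS = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC record into its decision-relevant fields; None for other types."""
    if "type=AVC" not in line:
        return None
    m = _PERMS.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    # A context is user:role:type[:range]; only the type matters for TE rules.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
    }

def triage(rec):
    """Heuristics (assumption, modelled on the setroubleshoot advice in the report):
    execute denied on a usr_t file -> mislabeled helper, label it bin_t;
    xdm_t denied on admin_home_t -> mislabeled home/tmp path, restorecon it."""
    if rec["result"] != "denied":
        return "granted"
    if rec["tclass"] == "file" and "execute" in rec["perms"] and rec["target_type"] == "usr_t":
        return "mislabeled executable: semanage fcontext -a -t bin_t, then restorecon"
    if rec["source_type"] == "xdm_t" and rec["target_type"] == "admin_home_t":
        return "mislabeled home path: restorecon -R -v"
    return "needs policy investigation"

def summarize(lines):
    """Map each AVC record in a log excerpt to (comm, source_type, perms, advice)."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out.append((rec["comm"], rec["source_type"], rec["perms"], triage(rec)))
    return out
```

Calling `summarize(AVC_LINES)` yields one tuple per denial; SYSCALL records in the same excerpt are skipped because only the AVC line carries the contexts and permission set.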
Comment 1 Nils Philippsen 2008-10-10 10:24:20 EDT
The files on your Live CD seem to be mislabeled, does this happen with newer ISOs as well?
Comment 2 Barry Clarke 2008-10-10 10:45:15 EDT
Nils - Will check this in the next few days. http://ftp.linux.org.uk/pub/distributions/fedora/linux/releases/test/10-Beta/Live/x86_64/F10-Beta-x86_64-Live.iso has recently been updated, so I'll go with that.

Barry
Comment 3 John Poelstra 2008-10-22 17:29:05 EDT
Hi,

Anything to report back?

Thanks
Comment 4 Barry Clarke 2008-10-22 18:41:17 EDT
John

Sorry, on a course at the moment...

Barry
Comment 5 Barry Clarke 2008-10-28 18:25:10 EDT
Hi

I finally managed to get this tested, and you'll be pleased to know I don't see this issue anymore!

cheers
