Summary: SELinux is preventing launchmail (staff_t) "getattr" to /usr/bin/thunderbird (thunderbird_exec_t).

Detailed description: SELinux denied access requested by launchmail. It is not expected that this access is required by launchmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/bin/thunderbird:
    restorecon -v '/usr/bin/thunderbird'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context        staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context        system_u:object_r:thunderbird_exec_t
Target objects        /usr/bin/thunderbird [ file ]
Source                which
Source path           /usr/bin/which
Port                  <Unknown>
Host                  viklef
Source RPM packages   bash-3.2-29.fc10
Target RPM packages   thunderbird-2.0.0.18-1.fc10
Policy RPM            selinux-policy-3.5.13-20.fc10
SELinux enabled       True
Policy type           targeted
MLS enabled           True
Enforcing mode        Enforcing
Plugin name           catchall_file
Host name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count           2
First seen            Mon 24 November 2008, 23:23:38 CET
Last seen             Mon 24 November 2008, 23:23:38 CET
Local ID              bcd7179a-97c6-47b6-9ae1-ca5539805a41
Line numbers

Raw audit messages:
node=viklef type=AVC msg=audit(1227565418.149:202): avc: denied { getattr } for pid=5541 comm="launchmail" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1227565418.149:202): arch=40000003 syscall=195 success=no exit=-13 a0=84666b0 a1=bfb7b920 a2=b20ff4 a3=84666b0 items=0 ppid=1 pid=5541 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="launchmail" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Probably a bigger problem than that -- when running thunderbird from gnome-terminal I get the following error and no thunderbird:

Summary: SELinux is preventing sh (staff_t) "read" to ./thunderbird (thunderbird_exec_t).

Detailed description: SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./thunderbird:
    restorecon -v './thunderbird'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context        staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context        system_u:object_r:thunderbird_exec_t
Target objects        ./thunderbird [ file ]
Source                sh
Source path           /bin/bash
Port                  <Unknown>
Host                  viklef
Source RPM packages   bash-3.2-29.fc10
Target RPM packages
Policy RPM            selinux-policy-3.5.13-20.fc10
SELinux enabled       True
Policy type           targeted
MLS enabled           True
Enforcing mode        Enforcing
Plugin name           catchall_file
Host name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count           1
First seen            Tue 25 November 2008, 01:05:42 CET
Last seen             Tue 25 November 2008, 01:05:42 CET
Local ID              eeac3f37-8e99-448f-b909-644ed624aeaa
Line numbers

Raw audit messages:
node=viklef type=AVC msg=audit(1227571542.802:269): avc: denied { read } for pid=6158 comm="sh" name="thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1227571542.802:269): arch=40000003 syscall=5 success=no exit=-13 a0=9d04028 a1=8000 a2=0 a3=8000 items=0 ppid=5436 pid=6158 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
And the same goes for evolution:

Summary: SELinux is preventing ls (staff_t) "getattr" to /usr/bin/evolution (evolution_exec_t).

Detailed description: SELinux denied access requested by ls. It is not expected that this access is required by ls and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/bin/evolution:
    restorecon -v '/usr/bin/evolution'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context        staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context        system_u:object_r:evolution_exec_t
Target objects        /usr/bin/evolution [ file ]
Source                bash
Source path           /bin/bash
Port                  <Unknown>
Host                  viklef
Source RPM packages   coreutils-6.12-18.fc10
Target RPM packages   evolution-2.25.1-2.fc11
Policy RPM            selinux-policy-3.5.13-20.fc10
SELinux enabled       True
Policy type           targeted
MLS enabled           True
Enforcing mode        Enforcing
Plugin name           catchall_file
Host name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count           5
First seen            Tue 25 November 2008, 01:11:04 CET
Last seen             Tue 25 November 2008, 01:11:20 CET
Local ID              cbcdf6e0-5ce6-441c-a954-2f4f122874ba
Line numbers

Raw audit messages:
node=viklef type=AVC msg=audit(1227571880.69:308): avc: denied { getattr } for pid=6280 comm="ls" path="/usr/bin/evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1227571880.69:308): arch=40000003 syscall=195 success=no exit=-13 a0=bfebc464 a1=992a888 a2=b20ff4 a3=0 items=0 ppid=6243 pid=6280 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ls" exe="/bin/ls" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Switching to Permissive mode and getting other AVC denials (but also Thunderbird, finally):

Summary: SELinux is preventing thunderbird (staff_t) "ioctl" to /usr/bin/thunderbird (thunderbird_exec_t).

Detailed description: [SELinux is in permissive mode; the operation would have been denied but was allowed because of permissive mode.] SELinux denied access requested by thunderbird. It is not expected that this access is required by thunderbird and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/bin/thunderbird:
    restorecon -v '/usr/bin/thunderbird'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context        staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context        system_u:object_r:thunderbird_exec_t
Target objects        /usr/bin/thunderbird [ file ]
Source                thunderbird
Source path           /bin/bash
Port                  <Unknown>
Host                  viklef
Source RPM packages   bash-3.2-29.fc10
Target RPM packages   thunderbird-2.0.0.18-1.fc10
Policy RPM            selinux-policy-3.5.13-20.fc10
SELinux enabled       True
Policy type           targeted
MLS enabled           True
Enforcing mode        Permissive
Plugin name           catchall_file
Host name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count           1
First seen            Tue 25 November 2008, 01:18:41 CET
Last seen             Tue 25 November 2008, 01:18:41 CET
Local ID              5893f536-0770-4d14-8016-a3811d874c14
Line numbers

Raw audit messages:
node=viklef type=AVC msg=audit(1227572321.639:325): avc: denied { ioctl } for pid=6382 comm="thunderbird" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1227572321.639:325): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfee8f08 a3=bfee8f48 items=0 ppid=6243 pid=6382 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="thunderbird" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

=====================================================================

Summary: SELinux is preventing bash (staff_t) "read" to ./evolution (evolution_exec_t).

Detailed description: SELinux denied access requested by bash. It is not expected that this access is required by bash and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./evolution:
    restorecon -v './evolution'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context        staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target context        system_u:object_r:evolution_exec_t
Target objects        ./evolution [ file ]
Source                bash
Source path           /bin/bash
Port                  <Unknown>
Host                  viklef
Source RPM packages   bash-3.2-29.fc10
Target RPM packages
Policy RPM            selinux-policy-3.5.13-20.fc10
SELinux enabled       True
Policy type           targeted
MLS enabled           True
Enforcing mode        Enforcing
Plugin name           catchall_file
Host name             viklef
Platform              Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert count           1
First seen            Tue 25 November 2008, 01:18:17 CET
Last seen             Tue 25 November 2008, 01:18:17 CET
Local ID              78594d5a-e0c2-44a8-bbe1-01d186335d1b
Line numbers

Raw audit messages:
node=viklef type=AVC msg=audit(1227572297.25:316): avc: denied { read } for pid=6374 comm="bash" name="evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1227572297.25:316): arch=40000003 syscall=33 success=no exit=-13 a0=a0a3f88 a1=4 a2=0 a3=a0a3f88 items=0 ppid=6243 pid=6374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Trying this module

    module staffuLaunchmail 1.2;

    require {
        type staff_t;
        type evolution_exec_t;
        type thunderbird_exec_t;
        class file { getattr ioctl };
    }

    #============= staff_t ==============
    allow staff_t thunderbird_exec_t:file getattr;
    allow staff_t thunderbird_exec_t:file ioctl;
    allow staff_t evolution_exec_t:file getattr;
    allow staff_t evolution_exec_t:file ioctl;

and let's see what happens.
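An added example, not from the bug report or from the Fedora policy tools: it parses the AVC records quoted in the alerts above into the allow rules they would require (the grouping audit2allow performs) and compares them with the staffuLaunchmail module, which grants only getattr and ioctl and so leaves the read denials uncovered. The records and the module's rules are the ones pasted in this thread; whether the access should be granted at all is the separate question the thread answers later (the modules should not be installed on a targeted system).

```python
import re
from collections import defaultdict

# AVC records copied from the setroubleshoot alerts in this bug report (SYSCALL records omitted).
AVC_RECORDS = """
type=AVC msg=audit(1227565418.149:202): avc: denied { getattr } for pid=5541 comm="launchmail" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
type=AVC msg=audit(1227571542.802:269): avc: denied { read } for pid=6158 comm="sh" name="thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
type=AVC msg=audit(1227571880.69:308): avc: denied { getattr } for pid=6280 comm="ls" path="/usr/bin/evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file
type=AVC msg=audit(1227572321.639:325): avc: denied { ioctl } for pid=6382 comm="thunderbird" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file
type=AVC msg=audit(1227572297.25:316): avc: denied { read } for pid=6374 comm="bash" name="evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file
"""

# Pull the denied permissions and the source/target contexts out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Return (source_type, target_type, tclass, perms) for each AVC record in text."""
    denials = []
    for m in AVC_RE.finditer(text):
        # A context is user:role:type[:range]; policy rules are written on the type.
        src = m.group('scontext').split(':')[2]
        tgt = m.group('tcontext').split(':')[2]
        denials.append((src, tgt, m.group('tclass'), frozenset(m.group('perms').split())))
    return denials

def summarize(denials):
    """Union the denied permissions per (source, target, class) triple."""
    needed = defaultdict(set)
    for src, tgt, cls, perms in denials:
        needed[(src, tgt, cls)] |= perms
    return {k: frozenset(v) for k, v in needed.items()}

def allow_rules(summary):
    """One allow rule per triple, in the form audit2allow emits."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]

def missing_from_module(summary, granted):
    """Denied permissions that a module's allow rules leave uncovered."""
    gaps = {k: perms - granted.get(k, frozenset()) for k, perms in summary.items()}
    return {k: v for k, v in gaps.items() if v}

# What the staffuLaunchmail module pasted above grants.
STAFFU_LAUNCHMAIL = {
    ("staff_t", "thunderbird_exec_t", "file"): frozenset({"getattr", "ioctl"}),
    ("staff_t", "evolution_exec_t", "file"): frozenset({"getattr", "ioctl"}),
}
```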
Hmm, even with this module loaded, when I switch to Enforcing mode, I get "Access denied" when trying to run /usr/bin/thunderbird.
Where are you getting this policy from? thunderbird and evolution policy is not built into targeted policy.
[root@viklef policy]# ls -lZ /usr/bin/{thunderbird,evolution}*
-rwxr-xr-x  root root system_u:object_r:evolution_exec_t   /usr/bin/evolution
-rwxr-xr-x  root root system_u:object_r:thunderbird_exec_t /usr/bin/thunderbird
[root@viklef policy]# restorecon -v /usr/bin/{thunderbird,evolution}*
[root@viklef policy]# rpm -qf /etc/selinux/targeted/policy/policy.23
selinux-policy-targeted-3.5.13-20.fc10.noarch
[root@viklef policy]#
and maybe

[root@viklef policy]# id
uid=0(root) gid=0(root) skupiny=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root@viklef policy]# id matej
uid=500(matej) gid=500(matej) skupiny=500(matej),4(adm),10(wheel),12(mail),14(uucp),100(users),51(smmsp),501(src),104(mock),105(pulse),106(pulse-rt),107(pulse-access),505(virt)
[root@viklef policy]#
sorry, the latter should read

[matej@viklef targeted]$ id
uid=500(matej) gid=500(matej) skupiny=4(adm),10(wheel),12(mail),14(uucp),51(smmsp),100(users),104(mock),105(pulse),106(pulse-rt),107(pulse-access),500(matej),501(src),505(virt) context=staff_u:staff_r:staff_t:SystemLow-SystemHigh
[matej@viklef targeted]$
semodule -r thunderbird evolution

You have policy packages installed that are not part of the final release.
Not sure where you got those pp files but they should not be installed, they were not installed in F10 or F9. They were in strict policy.
OK, this notebook has a long and checkered history, so maybe I caught them somewhere on the way.
Created attachment 324623: stdout of semodule -l

Could I ask you for a diff of your output of semodule -l against this one? It's weird, because I get a labeled thunderbird even on the other computer, which is pretty pure Rawhide (x86_64). If I should help you by being a guinea pig (do you need one yet?) for staff_u, I need to be sure that I don't have some trash on my computers.

[root@hubmaier ~]# ls -lZ /usr/bin/thunderbird
-rwxr-xr-x  root root system_u:object_r:thunderbird_exec_t /usr/bin/thunderbird
[matej@hubmaier ~]$ ls -lZ /usr/bin/evolution
-rwxr-xr-x  root root system_u:object_r:evolution_exec_t /usr/bin/evolution
[matej@hubmaier ~]$
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
So, yes this bug can be closed as WHATINTHEWORLDISGOINGON?