Bug 473176 - (staff_u) SELinux is preventing bonobo-activati (staff_t) "execute" to ./evolution-data-server-2.26 (unlabeled_t).
Summary: (staff_u) SELinux is preventing bonobo-activati (staff_t) "execute" to ./evol...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution-data-server
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Matthew Barnes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-11-26 22:39 UTC by Matěj Cepl
Modified: 2018-04-11 08:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-26 23:28:04 UTC
Type: ---
Embargoed:



Description Matěj Cepl 2008-11-26 22:39:30 UTC
When trying to click on the clock applet to show calendar, I get this:

SELinux is preventing bonobo-activati (staff_t) "execute" to
./evolution-data-server-2.26 (unlabeled_t).

Podrobný popis:

SELinux denied access requested by bonobo-activati. It is not expected that this
access is required by bonobo-activati and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./evolution-data-server-2.26,

restorecon -v './evolution-data-server-2.26'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:unlabeled_t
Objekty cíle                 ./evolution-data-server-2.26 [ file ]
Zdroj                         bonobo-activati
Cesta zdroje                  /usr/libexec/bonobo-activation-server
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          libbonobo-2.24.0-2.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-26.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           4
Poprvé viděno               St 26. listopad 2008, 23:01:31 CET
Naposledy viděno             St 26. listopad 2008, 23:02:16 CET
Místní ID                   ec281f50-fa16-4223-bf98-a69d41bb06c5
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227736936.760:98): avc:  denied  { execute } for  pid=26272 comm="bonobo-activati" name="evolution-data-server-2.26" dev=dm-0 ino=5022557 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227736936.760:98): arch=40000003 syscall=11 success=no exit=-13 a0=8a739b8 a1=8a78278 a2=8a99420 a3=8a739b8 items=0 ppid=26271 pid=26272 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="bonobo-activati" exe="/usr/libexec/bonobo-activation-server" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Matěj Cepl 2008-11-26 23:25:07 UTC
Actually, all applications connecting to e-d-s do this (pidgin, evolution itself, international clock, and something else which I forgot ;-))

Comment 2 Matěj Cepl 2008-11-26 23:28:04 UTC
Yes, nonsense, this is bad labelling (after removal of evolution module).
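
The diagnosis in Comment 2, as an added example that is not part of the bug report: a small triage routine that parses an AVC denial and separates a labeling problem (target type unlabeled_t, as in the record above) from a denial that needs a policy review. The names `triage` and `context_type` are hypothetical, and the sample line is the AVC record quoted in the description.

```python
import re

# AVC record copied from the report above (its SYSCALL record is not needed here).
SAMPLE = (
    'node=viklef type=AVC msg=audit(1227736936.760:98): avc:  denied  '
    '{ execute } for  pid=26272 comm="bonobo-activati" '
    'name="evolution-data-server-2.26" dev=dm-0 ino=5022557 '
    'scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type from user:role:type[:mls-range], or None if malformed."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def triage(line):
    """Parse one AVC denial; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    target_type = context_type(fields.get('tcontext', ''))
    # unlabeled_t means the file's stored label is missing or no longer valid
    # in the loaded policy, so the fix is relabeling, not a new allow rule.
    labeling = target_type == 'unlabeled_t'
    return {
        'perms': m.group('perms').split(),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': target_type,
        'tclass': fields.get('tclass'),
        'name': fields.get('name'),
        'labeling_problem': labeling,
        'action': 'relabel with restorecon' if labeling else 'review policy',
    }


if __name__ == '__main__':
    print(triage(SAMPLE))
```

The AVC `name=` field holds only the file's base name, so the full path to pass to restorecon has to come from elsewhere (for example the package's file list).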

