Bug 473474 - SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ConsoleKit
Version: 10
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Bill Nottingham
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-28 13:32 EST by Nicolas Troncoso Carrere
Modified: 2014-03-16 23:16 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-24 11:20:55 EDT
Description Nicolas Troncoso Carrere 2008-11-28 13:32:32 EST
How reproducible:
Sometimes


Additional info:
Summary:
SELinux is preventing console-kit-dae (consolekit_t) "sys_resource" consolekit_t. 

Detailed Description:
SELinux denied access requested by console-kit-dae. It is not expected that this access is required by console-kit-dae and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. 

Allowing Access:
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package. 

Additional Information:
Source Context:  system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects:  None [ capability ]
Source:  console-kit-dae
Source Path:  /usr/sbin/console-kit-daemon
Port:  <Unknown>
Host:  cortana
Source RPM Packages:  ConsoleKit-0.3.0-2.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-18.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  cortana
Platform:  Linux cortana 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count:  12
First Seen:  Wed 26 Nov 2008 01:21:04 AM CLS
Last Seen:  Wed 26 Nov 2008 01:21:34 AM CLS
Local ID:  bfd901a2-3b39-4a50-b983-288e1d370471
Line Numbers:  
Raw Audit Messages:
node=cortana type=AVC msg=audit(1227673294.830:97): avc: denied { sys_resource } for pid=2087 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=cortana type=SYSCALL msg=audit(1227673294.830:97): arch=40000003 syscall=4 success=yes exit=654 a0=52 a1=b7a2c0c0 a2=28e a3=b7a2c0c0 items=0 ppid=1 pid=2087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Comment 1 Luis Montalvo 2008-12-05 12:28:27 EST
After an update from FC8 to FC10, I get a similar SELinux message for the files consolekit_log_t and consolekit_var_run_t.

1) Output from sealert for consolekit_var_run_t:

Summary
    SELinux is preventing /usr/sbin/console-kit-daemon (system_dbusd_t) "unlink"
    to <Unknown> (consolekit_var_run_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/console-kit-daemon. It is not
    expected that this access is required by /usr/sbin/console-kit-daemon and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_var_run_t:s0
Target Objects                None [ file ]
Affected RPM Packages         ConsoleKit-0.3.0-2.fc10 [application]
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     colibri.localdomain
Platform                      Linux colibri.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Wed Dec  3 23:58:03 2008
Last Seen                     Wed Dec  3 23:58:03 2008
Local ID                      b86cee3b-20b7-4a44-90b0-d513dd3422d1
Line Numbers                  

Raw Audit Messages            

avc: denied { unlink } for comm=console-kit-dae dev=dm-0 egid=0 euid=0
exe=/usr/sbin/console-kit-daemon exit=0 fsgid=0 fsuid=0 gid=0 items=0
name=database pid=2131 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
sgid=0 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:consolekit_var_run_t:s0 tty=(none) uid=0

2) Output from sealert for consolekit_log_t:

Summary
    SELinux is preventing /usr/sbin/console-kit-daemon (system_dbusd_t) "read"
    to <Unknown> (consolekit_log_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/console-kit-daemon. It is not
    expected that this access is required by /usr/sbin/console-kit-daemon and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_log_t:s0
Target Objects                None [ file ]
Affected RPM Packages         ConsoleKit-0.3.0-2.fc10 [application]
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     colibri.localdomain
Platform                      Linux colibri.localdomain 2.6.27.5-117.fc10.i686
                              #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   1
First Seen                    Wed Dec  3 23:58:03 2008
Last Seen                     Wed Dec  3 23:58:03 2008
Local ID                      11adec9f-a14b-4e56-b076-3ab12964d0df
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=console-kit-dae dev=dm-0 egid=0 euid=0
exe=/usr/sbin/console-kit-daemon exit=27 fsgid=0 fsuid=0 gid=0 items=0
name=history pid=2132 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
sgid=0 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:consolekit_log_t:s0 tty=(none) uid=0
Comment 2 Alex Bennee 2009-02-10 03:09:57 EST
I'm also seeing this on a fresh FC-10 install. While waiting at a GDM prompt, the log keeps spewing at a rate of about 1 a second:

Feb 10 07:39:23 localhost setroubleshoot: SELinux is preventing
console-kit-dae (consolekit_t) "sys_admin" consolekit_t. For complete
SELinux messages. run sealert -l c81cff7e-fe95-4b0e-a53e-7c511bf227d0


07:43 root@trent/i686 [~] >sealert -l c81cff7e-fe95-4b0e-a53e-7c511bf227d0

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          trent
Source RPM Packages           ConsoleKit-0.3.0-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-41.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     trent
Platform                      Linux trent 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed
                              Jan 21 02:09:37 EST 2009 i686 i686
Alert Count                   96
First Seen                    Tue Feb 10 07:38:02 2009
Last Seen                     Tue Feb 10 07:38:03 2009
Local ID                      c81cff7e-fe95-4b0e-a53e-7c511bf227d0
Line Numbers                  

Raw Audit Messages            

node=trent type=AVC msg=audit(1234251483.880:151): avc:  denied  { sys_admin } for  pid=1839 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=trent type=SYSCALL msg=audit(1234251483.880:151): arch=40000003 syscall=5 success=no exit=-23 a0=81a6640 a1=20401 a2=180 a3=ffffffff items=0 ppid=1 pid=1839 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)


Feb 10 07:39:24 localhost setroubleshoot: SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t. For complete SELinux messages. run sealert -l c81cff7e-fe95-4b0e-a53e-7c511bf227d0

When I finally log in I see a few more different warnings.

Feb 10 07:39:25 localhost setroubleshoot: SELinux is preventing
polkit-read-aut (polkit_auth_t) "write" to /var/log/gdm/:0-greeter.log
(xserver_log_t). For complete SELinux messages. run sealert -l
3f091cbe-1960-4248-b23a-604a896242e0

07:45 root@trent/i686 [~] >sealert -l 3f091cbe-1960-4248-b23a-604a896242e0

Summary:

SELinux is preventing polkit-read-aut (polkit_auth_t) "write" to
/var/log/gdm/:0-greeter.log (xserver_log_t).

Detailed Description:

SELinux denied access requested by polkit-read-aut. It is not expected that this
access is required by polkit-read-aut and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/gdm/:0-greeter.log,

restorecon -v '/var/log/gdm/:0-greeter.log'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:polkit_auth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xserver_log_t:s0
Target Objects                /var/log/gdm/:0-greeter.log [ file ]
Source                        polkit-read-aut
Source Path                   /usr/libexec/polkit-read-auth-helper
Port                          <Unknown>
Host                          trent
Source RPM Packages           PolicyKit-0.9-4.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-41.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     trent
Platform                      Linux trent 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed
                              Jan 21 02:09:37 EST 2009 i686 i686
Alert Count                   60
First Seen                    Mon Feb  2 21:07:32 2009
Last Seen                     Tue Feb 10 07:39:15 2009
Local ID                      3f091cbe-1960-4248-b23a-604a896242e0
Line Numbers                  

Raw Audit Messages            

node=trent type=AVC msg=audit(1234251555.460:272): avc:  denied  { write } for  pid=8662 comm="polkit-read-aut" path="/var/log/gdm/:0-greeter.log" dev=dm-0 ino=107325 scontext=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xserver_log_t:s0 tclass=file

node=trent type=SYSCALL msg=audit(1234251555.460:272): arch=40000003 syscall=11 success=yes exit=0 a0=2c50fb4 a1=bfe01d40 a2=bfe0275c a3=bfe01d40 items=0 ppid=8407 pid=8662 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=87 sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut" exe="/usr/libexec/polkit-read-auth-helper" subj=system_u:system_r:polkit_auth_t:s0-s0:c0.c1023 key=(null)
Comment 3 Fedora Admin XMLRPC Client 2009-04-08 13:00:35 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Daniel Walsh 2009-09-24 11:20:55 EDT
This must be fixed in F10.  Closing.
Comment 5 Alex Bennee 2009-09-24 11:55:24 EDT
Which package version was the fix included in?
Comment 6 Daniel Walsh 2009-09-24 14:23:59 EDT
I would figure selinux-policy. If you still see the bug please close.

selinux-policy-3.5.13-71.fc10 is the latest F10 package I believe.
