Bug 491480 - f-spot org.freedesktop.DBus.Error.AccessDenied due to SELinux policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2009-03-21 12:23 EDT by Scott Tsai
Modified: 2009-04-06 08:44 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-23 12:59:37 EDT
Description Scott Tsai 2009-03-21 12:23:12 EDT
Description of problem:
f-spot doesn't start without "setenforce 0"

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.8-3.fc11.noarch
f-spot-0.5.0.3-7.fc11.x86_64
dbus-1.2.4.4permissive-4.fc11.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Run "f-spot"
  
Actual results:
$ f-spot
[Info  00:20:51.018] Initializing DBus
[Info  00:20:51.124] Initializing Mono.Addins
[Info  00:20:51.297] Starting new FSpot server
XXXXX
System.Exception: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.1023" is not allowed to own the service "org.gnome.FSpot" due to SELinux policy
  at IBusProxy.RequestName (System.String flags, NameFlag ) [0x00000] 
  at NDesk.DBus.Bus.RequestName (System.String name, NameFlag flags) [0x00000] 
  at FSpot.Core.RegisterServer () [0x00000] 
  at FSpot.Driver.Main (System.String[] args) [0x00000] 
XXXXX
[Warn  00:20:51.356] Can't get a connection to the dbus. Trying again...
[Info  00:20:51.357] Starting new FSpot server
[Warn  00:20:51.357] Can't get a connection to the dbus. Trying again...
[Info  00:20:51.357] Starting new FSpot server
[Warn  00:20:51.357] Can't get a connection to the dbus. Trying again...
[Info  00:20:51.358] Starting new FSpot server
[Warn  00:20:51.358] Can't get a connection to the dbus. Trying again...
[Info  00:20:51.358] Starting new FSpot server
[Warn  00:20:51.358] Can't get a connection to the dbus. Trying again...
[Info  00:20:51.359] Starting new FSpot server
[Warn  00:20:51.359] Can't get a connection to the dbus. Trying again...
[Error 00:20:51.359] Sorry, couldn't start F-Spot


Expected results:
Pretty GUI.

Additional info:
"sudo setenforce 0 && f-spot" works.
Comment 1 Daniel Walsh 2009-03-23 09:37:18 EDT
I run f-spot and it runs fine on my rawhide box.

Are you seeing any AVC messages in /var/log/audit/audit.log?
Comment 2 Scott Tsai 2009-03-23 11:01:46 EDT
Running f-spot in enforcing mode does not produce any new entries in /var/log/audit/audit.log but fails with:
[Info  22:57:50.360] Starting new FSpot server
XXXXX
System.Exception: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.2" is not allowed to own the service "org.gnome.FSpot" due to SELinux policy
  at IBusProxy.RequestName (System.String flags, NameFlag ) [0x00000] 
  at NDesk.DBus.Bus.RequestName (System.String name, NameFlag flags) [0x00000] 
  at FSpot.Core.RegisterServer () [0x00000] 
  at FSpot.Driver.Main (System.String[] args) [0x00000] 
XXXXX

Running f-spot in permissive mode works.

Some uneducated attempts at diagnosing this:
Which component is responsible for the "Connection ":1.2" is not allowed to own the service "org.gnome.FSpot" due to SELinux policy" part of the message? dbus? Are you also running dbus-1.2.4.4permissive-4.fc11?
Comment 3 Scott Tsai 2009-03-23 11:17:45 EDT
I found the AVC message in /var/log/messages:
dbus: avc:  denied  { acquire_svc } for service=org.gnome.FSpot spid=22381 scontext=unconfined_u:unconfined_r:unconfined_mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus
Comment 4 Daniel Walsh 2009-03-23 12:59:37 EDT
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.10-1.fc11.noarch
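
Added example, not part of the original bug report or of any tool named in it: a small Python parser that reads the userspace D-Bus denial line quoted in Comment 3 and renders the allow rule it corresponds to, so the rule can be read before a module built from it is loaded. The function names and the second sample line are assumptions made for this illustration.

```python
import re

# Denial line quoted in Comment 3, followed by a constructed non-AVC line.
SAMPLE_LOG = [
    'dbus: avc:  denied  { acquire_svc } for service=org.gnome.FSpot spid=22381 '
    'scontext=unconfined_u:unconfined_r:unconfined_mono_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus',
    'dbus: constructed line that is not a denial',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')

def context_type(context):
    """Type field of user:role:type[:level]; the MLS level itself contains ':'."""
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {context!r}')
    return parts[2]

def parse_avc(line):
    """Return the fields of one denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split('=', 1) for tok in m.group('rest').split() if '=' in tok)
    missing = {'scontext', 'tcontext', 'tclass'} - fields.keys()
    if missing:
        raise ValueError(f'denial without {sorted(missing)}: {line!r}')
    return {'perms': m.group('perms').split(),
            'source': context_type(fields['scontext']),
            'target': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'service': fields.get('service')}

def allow_rule(denial):
    """Render the type-enforcement rule that would permit the denied access."""
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['source']} {denial['target']}:{denial['tclass']} {perm_text};"

def rules_from_log(lines):
    """Collect one rule per distinct denial, in first-seen order."""
    rules = []
    for denial in filter(None, map(parse_avc, lines)):
        rule = allow_rule(denial)
        if rule not in rules:
            rules.append(rule)
    return rules

if __name__ == '__main__':
    print('\n'.join(rules_from_log(SAMPLE_LOG)))
```

For the line from Comment 3 the rule names unconfined_mono_t as the source domain and unconfined_t as the target, with only the acquire_svc permission of class dbus.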
Comment 5 Pavel Rosenboim 2009-04-05 09:19:07 EDT
I still see the same error with fully updated rawhide with selinux-policy-3.6.10-8.fc11.noarch
Comment 6 Daniel Walsh 2009-04-06 08:44:07 EDT
Fixed in selinux-policy-3.6.10-9.fc11
