Bug 491866 - SELinux causes f-spot DBus access denial
Summary: SELinux causes f-spot DBus access denial
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-24 13:49 UTC by Michel Lind
Modified: 2009-05-01 17:56 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-01 17:56:33 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michel Lind 2009-03-24 13:49:32 UTC
Description of problem:
When running SELinux on Rawhide, SELinux policy prevents ndesk-dbus from owning org.gnome.FSpot

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.8-3.fc11.noarch
f-spot-0.5.0.3-7.fc11.x86_64
ndesk-dbus-0.6.1a-4.fc11.x86_64

(Same on i586)

How reproducible:
Always

Steps to Reproduce:
1. yum install f-spot
2. f-spot --debug
  
Actual results:
$ f-spot --debug
** Running f-spot in Debug Mode **
** Running Mono with --debug   **
[Info  09:44:05.052] Initializing DBus
[Debug 09:44:05.193] DBusInitialization took 0.131913s
[Info  09:44:05.193] Initializing Mono.Addins
[Debug 09:44:05.429] Mono.Addins Initialization took 0.236513s
[Info  09:44:05.436] Starting new FSpot server
XXXXX
System.Exception: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.98" is not allowed to own the service "org.gnome.FSpot" due to SELinux policy
  at IBusProxy.RequestName (System.String flags, NameFlag ) [0x00000] 
  at NDesk.DBus.Bus.RequestName (System.String name, NameFlag flags) [0x00000] in /builddir/build/BUILD/ndesk-dbus-0.6.1a/src/Bus.cs:128 
  at FSpot.Core.RegisterServer () [0x00000] 
  at FSpot.Driver.Main (System.String[] args) [0x00000] 
XXXXX
[Warn  09:44:05.516] Can't get a connection to the dbus. Trying again...
[Info  09:44:05.516] Starting new FSpot server
[Warn  09:44:05.516] Can't get a connection to the dbus. Trying again...
[Info  09:44:05.517] Starting new FSpot server
[Warn  09:44:05.517] Can't get a connection to the dbus. Trying again...
[Info  09:44:05.518] Starting new FSpot server
[Warn  09:44:05.519] Can't get a connection to the dbus. Trying again...
[Info  09:44:05.519] Starting new FSpot server
[Warn  09:44:05.520] Can't get a connection to the dbus. Trying again...
[Info  09:44:05.521] Starting new FSpot server
[Warn  09:44:05.521] Can't get a connection to the dbus. Trying again...
[Error 09:44:05.521] Sorry, couldn't start F-Spot


Expected results:
f-spot should work normally (it still works using setenforce 0)

Additional info:

Comment 1 Daniel Walsh 2009-03-24 14:33:05 UTC
Fixed in selinux-policy-3.6.10-1.fc11.noarch

Comment 2 Michel Lind 2009-03-24 17:26:12 UTC
I pulled selinux-policy and selinux-policy-targeted 3.6.10-1 from Koji and the problem is still occuring.

Tried with the latest kernels pushed to Rawhide:
kernel-2.6.29-0.218.rc7.git2.fc11.x86_64
kernel-2.6.29-0.258.rc8.git2.fc11.x86_64

Comment 3 Daniel Walsh 2009-03-24 19:29:50 UTC
Do you see any avc messages in /var/log/audit/audit.log or /var/log/messages

We had a similar bugzilla earlier and I though I had fixed it.

Comment 4 Jean-François Martin 2009-04-06 14:09:07 UTC
I have the same problem.

The message reported in /var/log/messages :

Apr  6 16:05:35 jin dbus: avc:  denied  { acquire_svc } for service=org.gnome.FSpot spid=6449 scontext=unconfined_u:unconfined_r:unconfined_mono_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus

Comment 5 Daniel Walsh 2009-05-01 17:56:33 UTC
Fixed in selinux-policy-3.6.12-27.fc11.noarch


Note You need to log in before you can comment on or make changes to this bug.