Bug 498758 - SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t.
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: 10
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-02 19:18 EDT by cdlyon255
Modified: 2009-08-12 11:25 EDT
Doc Type: Bug Fix
Last Closed: 2009-08-12 11:25:42 EDT
Description cdlyon255 2009-05-02 19:18:25 EDT
Description of problem:

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "sys_admin" consolekit_t.

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        console-kit-dae
Source Path                   <Unknown>
Port                          <Unknown>
Host                          christoper.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-57.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     christoper.localdomain
Platform                      Linux christoper.localdomain
                              2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23
                              23:37:54 EDT 2009 i686 i686
Alert Count                   61
First Seen                    Sat 04 Apr 2009 12:43:07 AM EDT
Last Seen                     Sat 02 May 2009 04:14:20 PM EDT
Local ID                      ed642e6e-9da6-431b-bcda-b9b5af3ef966
Line Numbers                  

Raw Audit Messages            

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1788 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1788 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1788 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1789 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1789 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1789 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1790 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1790 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1790 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1791 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1791 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1791 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1792 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1792 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1792 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1793 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1793 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1793 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1794 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1794 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1794 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1795 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1795 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1795 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1796 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1796 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1796 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1797 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_resource } for  pid=1797 comm="console-kit-dae" capability=24 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_rawio } for  pid=1797 comm="console-kit-dae" capability=17 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability

node=christoper.localdomain type=AVC msg=audit(1241295260.930:53): avc:  denied  { sys_admin } for  pid=1798 comm="console-kit-dae" capability=21 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability




Comment 1 Daniel Walsh 2009-05-04 12:14:31 EDT
Were you running out of space when this happened or were you running ext4 or btrfs file system?
Comment 2 Eric Paris 2009-05-04 12:43:33 EDT
Those 3 together look more like an OOM (out of memory) than full filesystem. Do you have an OOM message in the logs? And potentially a lot more denials for other programs that look like this? Have you looked at the /proc/pid/oom_score for this task? In any case, this should be fixed in newer kernels (2.6.28 and later I believe)
Comment 3 cdlyon255 2009-05-17 23:54:59 EDT
(In reply to comment #1)
> Were you running out of space when this happened or were you running ext4 or
> btrfs file system?  

If you mean disk space, no, I have plenty of space. Memory could be better, but it's not real bad. Set-up is dual-boot on 80G Dell Dimension 4700 box, even split with Windows XP on other half. Used ext3 on Omega10 install. Can't really give you a detailed description of how I would get these SELinux alerts; they just show up while I am online using Firefox as browser. I doubt it has anything to do with a website because they show up all the time.
Comment 4 cdlyon255 2009-05-18 00:06:03 EDT
(In reply to comment #1)
> Were you running out of space when this happened or were you running ext4 or
> btrfs file system?  

If you mean disk space, no, I have plenty of space. Memory could be better, but it's not real bad. Set-up is dual-boot on 80G Dell Dimension 4700 box, even split with Windows XP on other half. Used ext3 on Omega10 install. Can't really give you a detailed description of how I would get these SELinux alerts; they just show up while I am online using Firefox as browser. I doubt it has anything to do with a website because they show up all the time.

(In reply to comment #2)
> Those 3 together look more like an OOM (out of memory) than full filesystem. 
> Do you have an OOM message in the logs?  And potentially a lot more denials for
> other programs that look like this?  Have you looked at the /proc/pid/oom_score
> for this task?   In any case, this should be fixed in newer kernels (2.6.28 and
> later I believe)  
I think I'm using the 2.6.28 kernel presently, and yeah there are more denials that are similar, but memory as stated above isn't bad. Can't give an exact figure but I think I have 30%-40% free memory still available.
Comment 5 Daniel Walsh 2009-05-18 09:51:51 EDT
Well, this is a kernel issue. When we have seen these types of access requests in the past it has been related to file system problems like using btrfs or to oomkiller firing off because a runaway process has eaten all of the memory.
Comment 6 Eric Paris 2009-08-12 11:25:42 EDT
Fixed upstream by not auditing these denials. Closing bug, let us know if you see these problems again.
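
Added example, not part of the bug thread or of any Fedora tooling: a small Python triage that applies the reading from comments 2 and 5 to audit records. It groups AVC denials per audit event and process and marks the groups that consist solely of the sys_admin/sys_resource/sys_rawio self-capability trio. The sample records, `host.example`, `exampled` and the `example_t` types are constructed.

```python
import re
from collections import defaultdict

# The three capabilities that comment 2 reads together as an OOM signature.
OOM_TRIO = frozenset({"sys_admin", "sys_resource", "sys_rawio"})

AVC_RE = re.compile(
    r'msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'\s+for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def triage(lines):
    """Group denials by (audit event, pid, comm) and label each group."""
    groups = defaultdict(lambda: {"self_caps": set(), "other": 0})
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        g = groups[(m["event"], int(m["pid"]), m["comm"])]
        # A capability check against the process's own domain has scontext == tcontext.
        if m["tclass"] == "capability" and m["scon"] == m["tcon"]:
            g["self_caps"].update(m["perms"].split())
        else:
            g["other"] += 1
    verdicts = {}
    for key, g in groups.items():
        if g["other"] == 0 and g["self_caps"] == OOM_TRIO:
            verdicts[key] = "oom-like"  # next step: look for OOM messages in the logs
        else:
            verdicts[key] = "review"    # partial trio or other denials: read by hand
    return verdicts

# Constructed sample records in the format of the raw audit messages above.
CTX = "system_u:system_r:consolekit_t:s0-s0:c0.c1023"
def _cap(pid, perm, num):
    return (f'node=host.example type=AVC msg=audit(1241295260.930:53): avc:  denied  '
            f'{{ {perm} }} for  pid={pid} comm="console-kit-dae" capability={num} '
            f'scontext={CTX} tcontext={CTX} tclass=capability')

SAMPLE = [
    _cap(1788, "sys_admin", 21), _cap(1788, "sys_resource", 24), _cap(1788, "sys_rawio", 17),
    _cap(1798, "sys_admin", 21),  # only one of the three: not the full signature
    'node=host.example type=AVC msg=audit(1241295300.100:60): avc:  denied  { read } for  '
    'pid=2001 comm="exampled" name="data" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:example_file_t:s0 tclass=file',
]

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE).items():
        print(key, verdict)
```
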
