This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 505267 - selinux preventing update to ~/.gconf settings from gnome-power-preferences
selinux preventing update to ~/.gconf settings from gnome-power-preferences
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: GConf2 (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Ray Strode [halfline]
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-11 05:12 EDT by J Gallagher
Modified: 2009-07-15 04:20 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-15 04:20:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description J Gallagher 2009-06-11 05:12:51 EDT
Description of problem:
when changing settings in gnome-power-preferences and clicking "make default" I get an selinux error

SELinux is preventing gconf-defaults- (gconfdefaultsm_t) "getattr" to /home/james/.gconf (user_home_t). 

Detailed Description:
SELinux denied access requested by gconf-defaults-. /home/james/.gconf may be a mislabeled. /home/james/.gconf default SELinux type is gconf_home_t, but its current type is user_home_t. Changing this file back to the default type, may fix your problem. 

Version-Release number of selected component (if applicable):
GConf2-2.26.0-2.fc11.x86_64
selinux-policy-3.6.12-39.fc11.noarch
libselinux-2.0.80-1.fc11.x86_64
gnome-power-manager-2.26.1-3.fc11.x86_64




How reproducible:
On a new install of F11


Steps to Reproduce:
1. open gnome-powerpreferences
2. change settings and click "Make default"
3. enter root password
  
Actual results:
setroubleshooter generates the selinux error above


Expected results:
~/.gconf settings should be updated without selinux preventing it.


Additional info:
Comment 1 Daniel Walsh 2009-06-12 07:53:06 EDT
restorecon -R -v ~/

Should fix.

THe problem is the directory got created with the wrong label on it.

You can run the restorecond service to watch for this type of thing in the future.
Comment 2 Matt Chan 2009-06-25 00:08:44 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=507876

is probably a duplicate of this.

By the way, I can confirm this behaviour on my fresh F11 install.
Comment 3 Daniel Walsh 2009-06-26 16:20:52 EDT
Did the restorecon fix the labeling?  Does it work now?
Comment 4 Matt Chan 2009-06-29 00:16:28 EDT
No, the restorecon didn't fix things. 

The problem is still there. 

Here are the setroubleshootd logs: 

Source Context:  system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:security_t:s0
Target Objects:  mls [ file ]Source:  gconf-defaults-
Source Path:  /usr/libexec/gconf-defaults-mechanism
Port:  <Unknown>
Host:  laptop.unit2Source 
RPM Packages:  GConf2-2.26.2-1.fc11
Target RPM Packages:  Policy 
RPM:  selinux-policy-3.6.12-53.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  catchall
Host Name:  laptop.unit2
Platform:  Linux laptop.unit2 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686
Alert Count:  6
First Seen:  Mon 29 Jun 2009 12:09:19 AM EDT
Last Seen:  Mon 29 Jun 2009 12:11:49 AM EDT
Local ID:  6952298d-0566-4af8-b7e6-3f2ca1d6221b
Line Numbers:  
Raw Audit Messages :
node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { read } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file 

node=laptop.unit2 type=AVC msg=audit(1246248709.298:61): avc: denied { open } for pid=7268 comm="gconf-defaults-" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file 

node=laptop.unit2 type=SYSCALL msg=audit(1246248709.298:61): arch=40000003 syscall=5 success=yes exit=3 a0=bf8054a8 a1=8000 a2=0 a3=bf8054a8 items=0 ppid=7267 pid=7268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gconf-defaults-" exe="/usr/libexec/gconf-defaults-mechanism" subj=system_u:system_r:gconfdefaultsm_t:s0-s0:c0.c1023 key=(null)
Comment 5 Matt Chan 2009-06-29 00:20:45 EDT
Sorry, I should mention that it has changed slightly. Where the first error was  

"preventing gconf-defaults- (gconfdefaultsm_t) "getattr" to /home/james/.gconf (user_home_t). "

It has now become:

"preventing gconf-defaults- (gconfdefaultsm_t) "read" security_t. "
Comment 6 Daniel Walsh 2009-06-29 10:53:18 EDT
The security_t thing is a separate issue fixed in selinux-policy-3.6.12-57.fc11

It should not prevent anything from working.
Comment 7 J Gallagher 2009-07-06 05:41:45 EDT
I can confirm the new selinux error, if it doesn't prevent anything working why is selinux generating an error?

selinux-policy-3.6.12-53.fc11 is the latest available in the repositories. 

can you push 3.6.12-57.fc11, so this can be resolved, thanks.

This bug should be classified as "gnome-power-preferences is generating selinux errors", and it is not "NOTABUG"

Opening until fixed in repos.
Comment 8 Martin Tack 2009-07-12 16:33:42 EDT
I have to ad a more annoying event.

While booting ,just before gdm pops up I get a message like
powermanager not properly configured .It blocks gdm ,and with
some luck and 5-10 min. wait-time ,gdm comes up amid allot 
of windows which say "powermanager not properly configured"

(was in Dutch ,have translated freely)

It also mentioned Gconf2 etc ,but I couldn't read it.
I will restart sometimes and see if a can make something
from it.

My OS is kernel linux 2.6.29.5-191.fc11.x86_64 .

Ill happily give more info when asked.

I also applied : restorecon -R -v ~/ as sugested by 
 
Daniel Walsh in comment #1  and as a result :

[root@xxxx ~]# restorecon -R -v ~/
restorecon reset /root/.xauth9y2EsK context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.local/share/Trash/files/nphelix.so context system_u:object_r:lib_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/.xauthRKIDrH context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.xauthy5IImQ context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
restorecon reset /root/.gvfs context system_u:object_r:fusefs_t:s0->system_u:object_r:admin_home_t:s0
restorecon set context /root/.gvfs->system_u:object_r:admin_home_t:s0 failed:'Operation not supported'

I think the last 2 lines are "normal" 

I hope this helps

Martin
Comment 9 Daniel Walsh 2009-07-14 10:35:47 EDT
Martin please open a diffent bugzilla for this since it is a different problem.  If you are logging in as root via GDM, this is not supported and is considered very dangerous from a security point of view.  SELinux policy will not be altered to allow it, so you if you want to login via gdm as root, you will need to put SELinux in permissive mode.
Comment 10 Martin Tack 2009-07-14 14:01:46 EDT
I'm not ,couldn't login at all .

I never (can) login as root via gdm ,I made it impossible .

Have been on a live CD for nearly 3 day's ,surfing for

equal cases ,and I don't want to destroy the installed

(failing) F11.    

I have some more information now ,and will open a different
bugzilla .

I thought my problem was related with this bug.

thanks anyway ,

Martin
Comment 11 J Gallagher 2009-07-15 04:20:32 EDT
This is now fixed with selinux-policy--3.6.12-62.fc11.noarch

Thanks.

Note You need to log in before you can comment on or make changes to this bug.