Bug 520100 - setroubleshoot: SELinux is preventing polkit-gnome-au (policykit_auth_t) "getattr" fonts_t.
Summary: setroubleshoot: SELinux is preventing polkit-gnome-au (policykit_auth_t)...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:213f1cd353a...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-08-28 12:15 UTC by Andrew Hecox
Modified: 2009-10-15 19:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-10-15 19:29:07 UTC

Attachments (Terms of Use)

Description Andrew Hecox 2009-08-28 12:15:41 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing polkit-gnome-au (policykit_auth_t) "getattr" fonts_t.

Detailed Description:

SELinux denied access requested by polkit-gnome-au. It is not expected that this
access is required by polkit-gnome-au and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:policykit_auth_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts [ dir ]
Source                        polkit-gnome-au
Source Path                   /usr/libexec/polkit-gnome-authentication-agent-1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-gnome-0.93-3.fc12
Target RPM Packages           fontpackages-filesystem-1.22-2.fc12
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-
                              #1 SMP Tue Aug 11 21:01:03 EDT 2009 i686 i686
Alert Count                   16
First Seen                    Tue 25 Aug 2009 01:00:06 PM EDT
Last Seen                     Tue 25 Aug 2009 01:00:48 PM EDT
Local ID                      6ed95fbd-54d0-4e41-a313-542417b83c20
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1251219648.678:42605): avc:  denied  { getattr } for  pid=1473 comm="polkit-gnome-au" path="/usr/share/fonts" dev=dm-0 ino=24531 scontext=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1251219648.678:42605): arch=40000003 syscall=195 success=no exit=-13 a0=9b00060 a1=bfffd4ec a2=107fff4 a3=3 items=0 ppid=1442 pid=1473 auid=4294967295 uid=42 gid=482 euid=42 suid=42 fsuid=42 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="polkit-gnome-au" exe="/usr/libexec/polkit-gnome-authentication-agent-1" subj=system_u:system_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= policykit_auth_t ==============
allow policykit_auth_t fonts_t:dir getattr;

Comment 1 Daniel Walsh 2009-08-28 13:24:52 UTC
You have a mislabeled /usr/libexec directory.

restorecon -R -v /usr/libexec

Marking this as not a bug, since I think this is an upgrade or Rawhide bug, that it did not fix the labeling.

Comment 2 Andrew Hecox 2009-08-28 14:57:31 UTC
Dan -- this is a clean install of F12 a1 from Tuesday...

if its a rawhide bug, shouldn't it be filed against ... something? Maybe I'm misunderstanding.

Very tool reporting widget, btw.

Comment 3 Daniel Walsh 2009-08-28 17:12:08 UTC
Was the file mislabeled?

Comment 4 Andrew Hecox 2009-08-28 17:21:14 UTC
I have no idea; I ran restorecon and haven't gotten a warning since, but they weren't happening all of the time.

Comment 5 Daniel Walsh 2009-08-28 17:36:01 UTC
All I know is the label should be bin_t and as of policy -8 it is bin_t.  
How it got mislabeled I do not know.  The mislabel was around in -6.  So if you installed rawhide and upgraded to -8 it should have fixed the label, but it looks like it did not.  If you installed directly -8 then rpm labeled it incorrectly.

Comment 6 Andrew Hecox 2009-08-28 17:51:27 UTC
alpha1 started with -8, so something must have relabeled it (or added mislabeled files?)

Is there a way to determine which package might have done that? I see fontpackages-filesystem-1.22-2.fc12 in the error report...

Comment 7 Daniel Walsh 2009-08-28 18:14:02 UTC
No I have no idea how it could possibly have been mislabeled.

Usually mislabeling happens when a file gets the label of its parent directory.

Could you try another Alpha1 install and see if it is mislabled?

Note You need to log in before you can comment on or make changes to this bug.