Bug 527739 - setroubleshoot: SELinux is preventing /usr/libexec/polkit-1/polkitd "read" access on meminfo.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2b7ef1e94d0...
Depends On:
Blocks:
Reported: 2009-10-07 14:52 UTC by James Laska
Modified: 2013-09-02 06:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-07 21:54:54 UTC
Type: ---
Embargoed:



Description James Laska 2009-10-07 14:52:42 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /usr/libexec/polkit-1/polkitd "read" access on meminfo.

Detailed Description:

SELinux denied access requested by polkitd. It is not expected that this access
is required by polkitd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        polkitd
Source Path                   /usr/libexec/polkit-1/polkitd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.95-0.git20090913.2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-12.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.1-56.fc12.i686
                              #1 SMP Tue Sep 29 16:32:02 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 07 Oct 2009 10:48:40 AM EDT
Last Seen                     Wed 07 Oct 2009 10:48:40 AM EDT
Local ID                      3e571314-a318-48e2-9a76-54d130143231
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1254926920.456:256): avc:  denied  { read } for  pid=1542 comm="polkitd" name="meminfo" dev=proc ino=4026531992 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1254926920.456:256): arch=40000003 syscall=5 success=no exit=-13 a0=271b66 a1=0 a2=1b6 a3=26f4ae items=0 ppid=1 pid=1542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-12.fc12,catchall,polkitd,policykit_t,proc_t,file,read
audit2allow suggests:

#============= policykit_t ==============
allow policykit_t proc_t:file read;

Comment 1 Daniel Walsh 2009-10-07 21:54:54 UTC
Fixed in selinux-policy-3.6.32-22.fc12.noarch

Comment 2 Robert Laverick 2009-10-09 19:37:43 UTC
(In reply to comment #1)
>   Fixed in selinux-policy-3.6.32-22.fc12.noarch  

I've got that rpm installed, and I still get this error, or at least the bug report calls it a duplicate of this when logging in.

Comment 3 Daniel Walsh 2009-10-09 21:09:04 UTC
Well -23 and 24 are in koji right now and should be released before beta, probably tomorrow.

Or you can grab them

http://koji.fedoraproject.org/koji/buildinfo?buildID=135962

I am running 24 and the tools tell me this is fixed there.

Comment 4 Guy Streeter 2009-10-12 19:06:13 UTC
I have selinux-policy-3.6.32-24.fc12.noarch installed and got this bug today.


Summary:

SELinux is preventing /usr/libexec/polkit-1/polkitd "read" access on meminfo.

Detailed Description:

SELinux denied access requested by polkitd. It is not expected that this access
is required by polkitd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        polkitd
Source Path                   /usr/libexec/polkit-1/polkitd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.95-0.git20090913.2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-12.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.31.1-56.fc12.i686.PAE #1 SMP Tue Sep 29
                              16:16:16 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Thu 08 Oct 2009 02:20:29 PM CDT
Last Seen                     Mon 12 Oct 2009 08:50:17 AM CDT
Local ID                      33ab92b3-a1a0-4ef3-a5f8-d919e8997ce7
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1255355417.694:7): avc:  denied  { read } for  pid=1592 comm="polkitd" name="meminfo" dev=proc ino=4026531992 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1255355417.694:7): arch=40000003 syscall=5 success=no exit=-13 a0=708b66 a1=0 a2=1b6 a3=7064ae items=0 ppid=1591 pid=1592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)

Comment 5 Daniel Walsh 2009-10-13 13:29:32 UTC
Well either you are mistaken or the tool is broken, since the tool is reporting the policy as selinux-policy-3.6.32-12.fc12


Could you execute 

yum reinstall selinux-policy-targeted 

And make sure it works successfully?

Comment 6 Guy Streeter 2009-10-13 13:59:21 UTC
Here's one from this morning:


Summary:

SELinux is preventing /usr/lib/thunderbird-3.0b4/thunderbird-bin "execmem"
access on <Unknown>.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by thunderbird-bin. The current boolean settings
do not allow this access. If you have not setup thunderbird-bin to require this
access this may signal an intrusion attempt. If you do intend this access you
need to change the booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: allow_execstack, allow_execmem

Fix Command:

Choose one of the following to allow access:
Allow unconfined executables to make their stack executable. This should never,
ever be necessary. Probably indicates a badly coded executable, but could
indicate an attack. This executable should be reported in bugzilla")
# setsebool -P allow_execstack 1
Allow unconfined executables to map a memory region as both executable and
writable, this is dangerous and the executable should be reported in bugzilla")
# setsebool -P allow_execmem 1


Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        thunderbird-bin
Source Path                   /usr/lib/thunderbird-3.0b4/thunderbird-bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           thunderbird-3.0-3.9.b4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-24.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.31.1-56.fc12.i686.PAE #1 SMP Tue Sep 29
                              16:16:16 EDT 2009 i686 i686
Alert Count                   36
First Seen                    Mon 12 Oct 2009 01:51:43 PM CDT
Last Seen                     Tue 13 Oct 2009 08:50:38 AM CDT
Local ID                      c86a8bf0-9814-4d16-83a1-6ede7d6d4a00
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1255441838.276:25317): avc:  denied  { execmem } for  pid=2233 comm="thunderbird-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=localhost.localdomain type=SYSCALL msg=audit(1255441838.276:25317): arch=40000003 syscall=192 success=yes exit=4689920 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=2229 pid=2233 auid=5160 uid=5160 gid=5161 euid=5160 suid=5160 fsuid=5160 egid=5161 sgid=5161 fsgid=5161 tty=(none) ses=1 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0b4/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

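The two alerts on this bug look alike in setroubleshoot's summary but are different cases: the polkitd denial in the description is a real refusal in enforcing mode that audit2allow turns into an allow rule for a local policy module, while the thunderbird-bin alert in comment 6 was logged in permissive mode and points at a boolean rather than a policy gap. The script below is an added example written for this page, not code from setroubleshoot, audit2allow or selinux-policy; it parses the AVC and SYSCALL records copied from both reports, pairs them by audit serial, reproduces the audit2allow-style rule, and reports whether the access was actually blocked. The function names (parse_avc, parse_syscall, allow_rule, analyse) are this example's own.

```python
"""Derive audit2allow-style rules from the AVC records on this bug and tell
enforcing denials apart from permissive-mode log entries.

Added example for this page; not code from setroubleshoot, audit2allow or
selinux-policy.  All function names here are the example's own.
"""
import errno
import re

# Audit records copied verbatim from the description (polkitd, enforcing) and
# from comment 6 (thunderbird-bin, permissive).  They are not constructed.
AUDIT_LINES = [
    'node=(removed) type=AVC msg=audit(1254926920.456:256): avc:  denied  { read } for  pid=1542 comm="polkitd" name="meminfo" dev=proc ino=4026531992 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'node=(removed) type=SYSCALL msg=audit(1254926920.456:256): arch=40000003 syscall=5 success=no exit=-13 a0=271b66 a1=0 a2=1b6 a3=26f4ae items=0 ppid=1 pid=1542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="polkitd" exe="/usr/libexec/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)',
    'node=localhost.localdomain type=AVC msg=audit(1255441838.276:25317): avc:  denied  { execmem } for  pid=2233 comm="thunderbird-bin" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
    'node=localhost.localdomain type=SYSCALL msg=audit(1255441838.276:25317): arch=40000003 syscall=192 success=yes exit=4689920 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=2229 pid=2233 auid=5160 uid=5160 gid=5161 euid=5160 suid=5160 fsuid=5160 egid=5161 sgid=5161 fsgid=5161 tty=(none) ses=1 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0b4/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans named in the comment-6 alert for process self-permissions.  Any other
# denial is a candidate for a local policy module, as the description suggests.
BOOLEAN_FOR_PERM = {'execmem': 'allow_execmem', 'execstack': 'allow_execstack'}


def type_of(context):
    """user:role:type:range -> type  (e.g. policykit_t)."""
    return context.split(':')[2]


def kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = kv(m.group('rest'))
    return {'serial': m.group('serial'), 'decision': m.group('decision'),
            'perms': m.group('perms').split(), 'comm': f.get('comm'),
            'source_type': type_of(f['scontext']),
            'target_type': type_of(f['tcontext']), 'tclass': f['tclass']}


def parse_syscall(line):
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    f = kv(m.group('rest'))
    return {'serial': m.group('serial'), 'success': f['success'] == 'yes',
            'exit': int(f['exit'])}


def allow_rule(avc):
    """The rule audit2allow would print for one AVC record."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'],
                                   avc['tclass'], perm_str)


def remedy(avc):
    """Boolean when a process is denied a permission on itself that a named
    boolean controls; otherwise a local policy module carrying allow_rule()."""
    if avc['tclass'] == 'process' and avc['source_type'] == avc['target_type']:
        for p in avc['perms']:
            if p in BOOLEAN_FOR_PERM:
                return 'boolean ' + BOOLEAN_FOR_PERM[p]
    return 'local policy module'


def analyse(lines):
    """Pair each AVC with the SYSCALL record of the same audit serial.  In
    enforcing mode the call fails (success=no, exit=-EACCES); in permissive
    mode the AVC is still logged as "denied" but the call succeeds."""
    syscalls, avcs = {}, []
    for line in lines:
        s = parse_syscall(line)
        if s:
            syscalls[s['serial']] = s
            continue
        a = parse_avc(line)
        if a:
            avcs.append(a)
    out = []
    for a in avcs:
        s = syscalls.get(a['serial'])
        if s is None:
            mode, err = 'unknown', None
        elif s['success']:
            mode, err = 'permissive', None
        else:
            mode, err = 'enforcing', errno.errorcode.get(-s['exit'])
        out.append({'serial': a['serial'], 'comm': a['comm'], 'mode': mode,
                    'errno': err, 'rule': allow_rule(a), 'remedy': remedy(a)})
    return out


if __name__ == '__main__':
    for r in analyse(AUDIT_LINES):
        print('%(comm)-16s %(mode)-10s %(errno)-7s %(remedy)-22s %(rule)s' % r)
```

Run stand-alone it prints one line per AVC: the polkitd record comes out as an enforcing denial (EACCES) with the rule `allow policykit_t proc_t:file read;` and "local policy module", exactly what the audit2allow output in the description shows; the thunderbird-bin record comes out as permissive with "boolean allow_execmem", which is why comment 8 treats it as a separate issue. When triaging a report like comment 4, comparing the Policy RPM line against the pairing here also catches the mismatch Daniel Walsh points out in comment 5, since a denial that audit2allow still produces under a policy that claims to fix it means the installed policy is not the one being enforced.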
Comment 7 Guy Streeter 2009-10-13 14:29:41 UTC
I didn't notice that the other reports referred to polkitd. This alert always comes up when I start thunderbird.

Comment 8 Mads Kiilerich 2009-10-13 14:42:43 UTC
dwalsh hasn't chimed in yet, so I will make a try

Guy Streeter: Your latest alert seems to be unrelated to what this issue is tracking, so try to let setroubleshoot handle it - it will probably file another bug. It seems like it could be related to bug 512845

