Bug 579047 - accountsservice-0.6-1.fc13 AVC denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 579636
Depends On:
Blocks:
 
Reported: 2010-04-02 10:42 UTC by Michal Schmidt
Modified: 2010-04-21 22:00 UTC

Fixed In Version: selinux-policy-3.7.19-2.fc13
Clone Of:
Environment:
Last Closed: 2010-04-21 22:00:19 UTC
Type: ---
Embargoed:



Description Michal Schmidt 2010-04-02 10:42:26 UTC
Description of problem:
Running F-13 with updates-testing. I played with accounts-dialog and received some AVC denials. I'm filing this report manually because setroubleshoot does not work for me today (bug 579045).


$ sudo ausearch -m avc -ts today 
----
time->Fri Apr  2 12:15:57 2010
type=SYSCALL msg=audit(1270203357.672:20220): arch=c000003e syscall=2 success=yes exit=9 a0=7fa6ed18a5ca a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=1931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="accounts-daemon" exe="/usr/libexec/accounts-daemon" subj=system_u:system_r:accountsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1270203357.672:20220): avc:  denied  { open } for  pid=1931 comm="accounts-daemon" name="shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1270203357.672:20220): avc:  denied  { read } for  pid=1931 comm="accounts-daemon" name="shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
time->Fri Apr  2 12:15:57 2010
type=SYSCALL msg=audit(1270203357.676:20221): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffff2bfa710 a2=7ffff2bfa710 a3=0 items=0 ppid=1 pid=1931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="accounts-daemon" exe="/usr/libexec/accounts-daemon" subj=system_u:system_r:accountsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1270203357.676:20221): avc:  denied  { getattr } for  pid=1931 comm="accounts-daemon" path="/etc/shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file


$ sudo ausearch -m avc -ts today | audit2allow


#============= accountsd_t ==============
allow accountsd_t shadow_t:file { read getattr open };

Version-Release number of selected component (if applicable):
accountsservice-0.6-1.fc13.x86_64
selinux-policy-3.7.16-2.fc13.noarch
selinux-policy-targeted-3.7.16-2.fc13.noarch

How reproducible:
Not sure yet. I'll reboot and see if it happens again.
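
An added example, not part of the original report and not audit2allow's own code: a small parser that groups the AVC records above into the allow rule shown, and pairs each denial with its SYSCALL record by audit event ID. It treats a denial whose syscall reports success=yes as logged but not enforced, which is typically what a permissive domain or permissive mode produces; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records from the report above; SYSCALL lines are abbreviated to the fields read here.
SAMPLE = '''\
type=SYSCALL msg=audit(1270203357.672:20220): arch=c000003e syscall=2 success=yes exit=9 comm="accounts-daemon"
type=AVC msg=audit(1270203357.672:20220): avc:  denied  { open } for  pid=1931 comm="accounts-daemon" name="shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1270203357.672:20220): avc:  denied  { read } for  pid=1931 comm="accounts-daemon" name="shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1270203357.676:20221): arch=c000003e syscall=5 success=yes exit=0 comm="accounts-daemon"
type=AVC msg=audit(1270203357.676:20221): avc:  denied  { getattr } for  pid=1931 comm="accounts-daemon" path="/etc/shadow" dev=dm-8 ino=1096 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
DENIAL = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*\sscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
SUCCESS = re.compile(r"\ssuccess=(\w+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse(text):
    """Return (rules, not_enforced): permissions grouped per (source, target,
    class), and the event IDs whose denied access still succeeded."""
    rules = defaultdict(set)
    succeeded, denied = {}, set()
    for line in text.splitlines():
        event = EVENT_ID.search(line)
        if event is None:
            continue  # "----" separators and "time->" lines
        if line.startswith("type=SYSCALL"):
            m = SUCCESS.search(line)
            if m:
                succeeded[event.group(1)] = (m.group(1) == "yes")
        elif line.startswith("type=AVC"):
            m = DENIAL.search(line)
            if m:
                perms, source, target, tclass = m.groups()
                key = (selinux_type(source), selinux_type(target), tclass)
                rules[key].update(perms.split())
                denied.add(event.group(1))
    return rules, sorted(e for e in denied if succeeded.get(e))

def allow_rules(rules):
    """Render the grouped denials in allow-rule syntax."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, not_enforced = parse(SAMPLE)
    print("\n".join(allow_rules(rules)))
    print("denied but syscall succeeded:", not_enforced)
```
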

Comment 1 Michal Schmidt 2010-04-02 10:50:20 UTC
I rebooted, waited for gdm to appear. I switched to tty2 and checked there were no AVC denials yet using "ausearch -m avc -ts recent".  I switched back and logged into Gnome. I was greeted with a setroubleshoot notification about these denials. So it is not necessary to run accounts-dialog at all to reproduce this.

Comment 2 Daniel Walsh 2010-04-05 12:40:21 UTC
Fixed in selinux-policy-3.7.17-6.fc13.noarch

Comment 3 Fedora Update System 2010-04-05 18:57:14 UTC
selinux-policy-3.7.17-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.17-6.fc13

Comment 4 Michal Schmidt 2010-04-06 05:43:24 UTC
*** Bug 579636 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2010-04-19 02:40:36 UTC
selinux-policy-3.7.19-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13

Comment 6 Fedora Update System 2010-04-20 13:24:50 UTC
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13

Comment 7 Fedora Update System 2010-04-21 21:58:51 UTC
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

