abrt 1.0.8 detected a crash.

architecture: x86_64
cmdline: /usr/bin/python /usr/bin/system-config-services
component: system-config-services
executable: /usr/bin/system-config-services
kernel: 2.6.32.11-99.fc12.x86_64
package: system-config-services-0.99.43-1.fc12
reason: polkit.py:143:_enable_proxy:DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender ":1.80" interface "org.fedoraproject.Config.Services.ChkconfigService" member "get_enabled" error name "(unset)" destination ":1.81")
release: Fedora release 12 (Constantine)

backtrace
-----
polkit.py:143:_enable_proxy:DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender ":1.80" interface "org.fedoraproject.Config.Services.ChkconfigService" member "get_enabled" error name "(unset)" destination ":1.81")

Traceback (most recent call last):
  File "/usr/bin/system-config-services", line 538, in on_service_selected
    GUIServicesDetailsPainter(self, service).paint_details()
  File "/usr/bin/system-config-services", line 305, in paint_details
    enabled = self.service.get_enabled()
  File "<string>", line 2, in get_enabled
  File "/usr/lib/python2.6/site-packages/slip/dbus/polkit.py", line 143, in _enable_proxy
    raise e
DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender ":1.80" interface "org.fedoraproject.Config.Services.ChkconfigService" member "get_enabled" error name "(unset)" destination ":1.81")

Local variables in innermost frame:
e: DBusException('An SELinux policy prevents this sender from sending this message to this recipient (rejected message had sender ":1.80" interface "org.fedoraproject.Config.Services.ChkconfigService" member "get_enabled" error name "(unset)" destination ":1.81")',)
authfail_exception: None
pkver: '1'
k: {}
handle_authfail: <function handle_authfail at 0x23290c8>
p: (<scservices.dbus.proxy.services.DBusSysVServiceProxy object at 1f479d0: udev-post>,)
func: <function get_enabled at 0x1f3c1b8>
exc_name: 'org.freedesktop.DBus.Error.AccessDenied'
authfail_result: <class 'slip.dbus.polkit.AUTHFAIL_DONTCATCH'>
authfail_callback: None
Created attachment 406390
File: backtrace
s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1271208320.442:764): user pid=1464 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1271208320.444:765): user pid=1464 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.fedoraproject.Config.Services.ServiceHerder member=list_services dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
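An added example, not part of the original report: a small Python parser that groups D-Bus USER_AVC denials like the ones above by source type, target type, class and permission, and lists the denied method calls for each pair. The function names are hypothetical, and the sample input is copied from the records in this report, including the truncated first fragment, which the parser skips.

```python
import re
from collections import defaultdict

# Sample input copied from the audit records in this report. The first line is
# the truncated fragment (no record header); the other two are complete.
SAMPLE = """\
s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1271208320.442:764): user pid=1464 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1271208320.444:765): user pid=1464 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.fedoraproject.Config.Services.ServiceHerder member=list_services dest=:1.218 spid=11946 tpid=11948 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"scontext", "tcontext", "tclass"}


def parse_user_avc(line):
    """Return the denial as a dict, or None for anything that is not a full USER_AVC record."""
    if not line.startswith("type=USER_AVC"):
        return None  # truncated or unrelated line
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = dict(KV_RE.findall(match.group("rest")))
    if not REQUIRED.issubset(fields):
        return None
    return {
        "perms": match.group("perms").split(),
        # An SELinux context is user:role:type:level; the type is field 3.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "call": "%s.%s" % (fields.get("interface", "?"), fields.get("member", "?")),
    }


def summarize(log_text):
    """Map (source type, target type, class, permission) to the sorted denied D-Bus calls."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_user_avc(line.strip())
        if record:
            for perm in record["perms"]:
                key = (record["source"], record["target"], record["tclass"], perm)
                summary[key].add(record["call"])
    return {key: sorted(calls) for key, calls in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls, perm), calls in summarize(SAMPLE).items():
        print("%s -> %s : %s { %s }" % (src, tgt, cls, perm))
        for call in calls:
            print("    denied call: " + call)
```
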
Er, just to clarify something, when selinux is in enforcing mode, the services control utility will fail to start.
This is a weird situation, since running system-config-services from staff_t is probably not something we want to encourage. Especially where you need to know the root password to make it work. And staff_t should not know the root password. But I can see some people wanting this.

Miroslav, add init_dbus_chat_script(staff_t)
Mhm, can I disable the root account in Fedora without running into any issues? (privilege escalation via sudo). I launched the config-services from the GNOME menu so the root password was asked :|
By that I mean, passwd -l root
No. Someone has to have root. The way staff_t is designed is to me a limited priv admin. A full priv admin has to be still around to set up sudo and dbus to allow the confined admin to do his jobs.

In this case a fully priv admin would set up policykit to allow the confined admin to use system-config-services using his password to confirm instead of root password.
(In reply to comment #7)
> No. Someone has to have root. The way staff_t is designed is to me a limited
> priv admin. A full priv admin has to be still around to set up sudo and dbus to
> allow the confined admin to do his jobs.
>
> In this case a fully priv admin would set up policykit to allow the confined
> admin to use system-config-services using his password to confirm instead of
> root password.

Very informative, thanks. Could you point me to any resource that could help me accomplish that, Daniel? (I replied here since I removed a CC)
Fixed in selinux-policy-3.6.32-112.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.