
Bug 639857

Summary: USER_AVC: denied { send_msg } for msgtype=method_call interface=org.fedoraproject.SetroubleshootdIface member=... dest=org.fedoraproject.Setroubleshootd
Product: Red Hat Enterprise Linux 6
Component: xguest
Version: 6.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: urgent
Keywords: ZStream
Target Milestone: rc
Reporter: Milos Malik <mmalik>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Milos Malik <mmalik>
CC: jrieden, jwest, snagar, syeghiay
Fixed In Version: xguest-1.0.9-1.el6
Doc Type: Bug Fix
Last Closed: 2012-10-09 12:42:50 UTC
Bug Blocks: 641811
Attachments:
  Can you replace /etc/sabayon/xguest.zip with this file
  full output of sabayon-apply
  full output of sabayon-apply after applying new xguest.zip

Description Milos Malik 2010-10-04 08:51:03 UTC
Description of problem:


Version-Release number of selected component (if applicable):
dbus-1.2.24-3.el6.i686
dbus-glib-0.86-5.el6.i686
dbus-libs-1.2.24-3.el6.i686
dbus-python-0.83.0-6.1.el6.i686
dbus-x11-1.2.24-3.el6.i686
eggdbus-0.6-3.el6.i686
python-slip-dbus-0.2.11-1.el6.noarch
selinux-policy-3.7.19-55.el6.noarch
selinux-policy-doc-3.7.19-55.el6.noarch
selinux-policy-minimum-3.7.19-55.el6.noarch
selinux-policy-mls-3.7.19-55.el6.noarch
selinux-policy-targeted-3.7.19-55.el6.noarch
setroubleshoot-2.2.94-1.el6.i686
setroubleshoot-doc-2.2.94-1.el6.i686
setroubleshoot-plugins-2.1.60-1.el6.noarch
setroubleshoot-server-2.2.94-1.el6.i686

How reproducible:
always

Steps to Reproduce:
1. install xguest package
2. switch SELinux to enforcing mode
3. log in as kiosk user via GDM
4. wait a couple of minutes
  
Actual results:
type=USER_AVC msg=audit(1286179389.450:513): user pid=1315 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.fedoraproject.SetroubleshootdIface member=check_for_new dest=org.fedoraproject.Setroubleshootd spid=5528 tpid=4211 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Expected results:
no USER_AVCs of this kind

Comment 2 Daniel Walsh 2010-10-04 15:31:03 UTC
Similarly seapplet should not be running within an xguest account.

Comment 3 Milos Malik 2010-10-05 07:24:18 UTC
Yes, we should do something about it. Otherwise someone else will complain
about the amount of CPU consumed by dbus-daemon. Here is what I accidentally
found out:

If there are no rules allowing/dontauditing the USER_AVC actions, dbus-daemon
consumes 99% of CPU. I did some tests with the following module created by
audit2allow:

module mypol 1.0;

require {
        type xguest_t;
        type setroubleshootd_t;
        type rpm_t;
        class dbus send_msg;
}

#============= xguest_t ==============
allow xguest_t rpm_t:dbus send_msg;
allow xguest_t setroubleshootd_t:dbus send_msg;

A few seconds after I loaded the module, dbus-daemon stopped consuming 99% of CPU.
To be sure that the behaviour of dbus-daemon is related to the existence of those 2
rules, I decided to unload the module. A few seconds after that, dbus-daemon
started consuming 99% CPU again.
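
Added example (not part of the bug report and not code from audit2allow or any project named here): a Python parser that tallies USER_AVC denials by source type, target type, class and permission, then renders the matching rules for review in the form shown in Comment 3. The repeated record, the rpm_t record with its `org.example.Constructed` name, the USER_START line and the function names are constructed for illustration.

```python
import re
from collections import Counter

# The USER_AVC record from the report, split across string literals.
REPORTED = (
    "type=USER_AVC msg=audit(1286179389.450:513): user pid=1315 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.fedoraproject.SetroubleshootdIface member=check_for_new "
    "dest=org.fedoraproject.Setroubleshootd spid=5528 tpid=4211 "
    "scontext=xguest_u:xguest_r:xguest_t:s0 "
    "tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=dbus "
    ": exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)
# Constructed lines: a repeat with a later serial, a denial against rpm_t
# (placeholder D-Bus names), and an unrelated record type that must be skipped.
SAMPLE_LOG = "\n".join([
    REPORTED,
    REPORTED.replace("1286179389.450:513", "1286179394.451:514"),
    REPORTED.replace("setroubleshootd_t", "rpm_t")
            .replace("org.fedoraproject.Setroubleshootd", "org.example.Constructed"),
    "type=USER_START msg=audit(1286179380.000:500): user pid=1 uid=0 msg='constructed'",
])

# The inner avc message carries scontext/tcontext; the outer subj= is the
# D-Bus daemon that made the access decision, not the denied sender.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def summarize(log_text):
    """Count USER_AVC denials per (source type, target type, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=USER_AVC") else None
        if m is None:
            continue
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type:level; the type is the third field.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        for perm in perms.split():
            counts[(src, tgt, tclass, perm)] += 1
    return counts

def candidate_rules(counts, keyword="allow"):
    """Render one rule per distinct denial, for review before any policy change."""
    return [f"{keyword} {s} {t}:{c} {p};" for (s, t, c, p) in sorted(counts)]
```

Passing `keyword="dontaudit"` renders the same rules in the silencing form that Comment 3 also mentions.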

Comment 4 Daniel Walsh 2010-10-05 14:06:53 UTC
Created attachment 451676 [details]
Can you replace /etc/sabayon/xguest.zip with this file

Then check if xguest starts seapplet and the package kit?

Comment 5 Milos Malik 2010-10-06 07:24:26 UTC
# rpm -V xguest
S.5....T.  c /etc/sabayon/xguest.zip
# ps aux | grep -i -e pk -e sea
xguest    2998  0.0  0.8  87464  3088 ?        S<sl 09:14   0:00 /usr/bin/pulseaudio --start --log-target=syslog
xguest    3021  0.0  2.1  24712  8000 ?        S    09:14   0:00 gpk-update-icon
xguest    3023  0.0  1.6  20412  6228 ?        S    09:14   0:00 /usr/bin/seapplet
root      3130  0.0  0.2   4316   764 pts/0    S+   09:18   0:00 grep -i -e pk -e sea

I replaced /etc/sabayon/xguest.zip with the file you attached. Unfortunately seapplet and gnome package kit are still running when I log in as kiosk user. USER_AVCs are still appearing and dbus-daemon is still consuming 99% of CPU.

Comment 6 Daniel Walsh 2010-10-06 12:55:36 UTC
Could you look in ~/.config/autostart/ and see if the files are there to shut off these services?

Comment 7 Milos Malik 2010-10-06 13:23:07 UTC
When I log in as kiosk user I see ~/.config directory, but ~/.config directory does not contain any subdirectory called autostart.

Comment 8 Milos Malik 2010-10-06 14:36:05 UTC
Created attachment 451906 [details]
full output of sabayon-apply

Comment 9 Milos Malik 2010-10-06 14:57:06 UTC
Created attachment 451910 [details]
full output of sabayon-apply after applying new xguest.zip

Comment 10 Milos Malik 2010-10-07 07:28:17 UTC
The old version of xguest (1.0.8-6.el6) works for me as soon as the symbolic link (between /etc/sabayon/xguest.zip and /etc/sabayon/profiles/xguest.zip) is set up.

Comment 11 Milos Malik 2010-10-07 07:34:59 UTC
xguest.zip (MD5 sum: 81dc0ffa280116e927d9ad928da93395) you sent me yesterday works for me too.

Comment 12 Milos Malik 2010-10-07 07:41:21 UTC
xguest-1.0.9-1.fc13.noarch works perfectly on my RHEL-6 machine. No AVCs, no CPU consumption by dbus-daemon, no extra symlinks needed.

Comment 13 Daniel Walsh 2010-10-07 12:26:32 UTC
Fixed in xguest-1.0.9-1.el6.noarch


Let's get this into zero day.

Comment 18 Daniel Walsh 2010-10-13 15:47:40 UTC
*** Bug 639862 has been marked as a duplicate of this bug. ***

Comment 22 Jiri Pallich 2012-10-09 12:42:50 UTC
Since this is a parent bug of an issue that has already been released via Z-Stream (e.g. rhel-6.3.z), this bug is going to be CLOSED as CURRENTRELEASE.