Summary:

SELinux is preventing /usr/bin/gnome-screensaver "execute" access on /usr/bin/octave-3.2.4.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-screensav. It is not expected that this access is required by gnome-screensav and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:java_exec_t:s0
Target Objects                /usr/bin/octave-3.2.4 [ file ]
Source                        gnome-screensav
Source Path                   /usr/bin/gnome-screensaver
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-screensaver-2.30.2-1.fc14
Target RPM Packages           octave-3.2.4-3.fc14
Policy RPM                    selinux-policy-3.9.5-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-39.fc14.i686 #1 SMP Fri Oct 8 16:20:30 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sat 16 Oct 2010 07:06:58 AM PDT
Last Seen                     Sat 16 Oct 2010 07:06:58 AM PDT
Local ID                      c3bdd68a-6b4f-4cc3-ab97-c3914218bf1f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1287238018.946:58): avc: denied { execute } for pid=1509 comm="gnome-screensav" name="octave-3.2.4" dev=dm-0 ino=72770 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1287238018.946:58): arch=40000003 syscall=33 success=yes exit=0 a0=82ed548 a1=1 a2=d6327c a3=8 items=0 ppid=1 pid=1509 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-screensav" exe="/usr/bin/gnome-screensaver" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,gnome-screensav,xdm_t,java_exec_t,file,execute

audit2allow suggests:

#============= xdm_t ==============
allow xdm_t java_exec_t:file execute;
Why is gnome-screensaver executing octave? You can easily add this with

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But it might bring on additional avc's
*** Bug 648308 has been marked as a duplicate of this bug. ***
(In reply to comment #1)
> Why is gnome-screensaver executing octave? You can easily add this with
>

I have no idea. I just saw a SELINUX warning and reported it. I can't imagine what the screensaver is doing with octave... maybe generating some pretty plots?
*** Bug 649329 has been marked as a duplicate of this bug. ***
What is strange is gnome-screensaver is running as xdm_t. Which does not make much sense.

What does

ps -eZ |grep screensaver

output
(In reply to comment #5)
> What does
> ps -eZ |grep screensaver
>
> output

ps -eZ | grep screensaver outputs nothing.

ps -Zaux |grep screensaver outputs this:

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 idht4n 10165 0.0 0.4 30972 5028 ? Ss Oct30 0:32 gnome-screensaver
Which is correct and would not cause the problem you saw. Let's close this and reopen if it happens again.
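Added example (not part of the original bug comments): a Python sketch that parses the AVC record and the `ps -Zaux` line quoted in this report and lists why the two describe different processes. The function names are hypothetical; the parsing relies on the kernel truncating comm to 15 characters and on the MLS level itself containing ':'.

```python
import re

# Input copied from this page: the raw AVC record and the ps -Zaux output line.
AVC = ('type=AVC msg=audit(1287238018.946:58): avc: denied { execute } for '
       'pid=1509 comm="gnome-screensav" name="octave-3.2.4" dev=dm-0 ino=72770 '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:java_exec_t:s0 tclass=file')
PS_LINE = ('unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 idht4n 10165 '
           '0.0 0.4 30972 5028 ? Ss Oct30 0:32 gnome-screensaver')

def split_context(ctx):
    """Split user:role:type:level; only the first three ':' are separators."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}

def parse_avc(record):
    """Return the key=value fields of one AVC record plus result and perms."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record)
    if not m:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {k: v.strip('"') for k, v in pairs}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def parse_ps_z(line):
    """Columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    cols = line.split(None, 11)
    return {"context": cols[0], "user": cols[1], "pid": cols[2],
            "command": cols[11]}

def compare(avc, proc):
    """List the reasons the ps entry is not the process that raised the AVC."""
    reasons = []
    # comm in audit records holds at most 15 characters of the program name.
    name = proc["command"].split()[0].rsplit("/", 1)[-1][:15]
    if name != avc["comm"]:
        reasons.append("different program")
    if proc["pid"] != avc["pid"]:
        reasons.append("pid %s != %s" % (proc["pid"], avc["pid"]))
    avc_type = split_context(avc["scontext"])["type"]
    ps_type = split_context(proc["context"])["type"]
    if ps_type != avc_type:
        reasons.append("domain %s != %s" % (ps_type, avc_type))
    return reasons

if __name__ == "__main__":
    print(compare(parse_avc(AVC), parse_ps_z(PS_LINE)))
```
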
it happens here too. I suggest reopening it.
Which login manager are you using kde? gdm? The login program should not be execing the screensaver?
gdm, and I agree it shouldn't start the screensaver which in turn should leave octave alone
Do you have any idea what was going on when this happened? Switch user? Machine logged out?
*** Bug 655378 has been marked as a duplicate of this bug. ***
I have been auto-cc'd on a duplicate of this one (bug #649329).

My gnome-screensaver apparently tried to access /usr/bin/consolehelper. What I did was to log in from GDM. I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even have kicked in yet...

This is a relatively fresh F14 install from scratch.

$ rpm -qf /usr/bin/gnome-screensaver /usr/bin/consolehelper
gnome-screensaver-2.30.2-2.fc14.i686
usermode-1.106.1-1.fc14.i686

$ ps Zaux |grep screensaver
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 barsnick 2286 0.0 0.2 30220 2660 ? Ss 07:56 0:00 gnome-screensaver

Moritz
Created attachment 463431
SELinux security alert from /usr/bin/gnome-screensaver executing /usr/bin/consolehelper
I wrote:
> I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even have kicked in yet...

Totally wrong, that was the SELinux alert tool-tip, d'uh. So in conclusion, I didn't do anything but log on to get the error, unless it occurred in a previous session.
Any chance gnome-screensaver is being started before pam_selinux is being called? Although gnome-screensaver seems to be running with the correct context, unconfined_t.
*** Bug 658679 has been marked as a duplicate of this bug. ***
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping