Bug 647588 - SELinux is preventing /usr/bin/gnome-screensaver "execute" access on /usr/bin/octave-3.2.4.
SELinux is preventing /usr/bin/gnome-screensaver "execute" access on /us...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: gdm (Show other bugs)
14
All Linux
low Severity medium
: ---
: ---
Assigned To: Ray Strode [halfline]
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:375cdcffdcb...
: Reopened
: 648308 649329 655378 658679 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-10-28 16:33 EDT by David
Modified: 2012-08-16 18:18 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-16 18:17:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
SELinux security alert from /usr/bin/gnome-screensaver executing /usr/bin/consolehelper (2.47 KB, text/plain)
2010-11-29 02:14 EST, Moritz Barsnick
no flags Details

  None (edit)
Description David 2010-10-28 16:33:15 EDT
Summary:

SELinux is preventing /usr/bin/gnome-screensaver "execute" access on
/usr/bin/octave-3.2.4.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by gnome-screensav. It is not expected that this
access is required by gnome-screensav and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:java_exec_t:s0
Target Objects                /usr/bin/octave-3.2.4 [ file ]
Source                        gnome-screensav
Source Path                   /usr/bin/gnome-screensaver
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-screensaver-2.30.2-1.fc14
Target RPM Packages           octave-3.2.4-3.fc14
Policy RPM                    selinux-policy-3.9.5-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-39.fc14.i686
                              #1 SMP Fri Oct 8 16:20:30 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sat 16 Oct 2010 07:06:58 AM PDT
Last Seen                     Sat 16 Oct 2010 07:06:58 AM PDT
Local ID                      c3bdd68a-6b4f-4cc3-ab97-c3914218bf1f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1287238018.946:58): avc:  denied  { execute } for  pid=1509 comm="gnome-screensav" name="octave-3.2.4" dev=dm-0 ino=72770 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:java_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1287238018.946:58): arch=40000003 syscall=33 success=yes exit=0 a0=82ed548 a1=1 a2=d6327c a3=8 items=0 ppid=1 pid=1509 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="gnome-screensav" exe="/usr/bin/gnome-screensaver" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,gnome-screensav,xdm_t,java_exec_t,file,execute
audit2allow suggests:

#============= xdm_t ==============
allow xdm_t java_exec_t:file execute;
Comment 1 Daniel Walsh 2010-10-29 08:24:26 EDT
Why is gnome-screensaver executing octave?  You can easily add this with 

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

But it might bring on additional avc's
Comment 2 Miroslav Grepl 2010-11-01 05:02:46 EDT
*** Bug 648308 has been marked as a duplicate of this bug. ***
Comment 3 David 2010-11-01 08:58:13 EDT
(In reply to comment #1)
> Why is gnome-screensaver executing octave?  You can easily add this with 
> 

I have no idea.  I just saw a SELINUX warning and reported it.  I can't imaging what the sreensaver is doing with octave... maybe generating some pretty plots?
Comment 4 Nicola Soranzo 2010-11-04 05:39:07 EDT
*** Bug 649329 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2010-11-04 13:22:39 EDT
What is strange is gnome-screensaver is running as xdm_t.  Which does not make much sense.

What does 
ps -eZ |grep screensaver

output
Comment 6 David 2010-11-04 17:01:03 EDT
(In reply to comment #5)
> What does 
> ps -eZ |grep screensaver
> 
> output

ps -eZ | grep screensaver
outputs nothing.

ps -Zaux |grep screensaver
outputs this:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 idht4n 10165 0.0  0.4 30972 5028 ? Ss Oct30   0:32 gnome-screensaver
Comment 7 Daniel Walsh 2010-11-05 15:00:50 EDT
Which is correct and would not cause the problem you saw.  Lets close this and reopen if it happens again.
Comment 8 Gregor Hlawacek 2010-11-11 02:36:04 EST
it happens here too. I suggest reopening it.
Comment 9 Daniel Walsh 2010-11-11 09:20:40 EST
Which login manager are you using kde?  gdm?

The login program should not be execing the screensaver?
Comment 10 Gregor Hlawacek 2010-11-11 10:37:44 EST
gdm, and I agree it shouldn't start the screensaver which in turn should leave octave alone
Comment 11 Daniel Walsh 2010-11-12 09:46:52 EST
Do you have any idea what was going on when this happened?

Switch user?  Machine logged out?
Comment 12 Miroslav Grepl 2010-11-22 05:07:24 EST
*** Bug 655378 has been marked as a duplicate of this bug. ***
Comment 13 Moritz Barsnick 2010-11-29 02:13:22 EST
I have been auto-cc'd on a duplicate of this one (bug #649329). My gnome-screensaver apparently tried to access /usr/bin/consolehelper.

What I did was to log in from GDM. I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even kicked in yet...

This is a relatively fresh F14 install from scratch.

$ rpm -qf /usr/bin/gnome-screensaver /usr/bin/consolehelper
gnome-screensaver-2.30.2-2.fc14.i686
usermode-1.106.1-1.fc14.i686

$ ps Zaux |grep screensaver
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 barsnick 2286 0.0  0.2 30220 2660 ? Ss 07:56   0:00 gnome-screensaver

Moritz
Comment 14 Moritz Barsnick 2010-11-29 02:14:18 EST
Created attachment 463431 [details]
SELinux security alert from /usr/bin/gnome-screensaver executing /usr/bin/consolehelper
Comment 15 Moritz Barsnick 2010-11-29 04:16:02 EST
I wrote:
> I got a pop-up/tool-tip indicating a new security update, so I tried to double-click the status bar icon. The session was so fresh that the screensaver shouldn't even kicked in yet...

Totally wrong, that was the SELinux alert tool-tip, d'uh. So in conclusion, I didn't do anything but log on to get the error, unless it occurred in a previous session.
Comment 16 Daniel Walsh 2010-11-29 11:09:32 EST
Any chance gnome-screensaver is being started before pam_selinux is being called?  Although gnome-screensaver seems to be running with the correct context, unconfined_t.
Comment 17 Miroslav Grepl 2010-12-01 05:09:09 EST
*** Bug 658679 has been marked as a duplicate of this bug. ***
Comment 18 Fedora Admin XMLRPC Client 2011-06-21 11:35:52 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 19 Fedora Admin XMLRPC Client 2011-06-21 11:37:16 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 20 Fedora Admin XMLRPC Client 2011-06-21 11:40:02 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 21 Fedora Admin XMLRPC Client 2011-06-21 11:42:52 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 22 Fedora Admin XMLRPC Client 2011-06-21 11:52:33 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 23 Fedora Admin XMLRPC Client 2011-06-21 11:55:21 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 24 Fedora Admin XMLRPC Client 2011-06-21 11:57:54 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 25 Fedora Admin XMLRPC Client 2011-06-21 11:59:01 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 26 Fedora End Of Life 2012-08-16 18:18:02 EDT
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.