Bug 673106 - SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from using the 'sys_resource' capabilities.
Summary: SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from using ...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f96a8d80677...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-27 13:13 UTC by Hicham HAOUARI
Modified: 2011-05-26 20:39 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-26 20:39:22 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Hicham HAOUARI 2011-01-27 13:13:55 UTC 
SELinux is preventing /usr/libexec/polkit-1/polkit-agent-helper-1 from using the 'sys_resource' capabilities.

*****  Plugin sys_resource (91.4 confidence) suggests  ***********************

If you do not want to get this AVC any longer. These AVC's are caused by running out of resources, usually disk space on your / partition.
Then you must cleanup diskspace or make sure you are not running too many processes.
Do
clear up your disk.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that polkit-agent-helper-1 should have the sys_resource capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polkit-agent-he /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c
                              0.c1023
Target Objects                Unknown [ capability ]
Source                        polkit-agent-he
Source Path                   /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           polkit-0.98-5.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.13-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-0.rc2.git3.2.fc15.i686
                              #1 SMP Wed Jan 26 01:25:35 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Thu 27 Jan 2011 01:08:21 PM WET
Last Seen                     Thu 27 Jan 2011 01:08:24 PM WET
Local ID                      3c50c83c-4f60-4ab8-ac25-d488989c463e

Raw Audit Messages
type=AVC msg=audit(1296133704.915:75): avc:  denied  { sys_resource } for  pid=3040 comm="polkit-agent-he" capability=24  scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1296133704.915:75): arch=i386 syscall=None success=no exit=EPERM a0=0 a1=7 a2=0 a3=bfa3cb50 items=0 ppid=3031 pid=3040 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=polkit-agent-he exe=/usr/libexec/polkit-1/polkit-agent-helper-1 subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

Hash: polkit-agent-he,policykit_auth_t,policykit_auth_t,capability,sys_resource

audit2allow

#============= policykit_auth_t ==============
allow policykit_auth_t self:capability sys_resource;

audit2allow -R

#============= policykit_auth_t ==============
allow policykit_auth_t self:capability sys_resource;
Comment 1 Daniel Walsh 2011-01-27 15:19:19 UTC 
Did you read the alert?  sys_resource, means your system is running out of resources.  Usually disks are filling up.
Comment 2 Hicham HAOUARI 2011-01-27 15:44:07 UTC 
root partition have 4GB free
Comment 3 Daniel Walsh 2011-01-27 16:11:49 UTC 
/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

#define CAP_SYS_RESOURCE     24

Well it would be caused by one of these.
Comment 4 Eric Paris 2011-01-27 16:55:28 UTC 
Steve, the SYSCALL record from this denial shows syscall=None.  I'm not sure what mechanism Dan is using to interpret the records, but what the heck does 'None' mean?
Comment 5 Daniel Walsh 2011-01-27 17:26:14 UTC 
audit.audit_syscall_to_name(int(value),audit.audit_detect_machine())
Comment 6 Steve Grubb 2011-01-27 17:26:42 UTC 
Libauparse uses this, "unknown syscall(%d)", to write out the name of the
syscall when its not known. I can't find the word, "None" is any of the audit
source code except the python bindings - which are auto generated. I don't know
if python is the source of the problem or if setroubleshoot fills in None in
some circumstances.
Comment 7 Daniel Walsh 2011-01-27 18:00:08 UTC 
Hicham could you grab the AVC out of /var/log/audit/audit.log to see the
original.

ausearch -m avc 

Thanks.
Comment 8 Daniel Walsh 2011-01-27 18:01:23 UTC 
Steve None probably means failure.

I just changed my code to:

                if key == "syscall":
                    syscall_name = audit.audit_syscall_to_name(int(value),audit.audit_detect_machine())
                    if syscall_name:
                        value = syscall_name
Note You need to log in before you can comment on or make changes to this bug.