Bug 684606 - SELinux is preventing xfce4-notifyd from 'open' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:6476a9e6c1c...
Depends On:
Blocks: F15Blocker-xfce

Reported: 2011-03-13 15:37 EDT by Christoph Wickert
Modified: 2011-03-22 14:52 EDT
CC List: 2 users

Fixed In Version: selinux-policy-3.9.7-37.fc14
Doc Type: Bug Fix
Last Closed: 2011-03-22 14:52:58 EDT

Attachments: None

Description Christoph Wickert 2011-03-13 15:37:54 EDT
SELinux is preventing xfce4-notifyd from 'open' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed open access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig
                              /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
                              file ]
Source                        xfce4-notifyd
Source Path                   xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sa 12 Feb 2011 17:58:11 CET
Last Seen                     Sa 12 Feb 2011 17:58:11 CET
Local ID                      c9aac662-c4d7-49f5-a00d-df75af139443

Raw Audit Messages
type=AVC msg=audit(1297529891.571:437): avc:  denied  { open } for  pid=14029 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=49911 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,open

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file open;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file open;
Comment 1 Christoph Wickert 2011-03-13 16:15:46 EDT
There are a few more errors from the new xfce4-notifyd:


SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed getattr access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig
                              /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
                              file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:51 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      d7b7c1d8-f62b-4b25-91b9-0b25e3df6c57

Raw Audit Messages
type=AVC msg=audit(1299059606.413:8979): avc:  denied  { getattr } for  pid=4467 comm="xfce4-notifyd" path="/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


type=SYSCALL msg=audit(1299059606.413:8979): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8d00 a2=7fffd98c8d00 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,getattr

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file getattr;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file getattr;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig
                              /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
                              file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:51 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      3d61b6f7-b1dc-48c2-8ba8-8f1be3580735

Raw Audit Messages
type=AVC msg=audit(1299059606.413:8978): avc:  denied  { read } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


type=AVC msg=audit(1299059606.413:8978): avc:  denied  { open } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };



SELinux is preventing xfce4-notifyd from 'open' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed open access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source                        xfce4-notifyd
Source Path                   xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           dejavu-sans-fonts-2.32-1.fc14
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sa 12 Feb 2011 17:58:11 CET
Last Seen                     Sa 12 Feb 2011 17:58:11 CET
Local ID                      2e52f00a-ccac-42ce-af7c-3a2facc6f753

Raw Audit Messages
type=AVC msg=audit(1297529891.576:444): avc:  denied  { open } for  pid=14029 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file


Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,open

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file open;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file open;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed read access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           dejavu-sans-fonts-2.32-1.fc14
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:51 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      a69c2275-b906-4324-8846-ae234c29e59b

Raw Audit Messages
type=AVC msg=audit(1299059606.416:8982): avc:  denied  { read } for  pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file


type=AVC msg=audit(1299059606.416:8982): avc:  denied  { open } for  pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file


type=SYSCALL msg=audit(1299059606.416:8982): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=151b9a0 a1=0 a2=0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,read

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file { read open };

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file { read open };



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'getattr' accesses on the file /usr/share/fonts/dejavu/DejaVuSans.ttf.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed getattr access on the DejaVuSans.ttf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts/dejavu/DejaVuSans.ttf [ file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           dejavu-sans-fonts-2.32-1.fc14
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:51 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      7f46ef73-91b7-443f-b2f9-462f6386b7ff

Raw Audit Messages
type=AVC msg=audit(1299059606.416:8983): avc:  denied  { getattr } for  pid=4467 comm="xfce4-notifyd" path="/usr/share/fonts/dejavu/DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file


type=SYSCALL msg=audit(1299059606.416:8983): arch=x86_64 syscall=fstat success=yes exit=0 a0=8 a1=7fffd98c8df0 a2=7fffd98c8df0 a3=1 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,fonts_t,file,getattr

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file getattr;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_t:file getattr;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'execute_no_trans' accesses on the file /usr/lib64/xfce4/notifyd/xfce4-notifyd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed execute_no_trans access on the xfce4-notifyd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib64/xfce4/notifyd/xfce4-notifyd [ file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:50 CET
Last Seen                     Mi 02 Mär 2011 10:53:25 CET
Local ID                      04cc81e6-a711-48b1-bc9d-4914fbc11d8b

Raw Audit Messages
type=AVC msg=audit(1299059605.936:8975): avc:  denied  { execute_no_trans } for  pid=4467 comm="dbus-daemon" path="/usr/lib64/xfce4/notifyd/xfce4-notifyd" dev=dm-0 ino=269085 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file


type=SYSCALL msg=audit(1299059605.936:8975): arch=x86_64 syscall=execve success=yes exit=0 a0=7f517ff94680 a1=7f517ff9c3f0 a2=7f517ff94710 a3=7fff3bad38a0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,lib_t,file,execute_no_trans

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t lib_t:file execute_no_trans;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t lib_t:file execute_no_trans;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-aYIsZh6srU.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed connectto access on the dbus-aYIsZh6srU unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Objects                @/tmp/dbus-aYIsZh6srU [ unix_stream_socket ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:50 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      afd9d9b1-b5d5-47b5-a15e-49b30a24f635

Raw Audit Messages
type=AVC msg=audit(1299059606.78:8976): avc:  denied  { connectto } for  pid=4467 comm="xfce4-notifyd" path=002F746D702F646275732D615949735A6836737255 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1299059606.78:8976): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffd98cbae0 a2=17 a3=0 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,xdm_dbusd_t,unix_stream_socket,connectto

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:unix_stream_socket connectto;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:unix_stream_socket connectto;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'connectto' accesses on the unix_stream_socket @/tmp/.X11-unix/X0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed connectto access on the X0 unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Objects                @/tmp/.X11-unix/X0 [ unix_stream_socket ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:50 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      cb654d66-e138-4331-9252-c942562bd1ca

Raw Audit Messages
type=AVC msg=audit(1299059606.85:8977): avc:  denied  { connectto } for  pid=4467 comm="xfce4-notifyd" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1299059606.85:8977): arch=x86_64 syscall=connect success=yes exit=0 a0=7 a1=7fffd98cba90 a2=14 a3=7fffd98cba93 items=0 ppid=4466 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,xserver_t,unix_stream_socket,connectto

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;



SELinux is preventing /usr/lib64/xfce4/notifyd/xfce4-notifyd from 'read' accesses on the file /var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that xfce4-notifyd should be allowed read access on the 3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep xfce4-notifyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig
                              /3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3 [
                              file ]
Source                        xfce4-notifyd
Source Path                   /usr/lib64/xfce4/notifyd/xfce4-notifyd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           xfce4-notifyd-0.2.1-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-31.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux denkermatic.localdomain
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Sa 12 Feb 2011 08:57:51 CET
Last Seen                     Mi 02 Mär 2011 10:53:26 CET
Local ID                      3d61b6f7-b1dc-48c2-8ba8-8f1be3580735

Raw Audit Messages
type=AVC msg=audit(1299059606.413:8978): avc:  denied  { read } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


type=AVC msg=audit(1299059606.413:8978): avc:  denied  { open } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file


type=SYSCALL msg=audit(1299059606.413:8978): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=155ee30 a1=0 a2=155ee73 a3=fffffffffffffff0 items=0 ppid=1 pid=4467 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=xfce4-notifyd exe=/usr/lib64/xfce4/notifyd/xfce4-notifyd subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: xfce4-notifyd,xdm_dbusd_t,fonts_cache_t,file,read

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t fonts_cache_t:file { read open };



AFAICS we need
- open, getattr and read for /var/cache/fontconfig/*
- open, getattr and read for /usr/share/fonts/*/*.ttf
- connectto for @/tmp/dbus-* and @/tmp/.X11-unix/X0.

Or is there an easier way? I wonder why xfce4-notifyd is executed with xdm_dbusd_t context.
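As an added example (not code from this bug report, from setroubleshoot or from audit2allow), the following Python script does what comment 1 does by hand: it reads raw AVC records, merges the denied permissions per (source type, target type, object class) into the allow rules audit2allow would print, and separately flags the execute_no_trans denial against lib_t as a labeling problem rather than something to allow, which is what comments 4 and 5 of this thread conclude. The sample records are copied from the denials quoted above (with one abbreviated SYSCALL record added to show that non-AVC lines are skipped); the "suspicious label" heuristic is this example's own assumption, not an SELinux rule.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from the denials quoted in this bug,
# plus one abbreviated SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1299059606.413:8978): avc:  denied  { read } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=AVC msg=audit(1299059606.413:8978): avc:  denied  { open } for  pid=4467 comm="xfce4-notifyd" name="3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=AVC msg=audit(1299059606.413:8979): avc:  denied  { getattr } for  pid=4467 comm="xfce4-notifyd" path="/var/cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-3" dev=dm-0 ino=87622 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:fonts_cache_t:s0 tclass=file
type=AVC msg=audit(1299059606.416:8982): avc:  denied  { read } for  pid=4467 comm="xfce4-notifyd" name="DejaVuSans.ttf" dev=dm-0 ino=39679 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
type=AVC msg=audit(1299059605.936:8975): avc:  denied  { execute_no_trans } for  pid=4467 comm="dbus-daemon" path="/usr/lib64/xfce4/notifyd/xfce4-notifyd" dev=dm-0 ino=269085 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1299059606.78:8976): avc:  denied  { connectto } for  pid=4467 comm="xfce4-notifyd" path=002F746D702F646275732D615949735A6836737255 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1299059606.85:8977): avc:  denied  { connectto } for  pid=4467 comm="xfce4-notifyd" path=002F746D702F2E5831312D756E69782F5830 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1299059606.85:8977): arch=x86_64 syscall=connect success=yes exit=0 pid=4467 comm=xfce4-notifyd
"""

# Pull the denied permission set and the three fields a type-enforcement rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in the log."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no access-vector data
        yield (
            context_type(m["scontext"]),
            context_type(m["tcontext"]),
            m["tclass"],
            frozenset(m["perms"].split()),
        )


def summarize(log_text):
    """Merge denials into one allow rule per (source, target, class), as audit2allow prints them."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # audit2allow writes same-type targets as self
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, target, cls, perm_str))
    return rules


def suspicious_labels(log_text):
    """Heuristic (this example's own assumption, not an SELinux rule): an execute_no_trans
    denial whose target type is neither bin_t nor an *_exec_t type usually means the binary
    is mislabeled, so the fix is a file context (bin_t in this bug) rather than an allow rule."""
    flagged = []
    for _src, tgt, cls, perms in parse_denials(log_text):
        if cls == "file" and "execute_no_trans" in perms:
            if tgt != "bin_t" and not tgt.endswith("exec_t") and tgt not in flagged:
                flagged.append(tgt)
    return flagged


if __name__ == "__main__":
    for rule in summarize(SAMPLE_AUDIT_LOG):
        print(rule)
    for tgt in suspicious_labels(SAMPLE_AUDIT_LOG):
        print("# execute_no_trans on %s: relabel the executable instead of allowing it" % tgt)
```

Running it over the sample prints the five merged rules (the fonts_cache_t rule carries getattr, open and read together) and flags lib_t. The point of the second check is the one the thread itself arrives at: a module built with `audit2allow -M` from these records would grant xdm_dbusd_t execute_no_trans on every lib_t file on the system, while the actual defect was that the daemon binary lived under /usr/lib64 and carried lib_t instead of bin_t; relabeling it lets the existing policy handle the transition without widening permissions.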
Comment 2 Christoph Wickert 2011-03-13 16:18:40 EDT
I forgot to mention that the problem only seems to appear when waking up from standby.
Comment 3 Miroslav Grepl 2011-03-14 12:40:07 EDT
We have in policy

dbus_role_template(xdm, system_r, xdm_t)

to use dbus to start other processes as xdm_t.
Comment 4 Miroslav Grepl 2011-03-14 12:41:45 EDT
#============= xdm_dbusd_t ==============
allow xdm_dbusd_t lib_t:file execute_no_trans;


Looks like we should add label bin_t for

/usr/lib64/xfce4/notifyd/xfce4-notifyd
Comment 5 Daniel Walsh 2011-03-14 14:31:10 EDT
Yes
Comment 6 Miroslav Grepl 2011-03-18 10:11:47 EDT
Fixed in selinux-policy-3.9.7-34.fc14 and also in F15 policy.
Comment 7 Fedora Update System 2011-03-18 11:07:59 EDT
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
Comment 8 Fedora Update System 2011-03-21 04:45:55 EDT
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
Comment 9 Fedora Update System 2011-03-22 14:51:32 EDT
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
