Bug 708474 - SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the filesystem /.
Summary: SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the file...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a1c9921f652...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-27 18:40 UTC by Jonathan Gazeley
Modified: 2011-06-24 03:53 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-24 03:53:52 UTC


Attachments (Terms of Use)

Description Jonathan Gazeley 2011-05-27 18:40:12 UTC
SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                / [ filesystem ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 27 May 2011 07:30:04 PM BST
Last Seen                     Fri 27 May 2011 07:30:04 PM BST
Local ID                      117cc2e6-f1ef-497f-bc62-80c650bb5c1d

Raw Audit Messages
type=AVC msg=audit(1306521004.84:120): avc:  denied  { getattr } for  pid=5002 comm="colord" name="/" dev=0:27 ino=2 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem


type=SYSCALL msg=audit(1306521004.84:120): arch=x86_64 syscall=statfs success=yes exit=0 a0=1a6f190 a1=7fff590765c0 a2=0 a3=1 items=0 ppid=1 pid=5002 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,nfs_t,filesystem,getattr

audit2allow

#============= colord_t ==============
allow colord_t nfs_t:filesystem getattr;

audit2allow -R

#============= colord_t ==============
allow colord_t nfs_t:filesystem getattr;

Comment 1 Dominick Grift 2011-05-27 18:50:57 UTC
Are you using NFS home directories?

Comment 2 Jonathan Gazeley 2011-05-27 18:57:18 UTC
No, the home directories are on a local disk. Although, this is a clean install of Fedora 15 where I have simply mounted home directories from a Fedora 14 installation. Could this have an effect?

Comment 3 Dominick Grift 2011-05-27 19:04:15 UTC
Where have you mounted an nfs filesystem? Colord wants to get attributes of an nfs file system (dev=0:27)

Comment 4 Jonathan Gazeley 2011-05-27 19:16:47 UTC
Oh, I have an NFS file server mounted as /media/public. I guess this means the content on the server is not properly labelled?

Comment 5 Dominick Grift 2011-05-27 19:28:43 UTC
I am referring to inode number 2 on device "0:27" so that could be the case here yes. Colord lists /media i believe and so this might be why it wants to get attributes of nfs_t filesystems.

I am not sure what business colord has in /media but i guess it does not hurt to support nfs/cifs.

I will add nfs/cifs support via a boolean. Colord should probably also be able to get attributes of, or read removable devices (i guess that is what one usually mounts on /media)

Comment 7 Miroslav Grepl 2011-05-30 08:21:05 UTC
I am fine with some changes, but I think

+tunable_policy(`colord_use_cifs',`
+       fs_manage_cifs_dirs(colord_t)
+       fs_manage_cifs_files(colord_t)
+')
+
+tunable_policy(`colord_use_nfs',`
+       fs_manage_nfs_dirs(colord_t)
+       fs_manage_nfs_files(colord_t)
+')

is not necessary.

Fixed in selinux-policy-3.9.16-27.fc15

Comment 8 Dominick Grift 2011-05-30 08:39:12 UTC
alright i actually made another commit after that , that would make it even worse i guess in that regard.

The reporter has a nfs share mounted on /media. To add a fs_getattr_all_fs() just for that seemed overkill to me.

So i appended fs_getattr_nfs/cifs to colord_use_nfs/cifs respectively.

I also think it would be a little exotic setup to have nfs share mounted on /media but i guess it is possible so from that perspective i though i would add it.

Anyways, i assume you will make the needed changes in the master branch for this?

Comment 9 Fedora Update System 2011-06-10 10:49:27 UTC
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15

Comment 10 Fedora Update System 2011-06-11 04:28:47 UTC
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-06-21 17:30:22 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2011-06-24 03:52:13 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.