Bug 710779 - SELinux is preventing /usr/libexec/colord from 'read' accesses on the katalog /.
Summary: SELinux is preventing /usr/libexec/colord from 'read' accesses on the katalog /.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:686c46d928c...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-04 17:50 UTC by Tom
Modified: 2012-02-10 08:47 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-10 08:47:14 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tom 2011-06-04 17:50:07 UTC 
SELinux is preventing /usr/libexec/colord from 'read' accesses on the katalog /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If aby colord powinno mieć domyślnie read dostęp do  directory.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep colord /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                / [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.i686 #1 SMP Sun May
                              15 17:57:13 UTC 2011 i686 i686
Alert Count                   1
First Seen                    śro, 1 cze 2011, 19:56:46
Last Seen                     śro, 1 cze 2011, 19:56:46
Local ID                      c48b6041-0ea1-47b1-99cb-88c46a3cc39e

Raw Audit Messages
type=AVC msg=audit(1306951006.900:114): avc:  denied  { read } for  pid=7898 comm="colord" name="/" dev=sdd1 ino=1 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1306951006.900:114): arch=i386 syscall=access success=yes exit=0 a0=978f160 a1=5 a2=44e9b328 a3=978f148 items=0 ppid=1 pid=7898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,dosfs_t,dir,read

audit2allow

#============= colord_t ==============
allow colord_t dosfs_t:dir read;

audit2allow -R

#============= colord_t ==============
allow colord_t dosfs_t:dir read;
Comment 1 Dominick Grift 2011-06-04 17:56:45 UTC 
this should be fixed in selinux-policy-3.9.16-26.fc15 or selinux-policy-3.9.16-27.fc15
Comment 2 Miroslav Grepl 2011-06-05 07:44:49 UTC 
Fixed in selinux-policy-3.9.16-27.fc15
Note You need to log in before you can comment on or make changes to this bug.