Bug 726180 - SELinux is preventing /usr/libexec/gdm-crash-logger from 'append' accesses on the file /var/log/gdm/:0-slave.log.
Summary: SELinux is preventing /usr/libexec/gdm-crash-logger from 'append' accesses on...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:57f374a6622...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-27 18:33 UTC by Eric Paris
Modified: 2011-09-07 00:18 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-38.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-07 00:18:57 UTC


Attachments (Terms of Use)

Description Eric Paris 2011-07-27 18:33:51 UTC
SELinux is preventing /usr/libexec/gdm-crash-logger from 'append' accesses on the file /var/log/gdm/:0-slave.log.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that gdm-crash-logger should be allowed append access on the :0-slave.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gdm-crash-logge /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore gdm-crash-logger trying to append access the :0-slave.log file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/gdm-crash-logger /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_log_t:s0
Target Objects                /var/log/gdm/:0-slave.log [ file ]
Source                        gdm-crash-logge
Source Path                   /usr/libexec/gdm-crash-logger
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gdm-3.0.4-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 27 Jul 2011 02:20:24 PM EDT
Last Seen                     Wed 27 Jul 2011 02:20:24 PM EDT
Local ID                      801f39cd-ebae-4bbe-b962-a6824017711f

Raw Audit Messages
type=AVC msg=audit(1311790824.455:305): avc:  denied  { append } for  pid=13804 comm="gdm-crash-logge" path="/var/log/gdm/:0-slave.log" dev=dm-0 ino=1562475 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file


type=AVC msg=audit(1311790824.455:305): avc:  denied  { append } for  pid=13804 comm="gdm-crash-logge" path="/var/log/gdm/:0-slave.log" dev=dm-0 ino=1562475 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_log_t:s0 tclass=file


type=SYSCALL msg=audit(1311790824.455:305): arch=x86_64 syscall=execve success=yes exit=0 a0=412940 a1=7fff7f4137d0 a2=7fff7f416848 a3=7fbaa25e17f8 items=3 ppid=1661 pid=13804 auid=4166 uid=0 gid=4166 euid=0 suid=0 fsuid=0 egid=4166 sgid=4166 fsgid=4166 tty=(none) ses=1 comm=gdm-crash-logge exe=/usr/libexec/gdm-crash-logger subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1311790824.455:305): cwd=/var/gdm

type=PATH msg=audit(1311790824.455:305): item=0 name=/usr/libexec/gdm-crash-logger inode=1459908 dev=00:13 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0

type=PATH msg=audit(1311790824.455:305): item=1 name=(null) inode=1457211 dev=00:13 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

type=PATH msg=audit(1311790824.455:305): item=2 name=(null) inode=1457211 dev=00:13 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

Hash: gdm-crash-logge,staff_t,xdm_log_t,file,append

audit2allow

#============= staff_t ==============
allow staff_t xdm_log_t:file append;

audit2allow -R

#============= staff_t ==============
allow staff_t xdm_log_t:file append;

Comment 1 Daniel Walsh 2011-08-02 18:23:57 UTC
I allowed this in F16.

Comment 2 Miroslav Grepl 2011-08-04 09:14:13 UTC
Fixed in selinux-policy-3.9.16-37.fc15

Comment 3 Fedora Update System 2011-08-05 14:00:18 UTC
selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Comment 4 Fedora Update System 2011-08-05 23:56:21 UTC
Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-08-12 18:20:25 UTC
Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-09-07 00:17:36 UTC
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.