SELinux is preventing /usr/bin/gpk-dbus-service from 'read' accesses on the fichier /var/lib/PackageKit/desktop-files.db. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If vous souhaitez autoriser gpk-dbus-service à accéder à read sur desktop-files.db file Then you need to change the label on /var/lib/PackageKit/desktop-files.db Do # semanage fcontext -a -t FILE_TYPE '/var/lib/PackageKit/desktop-files.db' where FILE_TYPE is one of the following: udev_var_run_t, chkpwd_t, gconfd_t, pulseaudio_t, textrel_shlib_t, restorecond_exec_t, xguest_t, bin_t, cert_t, openoffice_exec_t, chroot_exec_t, rpm_script_tmp_t, usr_t, application_exec_type, xauth_t, default_context_t, xserver_exec_t, public_content_rw_t, noxattrfs, hwdata_t, locale_t, nsplugin_exec_t, system_dbusd_var_lib_t, fonts_t, proc_t, user_fonts_t, usbfs_t, policykit_auth_exec_t, chrome_sandbox_exec_t, selinux_config_t, loadkeys_exec_t, bin_t, cert_t, httpd_user_ra_content_t, httpd_user_rw_content_t, fonts_cache_t, lib_t, man_t, mnt_t, user_fonts_cache_t, xguest_gkeyringd_t, nsplugin_config_exec_t, ld_so_cache_t, usr_t, user_fonts_config_t, xserver_tmpfs_t, iceauth_exec_t, iceauth_home_t, xauth_exec_t, xauth_home_t, abrt_helper_exec_t, auth_cache_t, sysctl_type, locale_t, cupsd_rw_etc_t, sssd_public_t, etc_t, ld_so_t, telepathy_domain, dbusd_exec_t, security_t, src_t, sysfs_t, user_tmpfs_t, shell_exec_t, gconf_etc_t, passwd_exec_t, policykit_grant_exec_t, system_cronjob_var_lib_t, iceauth_t, chrome_sandbox_tmpfs_t, policykit_var_lib_t, oddjob_mkhomedir_exec_t, user_tmp_t, cupsd_etc_t, tetex_data_t, krb5_conf_t, xguest_dbusd_t, readable_t, xdm_tmp_t, alsa_etc_rw_t, gconf_tmp_t, abrt_var_run_t, java_exec_t, pulseaudio_exec_t, shell_exec_t, chkpwd_exec_t, xdm_etc_t, hplip_etc_t, sysctl_crypto_t, dbusd_etc_t, gkeyringd_exec_t, gconfd_exec_t, user_home_type, xdm_var_run_t, net_conf_t, rpm_var_cache_t, file_context_t, mono_exec_t, abrt_t, httpd_modules_t, lib_t, policykit_reload_t, httpd_user_content_t, samba_var_t, afs_cache_t, abrt_helper_exec_t, httpd_user_htaccess_t, rpm_var_lib_t, net_conf_t, chrome_sandbox_t, mozilla_plugin_exec_t, ld_so_t, chfn_exec_t, cert_type, etc_runtime_t, public_content_t, nsplugin_rw_t, anon_inodefs_t, config_usr_t, sysctl_kernel_t, httpd_user_script_exec_t, pcscd_var_run_t, gkeyringd_gnome_home_t, xsession_exec_t, sysctl_fs_t, noxattrfs, noxattrfs, usbfs_t, cert_t, noxattrfs, dosfs_t, user_tmp_t, NetworkManager_var_lib_t, user_home_type, proc_net_t, net_conf_t, httpd_user_script_exec_t. Then execute: restorecon -v '/var/lib/PackageKit/desktop-files.db' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that gpk-dbus-service should be allowed read access on the desktop-files.db file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gpk-dbus-servic /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context xguest_u:xguest_r:xguest_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib/PackageKit/desktop-files.db [ file ] Source gpk-dbus-servic Source Path /usr/bin/gpk-dbus-service Port <Inconnu> Host (removed) Source RPM Packages gnome-packagekit-3.0.0-5.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-38.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen lun. 19 sept. 2011 23:19:24 CEST Last Seen lun. 19 sept. 2011 23:19:24 CEST Local ID d2107799-710b-4090-9197-952beb322aff Raw Audit Messages type=AVC msg=audit(1316467164.95:707): avc: denied { read } for pid=14030 comm="gpk-dbus-servic" name="desktop-files.db" dev=dm-2 ino=1973414 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1316467164.95:707): arch=x86_64 syscall=open success=no exit=EACCES a0=2679a60 a1=0 a2=1a4 a3=2679a60 items=0 ppid=1 pid=14030 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=51 comm=gpk-dbus-servic exe=/usr/bin/gpk-dbus-service subj=xguest_u:xguest_r:xguest_t:s0 key=(null) Hash: gpk-dbus-servic,xguest_t,var_lib_t,file,read audit2allow #============= xguest_t ============== allow xguest_t var_lib_t:file read; audit2allow -R #============= xguest_t ============== allow xguest_t var_lib_t:file read;
That package should not be running on an xguest account. Fixed in xguest-1.0.10-1.fc15
xguest-1.0.10-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/xguest-1.0.10-1.fc15
Package xguest-1.0.10-1.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing xguest-1.0.10-1.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/xguest-1.0.10-1.fc15 then log in and leave karma (feedback).
xguest-1.0.10-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.