Bug 741086 - SELinux is preventing /usr/libexec/colord from using the 'execmem' accesses on a process.
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: colord
Version: 19
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:203325be915...
Duplicates: 728731
 
Reported: 2011-09-25 07:38 UTC by Lari Tanase
Modified: 2013-04-24 10:29 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-04-24 10:29:00 UTC



Description Lari Tanase 2011-09-25 07:38:52 UTC
SELinux is preventing /usr/libexec/colord from using the 'execmem' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed execmem access on processes labeled colord_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1
                              SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 25 Sep 2011 09:34:31 AM CEST
Last Seen                     Sun 25 Sep 2011 09:34:31 AM CEST
Local ID                      0c0ceaed-0dea-487d-8608-e6f34be1b32c

Raw Audit Messages
type=AVC msg=audit(1316936071.361:103): avc:  denied  { execmem } for  pid=1297 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1316936071.361:103): arch=x86_64 syscall=mmap success=yes exit=140508849758208 a0=0 a1=801000 a2=7 a3=20022 items=0 ppid=1 pid=1297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,colord_t,process,execmem

audit2allow

#============= colord_t ==============
allow colord_t self:process execmem;

audit2allow -R

#============= colord_t ==============
allow colord_t self:process execmem;
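
Decoding the raw audit messages in the description shows what kind of mapping colord asked for. This is an added example, not part of the bug report or of colord or setroubleshoot; the helper names (fields, names, explain) are made up for it, and the SYSCALL line is trimmed to the fields the code reads.

```python
import re

# Bit values from the Linux x86_64 mman headers.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x20000: "MAP_STACK"}

# The two records from the report (SYSCALL line trimmed to the fields used).
AVC = ('type=AVC msg=audit(1316936071.361:103): avc:  denied  { execmem } for  pid=1297 '
       'comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=process')
SYSCALL = ('type=SYSCALL msg=audit(1316936071.361:103): arch=x86_64 syscall=mmap '
           'success=yes exit=140508849758208 a0=0 a1=801000 a2=7 a3=20022 items=0 '
           'ppid=1 pid=1297 comm=colord exe=/usr/libexec/colord')

def fields(record):
    """Return the key=value pairs of one audit record plus its event id."""
    out = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    out["event"] = re.search(r'msg=audit\(([^)]+)\)', record).group(1)
    return out

def names(value, table):
    """Decode a bitmask into flag names; bits not in the table are shown in hex."""
    known = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return known + ([hex(rest)] if rest else [])

def explain(avc_line, syscall_line):
    """Pair an execmem AVC with its mmap SYSCALL record and decode the request."""
    avc, sc = fields(avc_line), fields(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("records belong to different audit events")
    perms = re.search(r'\{ ([^}]+) \}', avc_line).group(1).split()
    if "execmem" not in perms or sc["syscall"] != "mmap":
        raise ValueError("not an execmem denial raised by mmap")
    # The a0..a3 syscall arguments are logged in hexadecimal.
    length, prot, flags = (int(sc[k], 16) for k in ("a1", "a2", "a3"))
    return {
        "domain": avc["scontext"].split(":")[2],
        "length": length,
        "prot": names(prot, PROT),
        "flags": names(flags, MAP),
        # An executable anonymous mapping is a case that needs execmem.
        "exec": bool(prot & 0x4),
        "anonymous": bool(flags & 0x20),
    }
```

For these records the request is a private, anonymous, MAP_STACK mapping of 0x801000 bytes with read, write and execute all set. The SYSCALL record says success=yes because the host was in Permissive mode, so the denial was logged but not enforced.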

Comment 1 Miroslav Grepl 2011-09-26 07:34:02 UTC
colord should not require this access.

http://www.akkadia.org/drepper/selinux-mem.html

Comment 2 Richard Hughes 2011-09-26 08:02:29 UTC
If you change /etc/colord.conf to say UseSANE=false and reboot, does the execmem go away?

Comment 3 Richard Hughes 2011-11-15 12:11:41 UTC
*** Bug 728731 has been marked as a duplicate of this bug. ***

Comment 4 Fedora End Of Life 2013-04-03 15:01:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

