Bug 748085 - SELinux is preventing /usr/bin/gnome-keyring-daemon from 'write' accesses on the directory /home/james.cape/.gnome2/keyrings.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a745998b4d8f2fb063f9328fb43...
Duplicates: 748086 748088 748089 748090 748091 748092 748093 748094 748095 748096 748097 748098 748099 748100 748101 748102 748103 748104 748105 748106 748107 748108 748109
Depends On:
Blocks:
Reported: 2011-10-22 01:21 UTC by James Cape
Modified: 2011-10-26 17:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-26 17:35:36 UTC
Type: ---
Embargoed:



Description James Cape 2011-10-22 01:21:12 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc10.git0.1.fc16.x86_64
reason:         SELinux is preventing /usr/bin/gnome-keyring-daemon from 'write' accesses on the directory /home/james.cape/.gnome2/keyrings.
time:           Fri Oct 21 20:21:02 2011

description:
:SELinux is preventing /usr/bin/gnome-keyring-daemon from 'write' accesses on the directory /home/james.cape/.gnome2/keyrings.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that gnome-keyring-daemon should be allowed write access on the keyrings directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep gnome-keyring-d /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:gkeyringd_gnome_home_t:s0
:Target Objects                /home/james.cape/.gnome2/keyrings [ dir ]
:Source                        gnome-keyring-d
:Source Path                   /usr/bin/gnome-keyring-daemon
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           gnome-keyring-3.2.1-1.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-40.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux orwell.ignore-your.tv
:                              3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19
:                              05:02:17 UTC 2011 x86_64 x86_64
:Alert Count                   1
:First Seen                    Fri 21 Oct 2011 08:20:46 PM CDT
:Last Seen                     Fri 21 Oct 2011 08:20:46 PM CDT
:Local ID                      2113ce51-3814-4729-8b03-49a2455a02a1
:
:Raw Audit Messages
:type=AVC msg=audit(1319246446.788:340): avc:  denied  { write } for  pid=4300 comm="gnome-keyring-d" name="keyrings" dev=dm-1 ino=125667 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=dir
:
:
:type=AVC msg=audit(1319246446.788:340): avc:  denied  { add_name } for  pid=4300 comm="gnome-keyring-d" name="login.keyring" dev=dm-1 ino=2056589 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=dir
:
:
:type=AVC msg=audit(1319246446.788:340): avc:  denied  { link } for  pid=4300 comm="gnome-keyring-d" name="login.keyring" dev=dm-1 ino=2056589 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1319246446.788:340): arch=x86_64 syscall=link success=yes exit=0 a0=21365e0 a1=7f8c4002eff0 a2=0 a3=7f8c49fe07d0 items=0 ppid=1 pid=4300 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm=gnome-keyring-d exe=/usr/bin/gnome-keyring-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: gnome-keyring-d,xdm_t,gkeyringd_gnome_home_t,dir,write
:
:audit2allow
:
:#============= xdm_t ==============
:#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
:# cgroup_t, user_home_dir_t, var_lock_t, root_t, tmp_t, var_t, locale_t, var_auth_t, tmpfs_t, user_fonts_t, xdm_spool_t, user_tmp_t, fonts_cache_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, var_spool_t, user_home_t, faillog_t, var_lib_t, var_run_t, data_home_t, xdm_tmp_t, var_log_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, gconf_home_t, xkb_var_lib_t, xdm_rw_etc_t, gnome_home_t, admin_home_t, xdm_home_t, pam_var_console_t, user_tmpfs_type, tmp_t, krb5_host_rcache_t
:
:allow xdm_t gkeyringd_gnome_home_t:dir { write add_name };
:allow xdm_t gkeyringd_gnome_home_t:file link;
:
:audit2allow -R
:
:#============= xdm_t ==============
:#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
:# cgroup_t, user_home_dir_t, var_lock_t, root_t, tmp_t, var_t, locale_t, var_auth_t, tmpfs_t, user_fonts_t, xdm_spool_t, user_tmp_t, fonts_cache_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, var_spool_t, user_home_t, faillog_t, var_lib_t, var_run_t, data_home_t, xdm_tmp_t, var_log_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, pcscd_var_run_t, gconf_home_t, xkb_var_lib_t, xdm_rw_etc_t, gnome_home_t, admin_home_t, xdm_home_t, pam_var_console_t, user_tmpfs_type, tmp_t, krb5_host_rcache_t
:
:allow xdm_t gkeyringd_gnome_home_t:dir { write add_name };
:allow xdm_t gkeyringd_gnome_home_t:file link;
:

Comment 1 Miroslav Grepl 2011-10-24 05:39:45 UTC
I am looking at your bugs and something is wrong with your system.

Could you try to reinstall the policy

# yum reinstall selinux-policy-targeted

and make sure nothing blows up on reinstall.

Also what is your output of

# id -Z

# semanage login -l


Is this a fresh install or did you do an upgrade?

Comment 2 Miroslav Grepl 2011-10-24 05:39:54 UTC
*** Bug 748086 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2011-10-24 05:40:04 UTC
*** Bug 748088 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2011-10-24 05:40:13 UTC
*** Bug 748089 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2011-10-24 05:40:26 UTC
*** Bug 748090 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2011-10-24 05:40:36 UTC
*** Bug 748091 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2011-10-24 05:40:52 UTC
*** Bug 748092 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2011-10-24 05:41:01 UTC
*** Bug 748093 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2011-10-24 05:41:11 UTC
*** Bug 748094 has been marked as a duplicate of this bug. ***

Comment 10 Miroslav Grepl 2011-10-24 05:42:26 UTC
*** Bug 748095 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2011-10-24 05:42:34 UTC
*** Bug 748096 has been marked as a duplicate of this bug. ***

Comment 12 Miroslav Grepl 2011-10-24 05:42:40 UTC
*** Bug 748097 has been marked as a duplicate of this bug. ***

Comment 13 Miroslav Grepl 2011-10-24 05:42:47 UTC
*** Bug 748098 has been marked as a duplicate of this bug. ***

Comment 14 Miroslav Grepl 2011-10-24 05:42:55 UTC
*** Bug 748099 has been marked as a duplicate of this bug. ***

Comment 15 Miroslav Grepl 2011-10-24 05:43:03 UTC
*** Bug 748100 has been marked as a duplicate of this bug. ***

Comment 16 Miroslav Grepl 2011-10-24 05:43:10 UTC
*** Bug 748101 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2011-10-24 05:43:18 UTC
*** Bug 748102 has been marked as a duplicate of this bug. ***

Comment 18 Miroslav Grepl 2011-10-24 05:43:26 UTC
*** Bug 748103 has been marked as a duplicate of this bug. ***

Comment 19 Miroslav Grepl 2011-10-24 05:43:36 UTC
*** Bug 748104 has been marked as a duplicate of this bug. ***

Comment 20 Miroslav Grepl 2011-10-24 05:43:45 UTC
*** Bug 748105 has been marked as a duplicate of this bug. ***

Comment 21 Miroslav Grepl 2011-10-24 05:46:05 UTC
*** Bug 748106 has been marked as a duplicate of this bug. ***

Comment 22 Miroslav Grepl 2011-10-24 05:46:55 UTC
*** Bug 748108 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2011-10-24 05:47:04 UTC
*** Bug 748109 has been marked as a duplicate of this bug. ***

Comment 24 Miroslav Grepl 2011-10-24 05:47:44 UTC
*** Bug 748107 has been marked as a duplicate of this bug. ***

Comment 25 Daniel Walsh 2011-10-24 13:11:37 UTC
This looks like you logged into the system as xdm_t, which should not happen.  Did you modify some of the pam modules?

Also, when you see an explosion of AVCs like this, please do not report each individually. Attempt to look at them and see if they seem to be similar, as in every one of them refers to xdm_t, then just add a comment that you have several others that are similar. Reporting this many bugs just wastes our time and yours, since we have to close them all as dups.
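
The triage described in comment 25, as an added example (not part of the original thread and not setroubleshoot's code): it parses the raw AVC records from this report, merges them per source type, target type and class, and checks whether every denial shares one source domain. The function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC records from the report above; the SYSCALL line is shortened.
SAMPLE = """\
type=AVC msg=audit(1319246446.788:340): avc:  denied  { write } for  pid=4300 comm="gnome-keyring-d" name="keyrings" dev=dm-1 ino=125667 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=dir
type=AVC msg=audit(1319246446.788:340): avc:  denied  { add_name } for  pid=4300 comm="gnome-keyring-d" name="login.keyring" dev=dm-1 ino=2056589 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=dir
type=AVC msg=audit(1319246446.788:340): avc:  denied  { link } for  pid=4300 comm="gnome-keyring-d" name="login.keyring" dev=dm-1 ino=2056589 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gkeyringd_gnome_home_t:s0 tclass=file
type=SYSCALL msg=audit(1319246446.788:340): arch=x86_64 syscall=link success=yes exit=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    # Contexts are user:role:type:level; the MLS level (s0-s0:c0.c1023) can
    # contain ':' itself, so take field 2 instead of splitting from the right.
    return context.split(":")[2]

def parse_avcs(text):
    """Return one dict per AVC denial; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({"source": se_type(m["scon"]), "target": se_type(m["tcon"]),
                            "tclass": m["tclass"], "perms": m["perms"].split()})
    return records

def group_denials(records):
    """Merge permissions per (source type, target type, class) triple."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["source"], r["target"], r["tclass"])].update(r["perms"])
    return dict(groups)

def common_source(records):
    """Source domain shared by every denial, or None if they differ."""
    sources = {r["source"] for r in records}
    return sources.pop() if len(sources) == 1 else None

if __name__ == "__main__":
    recs = parse_avcs(SAMPLE)
    print("common source domain:", common_source(recs))
    for (src, tgt, cls), perms in sorted(group_denials(recs).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

When every denial collapses to one source domain, as with xdm_t here, the records belong in a single report with a note about the similar ones.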

Comment 26 James Cape 2011-10-26 15:30:41 UTC
This started happening after the last relabel.

I've since updated selinux-policy to the latest version, and forced another relabel of the FS, and it appears as though things are working now.

Comment 27 Daniel Walsh 2011-10-26 17:35:36 UTC
Ok then I am closing the bug.

