Description of problem:
When unlocking printer configuration to add a printer in gnome3 received the above SELinux AVC Denial

SELinux is preventing /bin/systemd-tty-ask-password-agent from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that systemd-tty-ask-password-agent should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-tty-ask /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Context                system_u:system_r:systemd_passwd_agent_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-tty-ask
Source Path                   /bin/systemd-tty-ask-password-agent
Port                          <Unknown>
Host                          raykj
Source RPM Packages           systemd-36-3.fc16
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-40.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     raykj
Platform                      Linux raykj 3.1.0-0.rc10.git0.1.fc16.x86_64 #1 SMP Wed Oct 19 05:02:17 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 25 Oct 2011 09:40:52 AM EDT
Last Seen                     Tue 25 Oct 2011 09:40:52 AM EDT
Local ID                      76538dbc-1db3-48fb-a89a-0698a41d3997

Raw Audit Messages
type=AVC msg=audit(1319550052.178:188): avc: denied { dac_override } for pid=1295 comm="systemd-tty-ask" capability=1 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability

type=SYSCALL msg=audit(1319550052.178:188): arch=x86_64 syscall=open success=no exit=EACCES a0=125f370 a1=80901 a2=0 a3=2f6b636f6c622d64 items=0 ppid=1 pid=1295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-tty-ask exe=/bin/systemd-tty-ask-password-agent subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)

Hash: systemd-tty-ask,systemd_passwd_agent_t,systemd_passwd_agent_t,capability,dac_override

Version-Release number of selected component (if applicable):
Fedora 16 Beta

How reproducible:

Steps to Reproduce:
1. From gnome3 login, click on your name in upper right hand corner and select System Settings
2. Under hardware select Printers
3. Select the Unlock button in the upper right hand corner.
4. Input password and check for AVC denial

Actual results:

Expected results:

Additional info:
[root@raykj ~]# uname -r
3.1.0-0.rc10.git0.1.fc16.x86_64

[root@raykj ~]# rpm -qi kernel
Name        : kernel
Version     : 3.1.0
Release     : 0.rc10.git0.1.fc16
Architecture: x86_64
Install Date: Mon 24 Oct 2011 08:00:39 AM EDT
Group       : System Environment/Kernel
Size        : 116066972
License     : GPLv2
Signature   : RSA/SHA256, Wed 19 Oct 2011 02:52:21 PM EDT, Key ID 067f00b6a82ba4b7
Source RPM  : kernel-3.1.0-0.rc10.git0.1.fc16.src.rpm
Build Date  : Wed 19 Oct 2011 01:38:47 AM EDT
Build Host  : x86-14.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.kernel.org/
Summary     : The Linux kernel
Description :
The kernel package contains the Linux kernel (vmlinuz), the core of any
Linux operating system. The kernel handles the basic functions
of the operating system: memory allocation, process allocation, device
input and output, etc.

[root@raykj ~]# rpm -qi gnome-shell
Name        : gnome-shell
Version     : 3.2.1
Release     : 1.fc16
Architecture: x86_64
Install Date: Mon 24 Oct 2011 08:06:08 AM EDT
Group       : User Interface/Desktops
Size        : 4001285
License     : GPLv2+
Signature   : RSA/SHA256, Wed 19 Oct 2011 06:13:29 PM EDT, Key ID 067f00b6a82ba4b7
Source RPM  : gnome-shell-3.2.1-1.fc16.src.rpm
Build Date  : Wed 19 Oct 2011 01:48:23 AM EDT
Build Host  : x86-06.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://live.gnome.org/GnomeShell
Summary     : Window management and application launching for GNOME
Description :
GNOME Shell provides core user interface functions for the GNOME 3 desktop,
like switching to windows and launching applications. GNOME Shell takes
advantage of the capabilities of modern graphics hardware and introduces
innovative user interface concepts to provide a visually attractive and
easy to use experience.
And could you reproduce it with these steps

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate and then execute
# ausearch -m avc -ts recent
Here is the output:

[kevinj@raykj ~]$ sudo ausearch -m avc -ts recent
----
time->Wed Oct 26 08:14:09 2011
type=PATH msg=audit(1319631249.377:116): item=0 name="/dev/pts/0" inode=3 dev=00:0a mode=020620 ouid=1000 ogid=5 rdev=88:00 obj=unconfined_u:object_r:user_devpts_t:s0
type=CWD msg=audit(1319631249.377:116): cwd="/"
type=SYSCALL msg=audit(1319631249.377:116): arch=c000003e syscall=2 success=no exit=-13 a0=1f55370 a1=80901 a2=0 a3=2f6b636f6c622d64 items=1 ppid=1 pid=1343 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tty-ask" exe="/bin/systemd-tty-ask-password-agent" subj=system_u:system_r:systemd_passwd_agent_t:s0 key=(null)
type=AVC msg=audit(1319631249.377:116): avc: denied { dac_override } for pid=1343 comm="systemd-tty-ask" capability=1 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability
This looks like systemd_passwd_agent needs dac_override in order to talk to the user's terminal. I guess we need to add this.

ls -l `tty`
crw--w----. 1 dwalsh tty 136, 1 Oct 26 09:21 /dev/pts/1

Fixed in selinux-policy-3.10.0-51.fc16
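Added example, not part of the original bug comments: a short Python triage script that correlates the PATH, SYSCALL and AVC records of the event posted above and redoes the owner/group/other check, showing why a uid 0 process opening another user's pty for writing ends up needing dac_override. The function names are illustrative, and the records are copied from the ausearch output in this report, trimmed to the fields the script reads.

```python
import re
from collections import defaultdict

# Records from the ausearch output in this report, trimmed to the fields used below.
RECORDS = [
    'type=PATH msg=audit(1319631249.377:116): item=0 name="/dev/pts/0" '
    'mode=020620 ouid=1000 ogid=5',
    'type=SYSCALL msg=audit(1319631249.377:116): syscall=2 success=no exit=-13 '
    'a1=80901 uid=0 gid=0 fsuid=0 fsgid=0 comm="systemd-tty-ask"',
    'type=AVC msg=audit(1319631249.377:116): avc:  denied  { dac_override } for '
    'pid=1343 comm="systemd-tty-ask" capability=1 tclass=capability',
]

def fields(record):
    """Split one audit record into a dict of its key=value pairs."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def dac_allows(path, syscall):
    """Owner/group/other check for the open() described by a SYSCALL record.
    Assumption: supplementary groups are not logged, so only fsgid is compared."""
    mode = int(path["mode"], 8)                 # audit logs the mode in octal
    access = int(syscall["a1"], 16) & 0o3       # open() flags: O_ACCMODE bits
    want = {0: 0o4, 1: 0o2, 2: 0o6}.get(access, 0o6)  # RDONLY, WRONLY, RDWR
    if syscall["fsuid"] == path["ouid"]:
        bits = mode >> 6
    elif syscall["fsgid"] == path["ogid"]:
        bits = mode >> 3
    else:
        bits = mode
    return (bits & want) == want

def explain(records):
    """Return (event id, path, denied permission, dac_allows) per AVC event with a PATH."""
    events = defaultdict(dict)
    for rec in records:
        f = fields(rec)
        event_id = re.search(r"audit\(([^)]+)\)", f["msg"]).group(1)
        events[event_id][f["type"]] = (f, rec)
    out = []
    for event_id, recs in events.items():
        if not {"AVC", "PATH", "SYSCALL"} <= recs.keys():
            continue
        perm = re.search(r"\{ (\w+) \}", recs["AVC"][1]).group(1)
        path, syscall = recs["PATH"][0], recs["SYSCALL"][0]
        out.append((event_id, path["name"], perm, dac_allows(path, syscall)))
    return out

if __name__ == "__main__":
    for row in explain(RECORDS):
        print(row)
```

A False in the last column means the file mode alone does not grant the requested access, so the kernel falls back to CAP_DAC_OVERRIDE, which is the capability the AVC record shows SELinux denying.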
Yes, it needs.
selinux-policy-3.10.0-51.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-51.fc16
Package selinux-policy-3.10.0-51.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-51.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-15029
then log in and leave karma (feedback).
That seemed to work! Thanks!
selinux-policy-3.10.0-51.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.