Bug 753187 - SELinux is preventing /usr/bin/gnome-shell from 'execute' accesses on the file /usr/share/tucan-0.3.10/tucan.py.
Summary: SELinux is preventing /usr/bin/gnome-shell from 'execute' accesses on the fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f6661773e27e79a8098cb7aefc0...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-11 14:50 UTC by Peque
Modified: 2011-11-21 00:00 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.10.0-56.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 00:00:33 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Peque 2011-11-11 14:50:28 UTC 
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-7.fc16.x86_64
reason:         SELinux is preventing /usr/bin/gnome-shell from 'execute' accesses on the file /usr/share/tucan-0.3.10/tucan.py.
time:           Fri Nov 11 15:50:18 2011

description:
:SELinux is preventing /usr/bin/gnome-shell from 'execute' accesses on the file /usr/share/tucan-0.3.10/tucan.py.
:
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:
:If you want to allow gnome-shell to have execute access on the tucan.py file
:Then you need to change the label on /usr/share/tucan-0.3.10/tucan.py
:Do
:# semanage fcontext -a -t FILE_TYPE '/usr/share/tucan-0.3.10/tucan.py'
:where FILE_TYPE is one of the following: updpwd_exec_t, xdm_tmp_t, chkpwd_exec_t, hostname_exec_t, gkeyringd_exec_t, lib_t, init_exec_t, ld_so_t, shutdown_exec_t, abrt_helper_exec_t, alsa_exec_t, consoletype_exec_t, textrel_shlib_t, xdm_exec_t, policykit_auth_exec_t, pam_console_exec_t, bin_t, lib_t, etc_t, xserver_exec_t, dbusd_exec_t, loadkeys_exec_t, plymouth_exec_t, xauth_exec_t, ssh_agent_exec_t, mount_exec_t, shell_exec_t, rpm_exec_t, pulseaudio_exec_t, oddjob_mkhomedir_exec_t, pam_exec_t, systemd_systemctl_exec_t, fusermount_exec_t, xsession_exec_t, systemd_systemctl_exec_t. 
:Then execute: 
:restorecon -v '/usr/share/tucan-0.3.10/tucan.py'
:
:
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:
:If you believe that gnome-shell should be allowed execute access on the tucan.py file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep gnome-shell /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:usr_t:s0
:Target Objects                /usr/share/tucan-0.3.10/tucan.py [ file ]
:Source                        gnome-shell
:Source Path                   /usr/bin/gnome-shell
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           gnome-shell-3.2.1-2.fc16
:Target RPM Packages           tucan-0.3.10-0.2.alpha.fc15
:Policy RPM                    selinux-policy-3.10.0-55.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-7.fc16.x86_64 #1 SMP
:                              Tue Nov 1 21:10:48 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Fri 11 Nov 2011 03:11:38 PM CET
:Last Seen                     Fri 11 Nov 2011 03:46:30 PM CET
:Local ID                      cb2cae7b-ae61-40e3-8bec-17fa24230cb1
:
:Raw Audit Messages
:type=AVC msg=audit(1321022790.796:53): avc:  denied  { execute } for  pid=1292 comm="gnome-shell" name="tucan.py" dev=dm-0 ino=532105 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1321022790.796:53): arch=x86_64 syscall=access success=no exit=EACCES a0=1064774 a1=1 a2=6e69622f7273752f a3=32e40879a0 items=0 ppid=1211 pid=1292 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=1 comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: gnome-shell,xdm_t,usr_t,file,execute
:
:audit2allow
:
:#============= xdm_t ==============
:allow xdm_t usr_t:file execute;
:
:audit2allow -R
:
:#============= xdm_t ==============
:allow xdm_t usr_t:file execute;
:
Comment 1 Daniel Walsh 2011-11-11 15:53:33 UTC 
Miroslav 998e4fa419e916aa099ae8932435ae9366c8eec4 Fixes this.
Comment 2 Miroslav Grepl 2011-11-14 14:06:15 UTC 
Fixed in selinux-policy-3.10.0-56.fc16
Comment 3 Fedora Update System 2011-11-16 15:22:44 UTC 
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16
Comment 4 Fedora Update System 2011-11-17 23:30:26 UTC 
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2011-11-21 00:00:33 UTC 
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.