Bug 757405 - SELinux is preventing /usr/libexec/gsd-datetime-mechanism from 'read' accesses on the plik /proc/<pid>/cmdline.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a8ac3199845...
Depends On:
Blocks:
Reported: 2011-11-26 20:51 UTC by Maciej Kaczmarek
Modified: 2012-02-18 03:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-02 13:19:07 UTC
Type: ---



Description Maciej Kaczmarek 2011-11-26 20:51:08 UTC
SELinux is preventing /usr/libexec/gsd-datetime-mechanism from 'read' accesses on the plik /proc/<pid>/cmdline.

*****  Plugin catchall (100. confidence) suggests  ***************************

If aby gsd-datetime-mechanism powinno mieć domyślnie read dostęp do cmdline file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep gsd-datetime-me /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                /proc/<pid>/cmdline [ file ]
Source                        gsd-datetime-me
Source Path                   /usr/libexec/gsd-datetime-mechanism
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           gnome-settings-daemon-3.0.1-8.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug
                              16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    czw, 25 sie 2011, 22:38:09
Last Seen                     czw, 25 sie 2011, 22:38:09
Local ID                      e74efc7f-0f0c-4263-9f3b-746d94eb6378

Raw Audit Messages
type=AVC msg=audit(1314304689.649:316): avc:  denied  { read } for  pid=10492 comm="gsd-datetime-me" path="/proc/28713/cmdline" dev=proc ino=87801 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file


type=AVC msg=audit(1314304689.649:316): avc:  denied  { read } for  pid=10492 comm="gsd-datetime-me" path="/proc/2860/cmdline" dev=proc ino=101987 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file


type=SYSCALL msg=audit(1314304689.649:316): arch=x86_64 syscall=execve success=yes exit=0 a0=15cc760 a1=15cc710 a2=15cb010 a3=6473672f63657865 items=0 ppid=10491 pid=10492 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=gsd-datetime-me exe=/usr/libexec/gsd-datetime-mechanism subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: gsd-datetime-me,gnomeclock_t,xdm_t,file,read

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t xdm_t:file read;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t xdm_t:file read;

Comment 1 Daniel Walsh 2011-11-29 02:38:41 UTC
What were you doing when this happened?

Comment 2 Maciej Kaczmarek 2011-12-01 19:07:00 UTC
(In reply to comment #1)
> What were you doing when this happened?

Hello

I don't remember what I did when that error occurred. SELinux Alert browser says that it happened 25.08.2011 at 22:38 CEST.

If I remember well I played Pegnum Online (game).

Comment 3 Daniel Walsh 2011-12-02 13:19:07 UTC
Don't worry about it.  This looks like gdm sending a dbus message to gnomeclock and gnomeclock checking out the cmdline of the app that sent the dbus message.  The strange thing is, I don't see why gdm would be communicating with gnomeclock.  I will close this for now since it has not happened since August. Please reopen if it happens again.
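The denial records in the description reduce to the same type-enforcement tuple that the Hash line and the audit2allow output show. This added example is not part of the bug report or of any SELinux tool; it parses the records in Python and lists the /proc PIDs whose owning domain differs from the reader's. The function names are hypothetical, and the sample records are copied from this page.

```python
import re
from collections import defaultdict
# Audit records copied from the report on this page, embedded to run offline.
SAMPLE = """\
type=AVC msg=audit(1314304689.649:316): avc:  denied  { read } for  pid=10492 comm="gsd-datetime-me" path="/proc/28713/cmdline" dev=proc ino=87801 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1314304689.649:316): avc:  denied  { read } for  pid=10492 comm="gsd-datetime-me" path="/proc/2860/cmdline" dev=proc ino=101987 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1314304689.649:316): arch=x86_64 syscall=execve success=yes exit=0 a0=15cc760 a1=15cc710 a2=15cb010 a3=6473672f63657865 items=0 ppid=10491 pid=10492 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=gsd-datetime-me exe=/usr/libexec/gsd-datetime-mechanism subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_PID_RE = re.compile(r"^/proc/(\d+)/")

def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec["stype"], rec["ttype"] = (rec[c].split(":")[2] for c in ("scontext", "tcontext"))
    return rec

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        m = PROC_PID_RE.match(rec.get("path", ""))
        if m:  # /proc/<pid>/* carries the context of process <pid>
            g["pids"].add(int(m.group(1)))
    return dict(groups)

def te_rule(key, perms):
    """Render a group in the form audit2allow prints."""
    p = sorted(perms)
    perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {key[0]} {key[1]}:{key[2]} {perm_txt};"

def cross_domain_proc_reads(groups):
    """PIDs whose /proc entries were read by a process in a different domain."""
    return {k: sorted(g["pids"]) for k, g in groups.items()
            if g["pids"] and k[0] != k[1] and "read" in g["perms"]}

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(te_rule(key, g["perms"]), "# /proc pids:", sorted(g["pids"]))
```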

Comment 4 Tony Browning 2012-02-18 03:38:48 UTC
Happened to me recently, but I'm going to try updating, all I know to do, because now I have lost my clock, if this is connected.

Comment 5 Tony Browning 2012-02-18 03:41:12 UTC
Happened to me recently, but I'm going to try updating, all I know to do, because now I have lost my clock, if this is connected.

