libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.2.6-3.fc16.i686
reason: SELinux is preventing /usr/libexec/colord from 'execstack' accesses on the None .
time: Sun 19 Feb 2012 07:37:34 PM CET

description:
:SELinux is preventing /usr/libexec/colord from 'execstack' accesses on the None .
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that colord should be allowed execstack access on the <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep colord /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:colord_t:s0-s0:c0.c1023
:Target Objects                [ None ]
:Source                        colord
:Source Path                   /usr/libexec/colord
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           colord-0.1.15-2.fc16.i686
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.6-3.fc16.i686 #1
:                              SMP Mon Feb 13 20:52:22 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    Sun 19 Feb 2012 07:33:05 PM CET
:Last Seen                     Sun 19 Feb 2012 07:33:05 PM CET
:Local ID                      1056b283-1001-4142-b079-4120fee62f45
:
:Raw Audit Messages
:type=AVC msg=audit(1329676385.366:54): avc: denied { execstack } for pid=1449 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=process
node=(removed) type=SYSCALL msg=audit(1329676385.366:54): arch=40000003 syscall=125 success=no exit=-13 a0=bf9a9000 a1=1000 a2=1000007 a3=bf9a85a8 items=0 ppid=1 pid=1449 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: colord,colord_t,colord_t,None,execstack
:
:audit2allow
:
:
:audit2allow -R
:
:
colord should not need this access.
Could be a library that is causing this access. Raphael, could you run this program on your system? http://people.redhat.com/sgrubb/security/find-execstack
[raphael@localhost ~]$ sudo ./find-execstack.sh
[sudo] password for raphael:
/sbin/grub2-probe grub2-1.99-13.fc16.src.rpm
/sbin/grub2-setup grub2-1.99-13.fc16.src.rpm
/sbin/grub2-mkdevicemap grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-script-check grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-mklayout grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-mkimage grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-mkrelpath grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-fstest grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-mkpasswd-pbkdf2 grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-mkfont grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-editenv grub2-1.99-13.fc16.src.rpm
/usr/bin/grub2-menulst2cfg grub2-1.99-13.fc16.src.rpm
Have you seen this happen again or just once?
It happens every time I boot my system: The SELinux alert always pops up just after logging into GNOME.
Does colord have some built in java or jre stuff?
(In reply to comment #6)
> Does colord have some built in java or jre stuff?

Sorry, I've no idea ... In fact I never used that programme - it's just installed on my system because it's included in standard Gnome/F16 installation.

I'm not quite sure but I think that this problem didn't occur just after fresh installation of F16. Could it be that installing the proprietary Brother printer and scanner drivers (I've got a DCP-7030 multifunction printer) caused the problem (cos 'Brother - DCP7030' is listed therein)?
Yes, I would figure this is the problem. Could you look to see if any of the libraries in the package are marked with the execstack flag? http://danwalsh.livejournal.com/38736.html
[raphael@localhost ~]$ sudo find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
X /usr/lib/sane/libsane-brother3.so
X /usr/lib/sane/libsane-brother3.so.1.0.7
X /usr/lib/sane/libsane-brother3.so.1
X /usr/lib/grub2/i386-pc/kernel.img
[raphael@localhost ~]$ sudo yum whatprovides *libsane-brother3.so*
Loaded plugins: langpacks, presto, refresh-packagekit, remove-with-leaves
updates/filelists_db | 7.4 MB 00:28
brscan3-0.2.11-4.i386 : Brother Scanner Driver
Repo : @/brscan3-0.2.11-4.i386
Matched from:
Filename : /usr/lib/sane/libsane-brother3.so.1.0.7
Filename : /usr/lib/sane/libsane-brother3.so.1
Filename : /usr/lib/sane/libsane-brother3.so
[raphael@localhost ~]$ sudo execstack -c /usr/lib/sane/libsane-brother3.so.1.0.7
[raphael@localhost ~]$ sudo execstack -c /usr/lib/sane/libsane-brother3.so.1
[raphael@localhost ~]$ sudo execstack -c /usr/lib/sane/libsane-brother3.so
[raphael@localhost ~]$ sudo find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
X /usr/lib/grub2/i386-pc/kernel.img

Indeed it is ... Sorry for posting this bug here which in fact is a bug in the proprietary Brother scanner driver. Next time I'll consider buying an HP multifunction printer with no need of proprietary drivers. =)

Thanks a lot for your help!
PS: I've sent a message to Brother explaining this bug. Let's see if they'll fix it ...
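The `execstack -q` check used in this thread reports the flags of each ELF file's PT_GNU_STACK program header, which is what marked the Brother libraries with `X`. The following Python script is an added example, not part of the original thread and not the execstack tool's own code, that reads the same header for 32- and 64-bit ELF files; `stack_flag` and `sample_elf32` are hypothetical names and the sample bytes are constructed.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_flag(data):
    """Return 'X' (executable stack requested), '-' (not requested),
    '?' (no PT_GNU_STACK marker) or None (not a parsable ELF file)."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    if is64 and len(data) < 64:
        return None
    # e_phoff and e_phentsize/e_phnum sit at different offsets per ELF class.
    e_phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x20 if is64 else 0x1C)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36 if is64 else 0x2A)
    flags_off = 4 if is64 else 24           # position of p_flags inside one program header
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + flags_off + 4 > len(data):
            return None                     # truncated program header table
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, off + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"

def sample_elf32(p_flags, p_type=PT_GNU_STACK):
    """Constructed sample: 32-bit little-endian ELF header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", p_type, 0, 0, 0, 0, 0, p_flags, 16)

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. the libsane-brother3.so files from the thread
        with open(path, "rb") as fh:
            print(stack_flag(fh.read()), path)
```

Run with library paths as arguments, it prints one flag per file in the same `X` / `-` / `?` style as the `execstack -q` output above.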