Bug 804436 - AVC from colord loading user ICC profile
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-03-18 19:20 UTC by Tom Hughes
Modified: 2012-03-19 20:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-19 14:43:47 UTC
Type: ---
Embargoed:



Description Tom Hughes 2012-03-18 19:20:06 UTC
Since calibrating my screen I get AVCs at login which cause gnome-shell to abort and present the error screen. The AVCs are:

time->Sun Mar 18 18:06:35 2012
type=AVC msg=audit(1332093995.735:99): avc:  denied  { read } for  pid=676 comm="dbus-daemon" path=2F686F6D652F746F6D2F2E6C6F63616C2F73686172652F6963632F47434D202D204153555354654B20436F6D707574657220494E435F202D20393030202D20756E6B6E6F776E2028323031322D30332D313629205B31392D34372D35365D2E696363 dev=sda1 ino=60022 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file
----
time->Sun Mar 18 18:06:35 2012
type=SYSCALL msg=audit(1332093995.755:100): arch=40000003 syscall=102 success=yes exit=16 a0=11 a1=b6dfe7d0 a2=44694ff4 a3=0 items=0 ppid=1 pid=1410 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332093995.755:100): avc:  denied  { read } for  pid=1410 comm="colord" path=2F686F6D652F746F6D2F2E6C6F63616C2F73686172652F6963632F47434D202D204153555354654B20436F6D707574657220494E435F202D20393030202D20756E6B6E6F776E2028323031322D30332D313629205B31392D34372D35365D2E696363 dev=sda1 ino=60022 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file
----
time->Sun Mar 18 18:06:35 2012
type=SYSCALL msg=audit(1332093995.993:101): arch=40000003 syscall=197 success=yes exit=0 a0=f a1=bf8ce2d0 a2=442c6ff4 a3=8bd1030 items=0 ppid=1 pid=1408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1332093995.993:101): avc:  denied  { getattr } for  pid=1408 comm="colord" path=2F686F6D652F746F6D2F2E6C6F63616C2F73686172652F6963632F47434D202D204153555354654B20436F6D707574657220494E435F202D20393030202D20756E6B6E6F776E2028323031322D30332D313629205B31392D34372D35365D2E696363 dev=sda1 ino=60022 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file

The file being accessed is the ICC profile in ~/.local/share/icc.
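
The `path=` values in the AVC records above are hex-encoded because the file name contains spaces; audit only writes a path as a quoted string when it has no such characters. The following is an added example, not part of the original report: it parses AVC denial lines, decodes the path, and pulls out the source and target SELinux types. The sample log lines and the paths in them are constructed.

```python
import re

# Constructed sample: a path containing a space, which audit emits as
# bare hex, followed by a path without one, which audit emits quoted.
SAMPLE_PATH = "/home/user/.local/share/icc/my profile.icc"
SAMPLE_LOG = (
    'type=AVC msg=audit(1332093995.755:100): avc:  denied  { read } for  '
    'pid=1410 comm="colord" path=' + SAMPLE_PATH.encode().hex().upper() +
    ' dev=sda1 ino=60022 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file\n'
    'type=AVC msg=audit(1332093995.993:101): avc:  denied  { getattr } for  '
    'pid=1408 comm="colord" path="/home/user/plain.icc" dev=sda1 ino=60023 '
    'scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+\Z')

def decode_audit_value(value):
    """Undo audit string encoding; only meant for string fields (comm, path)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]                      # quoted: literal text
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value                                # e.g. (null)

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "perms": m.group("perms").split(),
        "comm": decode_audit_value(fields.get("comm", "")),
        "path": decode_audit_value(fields.get("path", "")),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def summarize(log):
    return [r for r in map(parse_avc, log.splitlines()) if r]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["source_type"]} denied {r["perms"]} on {r["path"]} ({r["target_type"]})')
```
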

Comment 1 Miroslav Grepl 2012-03-19 14:43:47 UTC
Please execute

$ restorecon -R -v ~/.local/share/icc

Comment 2 Tom Hughes 2012-03-19 18:03:11 UTC
That has changed the label, which will presumably fix the problem, but shouldn't something have set it correctly when the file was created?

Comment 3 Daniel Walsh 2012-03-19 20:31:17 UTC
This is a problem with upgrading from older versions of SELinux.  If you remove the directory altogether it will get created with the correct label.

