811560 – SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' accesses on the file /usr/share/jockey/jockey-backend.

Bug 811560 - SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' accesses on the file /usr/share/jockey/jockey-backend.

Summary: SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	16
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:53c73bdc07193c776ef226d870b...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-11 12:36 UTC by info
Modified:	2012-07-02 06:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.10.0-84.fc16
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-07-02 06:58:21 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description info 2012-04-11 12:36:09 UTC

libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.1-3.fc16.x86_64
reason:         SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' accesses on the file /usr/share/jockey/jockey-backend.
time:           Wed 11 Apr 2012 03:35:25 PM EEST

description:
:SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from 'execute' accesses on the file /usr/share/jockey/jockey-backend.
:
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:
:If you want to allow dbus-daemon-launch-helper to have execute access on the jockey-backend file
:Then you need to change the label on /usr/share/jockey/jockey-backend
:Do
:# semanage fcontext -a -t FILE_TYPE '/usr/share/jockey/jockey-backend'
:where FILE_TYPE is one of the following: bin_t, setroubleshootd_exec_t, sambagui_exec_t, kdumpgui_exec_t, firewallgui_exec_t, NetworkManager_exec_t, devicekit_disk_exec_t, dbusd_exec_t, gnomesystemmm_exec_t, cupsd_config_exec_t, accountsd_exec_t, devicekit_power_exec_t, shell_exec_t, dhcpc_exec_t, abrt_exec_t, rpm_exec_t, pulseaudio_exec_t, systemd_systemctl_exec_t, init_script_file_type, cpufreqselector_exec_t, pppd_exec_t, NetworkManager_initrc_exec_t, semanage_exec_t, avahi_exec_t, lib_t, debuginfo_exec_t, gconfd_exec_t, colord_exec_t, ld_so_t, abrt_helper_exec_t, modemmanager_exec_t, fprintd_exec_t, setroubleshoot_fixit_exec_t, sectoolm_exec_t, rtkit_daemon_exec_t, firewalld_exec_t, named_exec_t, consolekit_exec_t, textrel_shlib_t, gconfdefaultsm_exec_t, devicekit_exec_t, policykit_exec_t, policykit_auth_exec_t, kerneloops_exec_t, gnomeclock_exec_t. 
:Then execute: 
:restorecon -v '/usr/share/jockey/jockey-backend'
:
:
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:
:If you believe that dbus-daemon-launch-helper should be allowed execute access on the jockey-backend file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:usr_t:s0
:Target Objects                /usr/share/jockey/jockey-backend [ file ]
:Source                        dbus-daemon-lau
:Source Path                   /lib64/dbus-1/dbus-daemon-launch-helper
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           dbus-1.4.10-3.fc16.x86_64
:Target RPM Packages           jockey-0.9.6-2.fc16.noarch
:Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.1-3.fc16.x86_64 #1
:                              SMP Wed Apr 4 18:08:51 UTC 2012 x86_64 x86_64
:Alert Count                   3
:First Seen                    Wed 11 Apr 2012 01:29:59 PM EEST
:Last Seen                     Wed 11 Apr 2012 03:34:22 PM EEST
:Local ID                      edf228e2-21f5-4183-bb49-415e69dc8272
:
:Raw Audit Messages
:type=AVC msg=audit(1334147662.531:63): avc:  denied  { execute } for  pid=1741 comm="dbus-daemon-lau" name="jockey-backend" dev="dm-1" ino=266470 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1334147662.531:63): arch=x86_64 syscall=execve success=no exit=EACCES a0=7ab8b0 a1=7ab850 a2=7aa010 a3=14 items=0 ppid=1740 pid=1741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute
:
:audit2allow
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t usr_t:file execute;
:
:audit2allow -R
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t usr_t:file execute;
:

Comment 1 Miroslav Grepl 2012-04-12 08:13:27 UTC

This is fixed in -81.fc16 release.

You can download this release from

http://koji.fedoraproject.org/koji/buildinfo?buildID=307648

Comment 2 Fedora Update System 2012-04-18 12:56:13 UTC

selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 3 Fedora Update System 2012-04-22 03:38:36 UTC

selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Dan Mashal 2012-07-01 00:42:18 UTC

I am receiving this error in Fedora 17:


SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from execute access on the file /usr/local/libexec/msd-datetime-mechanism.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore dbus-daemon-launch-helper trying to execute access the msd-datetime-mechanism file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/lib64/dbus-1/dbus-daemon-launch-helper /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that dbus-daemon-launch-helper should be allowed execute access on the msd-datetime-mechanism file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/local/libexec/msd-datetime-mechanism [ file ]
Source                        dbus-daemon-lau
Source Path                   /usr/lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-1.4.10-4.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux Fedora17 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun
                              18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Sat 30 Jun 2012 05:04:18 PM PDT
Last Seen                     Sat 30 Jun 2012 05:39:42 PM PDT
Local ID                      c44ec7d4-dd86-49f1-9d32-d86c9f2ec29a

Raw Audit Messages
type=AVC msg=audit(1341103182.271:86): avc:  denied  { execute } for  pid=2115 comm="dbus-daemon-lau" name="msd-datetime-mechanism" dev="sda3" ino=2885176 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1341103182.271:86): arch=x86_64 syscall=execve success=no exit=EACCES a0=19717b0 a1=1970660 a2=1970010 a3=2d656d6974657461 items=0 ppid=2114 pid=2115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: dbus-daemon-lau,system_dbusd_t,usr_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Comment 5 Miroslav Grepl 2012-07-02 06:58:21 UTC

This is a new issue. Could you open a new bug please. Thank you.

Note You need to log in before you can comment on or make changes to this bug.