Bug 829850 - SELinux is preventing /usr/bin/updatedb from search access on the directory .kde
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2012-06-07 12:44 EDT by GoinEasy9
Modified: 2012-06-22 22:56 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-22 04:50:17 EDT
Type: Bug

Attachments
messages-20120610 (1.65 MB, text/plain)
2012-06-10 14:42 EDT, GoinEasy9

Description GoinEasy9 2012-06-07 12:44:51 EDT
Description of problem: SELinux alert F17 KDE x86-64 UEFI install


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-128.fc17.noarch

Steps to Reproduce:
1. AVC notification appears on panel at random times
Additional info:

SELinux is preventing /usr/bin/updatedb from search access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed search access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           mlocate-0.25-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 07 Jun 2012 12:30:07 PM EDT
Last Seen                     Thu 07 Jun 2012 12:30:07 PM EDT
Local ID                      876e91fc-0673-46f8-99e7-4225f7994888

Raw Audit Messages
type=AVC msg=audit(1339086607.244:70): avc:  denied  { search } for  pid=3378 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339086607.244:70): arch=x86_64 syscall=chdir success=no exit=EACCES a0=b627a9 a1=0 a2=7fffbd207250 a3=0 items=0 ppid=3372 pid=3378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,gnomeclock_t,dir,search

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 1 Daniel Walsh 2012-06-07 14:53:05 EDT
This looks like someone put a label of gnomeclock_t on a directory.  This is a process label and should never be on a file.

touch /.autorelabel; reboot

Your machine is badly mislabeled.  If you put this label on the machine yourself, did you use the semanage command?
Comment 2 GoinEasy9 2012-06-07 21:35:42 EDT
Thanks Dan.

I usually just follow the fixes in the "Details" when I get an AVC notification.  Although a semanage command may have been in one of the fixes, I may have copy/pasted it incorrectly.  I did, however, use the touch ./autorelabel; reboot fix before this, but the AVC errors returned.

I did just run touch ./autorelabel; reboot again, so, instead of waiting till I get frustrated, I'll report the problem first before trying the next fix myself.  Hopefully, after this autorelabel, it will be fixed.

FYI - This install was done using UEFI mode on an ASUS Sabertooth motherboard.  I had to turn SELinux off to do the install because an error came up complaining that it couldn't label a file in the FAT16 partition used for the ESP.  When I noticed SELinux was not enabled, I changed the line in /etc/selinux/config to enforcing and rebooted.  It seemed to complete the labeling without a problem.

Thanks again
Comment 3 Daniel Walsh 2012-06-08 06:40:25 EDT
Ok very strange that you would get a process label on a directory.
Comment 4 GoinEasy9 2012-06-09 19:51:43 EDT
So, 24 hours without an AVC notification, then, after using the computer for about half an hour, I get the notification icon, and I see gnomeclock_t in the Hash within the details.

SELinux is preventing /usr/bin/updatedb from search access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed search access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           mlocate-0.25-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 07 Jun 2012 12:30:07 PM EDT
Last Seen                     Sat 09 Jun 2012 07:24:08 PM EDT
Local ID                      876e91fc-0673-46f8-99e7-4225f7994888

Raw Audit Messages
type=AVC msg=audit(1339284248.978:70): avc:  denied  { search } for  pid=3606 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339284248.978:70): arch=x86_64 syscall=chdir success=no exit=EACCES a0=8ce7a9 a1=0 a2=7fffbd456470 a3=0 items=0 ppid=3600 pid=3606 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,gnomeclock_t,dir,search

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied


I did notice the Hard Disk light working, I guess it was looking for updates, just before the notification appeared.  I did do an update and a reboot before shutting down last night.  No notification at that time.

I opened up Krusader to see what updates came in last night and got another AVC error:

SELinux is preventing /usr/bin/krusader from write access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that krusader should be allowed write access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krusader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        krusader
Source Path                   /usr/bin/krusader
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           krusader-2.4.0-0.4.beta1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   19
First Seen                    Thu 07 Jun 2012 02:07:40 PM EDT
Last Seen                     Sat 09 Jun 2012 07:35:43 PM EDT
Local ID                      f5f2f0f1-a567-4b9f-8614-660f28a1a868

Raw Audit Messages
type=AVC msg=audit(1339284943.186:91): avc:  denied  { write } for  pid=4489 comm="krusader" name=".kde" dev="sda3" ino=1700610 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339284943.186:91): arch=x86_64 syscall=access success=no exit=EACCES a0=2733758 a1=2 a2=200 a3=2f items=0 ppid=4486 pid=4489 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=krusader exe=/usr/bin/krusader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: krusader,unconfined_t,gnomeclock_t,dir,write

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied


I also noticed when opening up mypol.pp that gnomeclock_t is visible in that file.  Is it safe to remove mypol.pp and mypol.te before doing another relabel?  It probably is, but I'd like an affirmation from you.  This is what's written in the mypol.te file:

module mypol 1.0;

require {
	type gnomeclock_t;
	type locate_t;
	class dir getattr;
}

#============= locate_t ==============
allow locate_t gnomeclock_t:dir getattr;

I'm only just starting to understand the labeling, but this doesn't look right to me.
Comment 5 GoinEasy9 2012-06-10 14:31:08 EDT
OK, I couldn't wait, so, I moved the mypol* files out of the way, downloaded the most recent selinux-policy, selinux-policy-targeted and selinux-policy-devel from koji.  Did a touch ./autorelabel and a reboot.

Went into krusader, had no AVC errors.  Worked on gmail with Firefox, browsed reddit, looked at some videos linked to on Google+, then first AVC error.

-----------------------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/totem-plugin-viewer from execute access on the file /home/GoinEasy9/.orc/orcexec.VuogEQ (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that totem-plugin-viewer should be allowed execute access on the orcexec.VuogEQ (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep multiqueue0:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0
Target Context                unconfined_u:object_r:gstreamer_home_t:s0
Target Objects                /home/GoinEasy9/.orc/orcexec.VuogEQ (deleted) [ file ]
Source                        multiqueue0:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           totem-mozplugin-3.4.2-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-129.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 10 Jun 2012 01:03:57 AM EDT
Last Seen                     Sun 10 Jun 2012 01:03:57 AM EDT
Local ID                      3947a156-4cd0-412a-938c-cc4028b1644a

Raw Audit Messages
type=AVC msg=audit(1339304637.932:105): avc:  denied  { execute } for  pid=3900 comm="multiqueue0:src" path=2F686F6D652F476F696E45617379392F2E6F72632F6F7263657865632E56756F674551202864656C6574656429 dev="sda4" ino=9044557 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:object_r:gstreamer_home_t:s0 tclass=file


type=SYSCALL msg=audit(1339304637.932:105): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=10000 a2=5 a3=1 items=0 ppid=1 pid=3900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=multiqueue0:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0 key=(null)

Hash: multiqueue0:src,mozilla_plugin_t,gstreamer_home_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

-------------------------------------------------------------------------------------------------

I expect mozilla addons to give me a problem occasionally with selinux, so, I didn't use the fix and shut down for the night.

Upon booting up in the morning and entering my password in the KDE login screen, there is a noticeable 20 to 30 second pause before the login proceeds.  I am met with a systemd-logind AVC error.  I've noticed the lag the last few times I've rebooted.

-------------------------------------------------------------------------------------------------

SELinux is preventing /usr/lib/systemd/systemd-logind from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-logind should be allowed signal access on processes labeled initrc_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                 [ process ]
Source                        systemd-logind
Source Path                   /usr/lib/systemd/systemd-logind
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           systemd-44-12.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-129.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 10 Jun 2012 01:30:20 AM EDT
Last Seen                     Sun 10 Jun 2012 01:30:20 AM EDT
Local ID                      9637738a-5b71-445d-b282-567a9604ed65

Raw Audit Messages
type=AVC msg=audit(1339306220.651:112): avc:  denied  { signal } for  pid=630 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process


type=SYSCALL msg=audit(1339306220.651:112): arch=x86_64 syscall=kill success=no exit=EACCES a0=2fa a1=12 a2=d a3=12 items=0 ppid=1 pid=630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)

Hash: systemd-logind,systemd_logind_t,initrc_t,process,signal

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

-----------------------------------------------------------------------------------------------

Once logged in, everything appears to be running smoothly, until updatedb is accessed.

-----------------------------------------------------------------------------------------------


SELinux is preventing /usr/bin/updatedb from search access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed search access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           mlocate-0.25-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-129.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Thu 07 Jun 2012 12:30:07 PM EDT
Last Seen                     Sun 10 Jun 2012 12:47:10 PM EDT
Local ID                      876e91fc-0673-46f8-99e7-4225f7994888

Raw Audit Messages
type=AVC msg=audit(1339346830.812:112): avc:  denied  { search } for  pid=5378 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339346830.812:112): arch=x86_64 syscall=chdir success=no exit=EACCES a0=127b7a9 a1=0 a2=7fff5b40a670 a3=0 items=0 ppid=5372 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,gnomeclock_t,dir,search

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

---------------------------------------------------------------------------------------------

Then, running krusader to look at logs, another AVC error, and the cycle continues.

---------------------------------------------------------------------------------------------


SELinux is preventing /usr/bin/krusader from write access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that krusader should be allowed write access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krusader /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        krusader
Source Path                   /usr/bin/krusader
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           krusader-2.4.0-0.4.beta1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-129.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   52
First Seen                    Sun 10 Jun 2012 12:17:37 AM EDT
Last Seen                     Sun 10 Jun 2012 12:53:36 PM EDT
Local ID                      4bf7ebc0-846c-4760-afd1-be75e5417a4b

Raw Audit Messages
type=AVC msg=audit(1339347216.624:133): avc:  denied  { write } for  pid=6260 comm="krusader" name=".kde" dev="sda3" ino=1700610 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339347216.624:133): arch=x86_64 syscall=access success=no exit=EACCES a0=1f1c228 a1=2 a2=200 a3=2f items=0 ppid=6257 pid=6260 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=krusader exe=/usr/bin/krusader subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

Hash: krusader,unconfined_t,gnomeclock_t,dir,write

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

----------------------------------------------------------------------------------------------

Whole messages file after discovering updatedb AVC error and opening krusader-root to look at logs:

----------------------------------------------------------------------------------------------

Jun 10 12:47:02 fedora17kde64 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="703" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Jun 10 12:47:11 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. For complete SELinux messages. run sealert -l 876e91fc-0673-46f8-99e7-4225f7994888
Jun 10 12:49:34 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Jun 10 12:49:34 fedora17kde64 dbus[672]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Jun 10 12:49:34 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Jun 10 12:49:34 fedora17kde64 dbus[672]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 10 12:53:14 fedora17kde64 dbus[672]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: Launching FprintObject
Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 10 12:53:14 fedora17kde64 dbus[672]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: ** Message: entering main loop
Jun 10 12:53:35 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:36 fedora17kde64 rsyslogd-2177: imuxsock begins to drop messages from pid 6018 due to rate-limiting
Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:37 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b
Jun 10 12:53:37 fedora17kde64 rsyslogd-2177: imuxsock begins to drop messages from pid 2072 due to rate-limiting
Jun 10 12:53:45 fedora17kde64 dbus-daemon[672]: ** Message: No devices in use, exit
Jun 10 12:53:59 fedora17kde64 rsyslogd-2177: imuxsock lost 616 messages from pid 6018 due to rate-limiting
Jun 10 12:53:59 fedora17kde64 rsyslogd-2177: imuxsock lost 75 messages from pid 2072 due to rate-limiting

----------------------------------------------------------------------------------------------

Just an FYI.  This is a straightforward Fedora 17 KDE 64 bit fresh install.  While I do have adobe for flash and google repos for chrome, earth and talkplugin, everything else comes straight from fedora repos (and the rpmfusion repos).  I run with updates-testing enabled.

I put up this box to test the UEFI install and have not written to any root files manually, I've just used krusader to look at how things are set up.  I don't have any development applications, or have even set up KVM on this machine so far.

I'm puzzled why, after running 32 bit with selinux enabled with only minor problems since F15, this install would be so problematic, and why, after multiple relabelings, the problem reappears.  I'm still searching my logs to see if I can find something.

I'm attaching the messages file that goes back to June 3rd, when I enabled SELinux.
Comment 6 GoinEasy9 2012-06-10 14:42:18 EDT
Created attachment 590777 [details]
messages-20120610
Comment 7 Daniel Walsh 2012-06-11 09:35:11 EDT
Where is .kde located? ls -lZd .kde?

The thumb avc is being addressed in 

https://bugzilla.redhat.com/show_bug.cgi?id=827128

What process is running as initrc_t?

ps -eZ | grep initrc_t
Comment 8 GoinEasy9 2012-06-13 15:11:40 EDT
Sorry for the delay.

I installed version -130, relabeled, and these are the answers to your 2 questions:

[GoinEasy9@fedora17kde64 ~]$ ls -lZd .kde
drwx------. GoinEasy9 GoinEasy9 unconfined_u:object_r:config_home_t:s0 .kde
[GoinEasy9@fedora17kde64 ~]$ ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0     683 ?        00:00:00 kdm
system_u:system_r:initrc_t:s0     759 ?        00:00:00 kdm

I haven't received an AVC error yet, even though I opened krusader, which accesses the .kde folder.  I'll post later after using the machine a while.

One thing I've noticed:
The contents of my /etc/selinux/targeted/contexts/file_contexts.local file read:

# This file is auto-generated by libsemanage
# Do not edit directly.

/.kde/share/config    system_u:object_r:config_usr_t:s0
/.kde    system_u:object_r:gnomeclock_t:s0

There's the gnomeclock_t label, even after relabeling.  I'm not proficient enough in SELinux to track down why it's still there, but, with earlier experiments, I know that after deleting the bottom line, it will reappear.

I also tracked down why this might have happened.  I booted a Live CD of another distribution, which changed the date & time on my motherboard.  Upon rebooting into Fedora, I got an AVC error when I tried to restore the date using KDE settings.  It was at this point where I probably used semanage, but don't remember the exact command I used.  I was given a whole list of different labels to use, and chose the wrong one.

Is there any way to completely wipe the damaged labels and start anew?  I was under the impression that autorelabel did that.

Thanks again for your help.
Comment 9 Miroslav Grepl 2012-06-15 07:27:06 EDT
So did you try to do relabel?
Comment 10 GoinEasy9 2012-06-15 14:46:39 EDT
As mentioned above, I have executed the relabel, multiple times.

It's been app. 48 hours since the last relabel.  I'm presently running selinux-policy-3.10.0-130.fc17.noarch and haven't had a .kde AVC error since the last relabel.

I have an okular mozilla_plugin error, and my login is pausing for 20 to 30 seconds after hitting enter, which doesn't happen if selinux is disabled.

I'll get back if the .kde and gnomeclock error appears again.  I'll put okular and logind errors in their own bugzilla entries.
Comment 11 GoinEasy9 2012-06-15 16:17:29 EDT
Oh well, I guess it didn't fix the .kde problem.  Computer was left running for about an hour on its own, and when I returned, an AVC error was in notifications.  Same as before:

SELinux is preventing /usr/bin/updatedb from search access on the directory .kde.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that updatedb should be allowed search access on the .kde directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep updatedb /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:locate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:gnomeclock_t:s0
Target Objects                .kde [ dir ]
Source                        updatedb
Source Path                   /usr/bin/updatedb
Port                          <Unknown>
Host                          fedora17kde64
Source RPM Packages           mlocate-0.25-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora17kde64
Platform                      Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun
                              Jun 3 06:35:17 UTC 2012 x86_64 x86_64
Alert Count                   5
First Seen                    Thu 07 Jun 2012 12:30:07 PM EDT
Last Seen                     Fri 15 Jun 2012 03:10:08 PM EDT
Local ID                      876e91fc-0673-46f8-99e7-4225f7994888

Raw Audit Messages
type=AVC msg=audit(1339787408.564:90): avc:  denied  { search } for  pid=5774 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir


type=SYSCALL msg=audit(1339787408.564:90): arch=x86_64 syscall=chdir success=no exit=EACCES a0=ca47a9 a1=0 a2=7fff4a98d300 a3=61632f65646b2e2f items=0 ppid=5768 pid=5774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null)

Hash: updatedb,locate_t,gnomeclock_t,dir,search

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied
Comment 12 Daniel Walsh 2012-06-15 16:21:24 EDT
Can you locate the directory that is labeled gnomeclock named .kde?

ls -lZd /.kde /root/.kde or ~/.kde
Comment 13 GoinEasy9 2012-06-16 19:58:13 EDT
[root@fedora17kde64 GoinEasy9]# ls -lZd /.kde
drwxr-xr-x. root root system_u:object_r:gnomeclock_t:s0 /.kde

[root@fedora17kde64 GoinEasy9]# ls -lZd /root/.kde
drwx------. root root system_u:object_r:config_home_t:s0 /root/.kde

[root@fedora17kde64 GoinEasy9]# ls -lZd /home/GoinEasy9/.kde
drwx------. GoinEasy9 GoinEasy9 unconfined_u:object_r:config_home_t:s0 /home/GoinEasy9/.kde

Ah, it's the "/" .kde that's labeled gnomeclock.  At least now I see why Krusader-Root mode is getting the errors.
Comment 14 Miroslav Grepl 2012-06-18 12:30:56 EDT
And could you also add your output of

# grep -r gnomeclock /etc/selinux/targeted/contexts/files/



I have a suspicion it could be caused by a KDE issue which we have together with gnomeclock.
Comment 15 Daniel Walsh 2012-06-18 16:32:12 EDT
GoinEasy9  

rm -rf /.kde

You should not have this directory, it is caused by a bug in kde.  I have no idea why it gets labeled as gnomeclock_t.
Comment 16 GoinEasy9 2012-06-18 22:49:16 EDT
Just in case it's helpful:

[root@fedora17kde64 GoinEasy9]# grep -r gnomeclock /etc/selinux/targeted/contexts/files/
/etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/kde(3|4)/kcmdatetimehelper      --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/gsd-datetime-mechanism  --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/gnome-clock-applet-mechanism    --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde    system_u:object_r:gnomeclock_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/kde(3|4)/kcmdatetimehelper  --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/gsd-datetime-mechanism      --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/gnome-clock-applet-mechanism        --      system_u:object_r:gnomeclock_exec_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.local:/.kde    system_u:object_r:gnomeclock_t:s0

And heh, /.kde doesn't want to leave:

[root@fedora17kde64 GoinEasy9]# rm -rf /.kde
rm: cannot remove `/.kde/socket-fedora17kde64': Permission denied
rm: cannot remove `/.kde/cache-fedora17kde64': Permission denied
rm: cannot remove `/.kde/tmp-fedora17kde64': Permission denied
rm: cannot remove `/.kde/share': Permission denied

I'll try init 1 or a rescue cd; something's holding access to those files, and I'm not technical enough to know what that is.
Comment 17 GoinEasy9 2012-06-18 23:12:01 EDT
Well, I got rid of /.kde, let's see how that works.  I thought that a .kde folder in root was odd, but, as much as I try, I can't keep up with all the changes.

Thanks for the instructions.
Comment 18 Miroslav Grepl 2012-06-22 04:50:17 EDT
The problem is 

/etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde    system_u:object_r:gnomeclock_t:s0


Also remove this line. I guess you ran

# semanage fcontext ....

I hope KDE will fix these issues soon.
Comment 19 GoinEasy9 2012-06-22 22:56:49 EDT
I was able to remove /etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde system_u:object_r:gnomeclock_t:s0

Before removing /.kde, the line always came back, now it doesn't.

And yes, you are correct, I do remember using # semanage fcontext at one point.

At this point AVC errors are gone, and, I also hope KDE will fix the issues.

Thank you again for the help.
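The thread above resolves an AVC by finding a mislabeled directory (a stray /.kde carrying gnomeclock_t via a leftover `semanage fcontext` rule) rather than by running the `audit2allow` commands the alert suggests. The script below is an added example, not part of the bug report or of setroubleshoot: it pulls the fields out of a raw AVC record (the sample line is copied from the alert above), derives source and target types, and prints the checks a practitioner would run before deciding between a relabel and a policy change. The function names, the `find`/`matchpathcon`/`semanage fcontext -l -C` sequence, and the `<path>` placeholders are this example's own assumptions about how to triage; it does not run `semanage` itself.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an SELinux AVC denial by
# extracting its fields and listing the label checks to run before touching
# policy. Only SAMPLE_AVC is taken from the page; the rest is assumed here.

# Constructed input: the raw AVC record as printed in the alert above.
SAMPLE_AVC='type=AVC msg=audit(1339787408.564:90): avc:  denied  { search } for  pid=5774 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=... in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | tr -d ' '
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_commands LINE -> the checks to run, as text (nothing is executed).
# Rule applied here (an assumption, not policy guidance from the page): first
# confirm the object's label matches what the policy expects for its path;
# only if it does is a local allow rule via audit2allow even a candidate.
triage_commands() {
    line=$1
    perm=$(avc_perm "$line")
    tclass=$(avc_field "$line" tclass)
    name=$(avc_field "$line" name)
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    printf '%s\n' \
        "# AVC: $stype denied '$perm' on $tclass '$name' labeled $ttype" \
        "# 1. Find every object with that name and show its actual label:" \
        "find / -xdev -name '$name' -exec ls -dZ {} +" \
        "# 2. Compare with the label the policy expects for that path:" \
        "matchpathcon <path>" \
        "# 3. Check for a local fcontext rule that assigned $ttype (the cause in this report):" \
        "semanage fcontext -l -C | grep $ttype" \
        "# 4. If a local rule is the cause, remove it and relabel; do not widen $stype with audit2allow:" \
        "semanage fcontext -d '<path>'" \
        "restorecon -Rv <path>" \
        "# 5. Only if the label is correct for the path, consider a local module:" \
        "grep $(avc_field "$line" comm) /var/log/audit/audit.log | audit2allow -M mypol"
}

triage_commands "$SAMPLE_AVC"
```

For the record in this thread the script resolves the target type to gnomeclock_t and the source to locate_t, and step 3 is the one that would have surfaced the `/.kde system_u:object_r:gnomeclock_t:s0` line from file_contexts.local; the `audit2allow` module suggested by the alert would instead have added an `allow locate_t gnomeclock_t:dir search` rule and hidden the mislabel.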
