Description of problem: SELinux alert F17 KDE x86-64 UEFI install Version-Release number of selected component (if applicable): selinux-policy-3.10.0-128.fc17.noarch How reproducible: Steps to Reproduce: 1. AVC notification appears on panel at random times 2. 3. Actual results: Expected results: Additional info: SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that updatedb should be allowed search access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep updatedb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:locate_t:s0-s0:c0.c1023 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source updatedb Source Path /usr/bin/updatedb Port <Unknown> Host fedora17kde64 Source RPM Packages mlocate-0.25-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-128.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen Thu 07 Jun 2012 12:30:07 PM EDT Last Seen Thu 07 Jun 2012 12:30:07 PM EDT Local ID 876e91fc-0673-46f8-99e7-4225f7994888 Raw Audit Messages type=AVC msg=audit(1339086607.244:70): avc: denied { search } for pid=3378 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339086607.244:70): arch=x86_64 syscall=chdir success=no exit=EACCES a0=b627a9 a1=0 a2=7fffbd207250 a3=0 items=0 ppid=3372 pid=3378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null) Hash: updatedb,locate_t,gnomeclock_t,dir,search audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
This looks like someone put a label of gnomeclock_t on a directory. This is a process label and should never be on a file. touch /.autorelabel; reboot Your machine is badly mislabeled. If you put this label on the machine your self, did you use the semanage command?
Thanks Dan. I usually just follow the fixes in the "Details" when I get an AVC noticiation. Although, an semanage command may have been in one of the fixes, I may have copy/pasted it incorrectly. I did however, use the touch ./autorelabel; reboot fix before this, but the AVC errors returned. I did just run touch ./autorelabel; reboot again, so, instead of waiting till I get frustrated, I'll report the problem first before trying the next fix myself. Hopefully, after this autorelabel, it will be fixed. FYI - This install was done using UEFI mode on an ASUS Sabertooth motherboard. I had to turn SELinux off to do the install because an error came up complaining that is couldn't label a file in the FAT16 partition used for the ESP. When I noticed SELinux was not enabled, I changed the line in /etc/selinux/config to enforcing and rebooted. It seemed to complete the labeling without a problem. Thanks again
Ok very strange that you would get a process label on a directory.
So, 24 hours without an AVC notification, then, after using the computer for about a half an hour, I get the notification icon, and, I see gnomeclock_t in the Hash within the details. SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that updatedb should be allowed search access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep updatedb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:locate_t:s0-s0:c0.c1023 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source updatedb Source Path /usr/bin/updatedb Port <Unknown> Host fedora17kde64 Source RPM Packages mlocate-0.25-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-128.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 2 First Seen Thu 07 Jun 2012 12:30:07 PM EDT Last Seen Sat 09 Jun 2012 07:24:08 PM EDT Local ID 876e91fc-0673-46f8-99e7-4225f7994888 Raw Audit Messages type=AVC msg=audit(1339284248.978:70): avc: denied { search } for pid=3606 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339284248.978:70): arch=x86_64 syscall=chdir success=no exit=EACCES a0=8ce7a9 a1=0 a2=7fffbd456470 a3=0 items=0 ppid=3600 pid=3606 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null) Hash: updatedb,locate_t,gnomeclock_t,dir,search audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied I did notice the Hard Disk light working, I guess it was looking for updates, just before the notification appeared. I did do an update and a reboot before shutting down last night. No notification at that time. I opened up Krusader to see what updates came in last night and got another AVC error: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that krusader should be allowed write access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep krusader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source krusader Source Path /usr/bin/krusader Port <Unknown> Host fedora17kde64 Source RPM Packages krusader-2.4.0-0.4.beta1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-128.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 19 First Seen Thu 07 Jun 2012 02:07:40 PM EDT Last Seen Sat 09 Jun 2012 07:35:43 PM EDT Local ID f5f2f0f1-a567-4b9f-8614-660f28a1a868 Raw Audit Messages type=AVC msg=audit(1339284943.186:91): avc: denied { write } for pid=4489 comm="krusader" name=".kde" dev="sda3" ino=1700610 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339284943.186:91): arch=x86_64 syscall=access success=no exit=EACCES a0=2733758 a1=2 a2=200 a3=2f items=0 ppid=4486 pid=4489 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=krusader exe=/usr/bin/krusader subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Hash: krusader,unconfined_t,gnomeclock_t,dir,write audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied I also noticed when opening up mypol.pp that gnomeclock_t is visible in that file. Is it safe to remove mypol.pp and mypole.te before doing another relabel? It probably is, but, I'd like an affirmation from you. This is what's written in the mypol.te file: module mypol 1.0; require { type gnomeclock_t; type locate_t; class dir getattr; } #============= locate_t ============== allow locate_t gnomeclock_t:dir getattr; I only just starting to understand the labeling, but, this doesn't look right to me.
OK, I couldn't wait, so, I moved the mypol* files out of the way, downloaded the most recent selinux-policy, selinux-policy-targeted and selinux-policy-devel from koji. Did a touch ./autorelabel and a reboot. Went into krusader, had no AVC errors. Worked on gmail with Firefox, browsed reddit, looked at some videos linked to on Google+, then first AVC error. ----------------------------------------------------------------------------------------------- SELinux is preventing /usr/libexec/totem-plugin-viewer from execute access on the file /home/GoinEasy9/.orc/orcexec.VuogEQ (deleted). ***** Plugin catchall (100. confidence) suggests *************************** If you believe that totem-plugin-viewer should be allowed execute access on the orcexec.VuogEQ (deleted) file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep multiqueue0:src /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0 Target Context unconfined_u:object_r:gstreamer_home_t:s0 Target Objects /home/GoinEasy9/.orc/orcexec.VuogEQ (deleted) [ file ] Source multiqueue0:src Source Path /usr/libexec/totem-plugin-viewer Port <Unknown> Host fedora17kde64 Source RPM Packages totem-mozplugin-3.4.2-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-129.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 2 First Seen Sun 10 Jun 2012 01:03:57 AM EDT Last Seen Sun 10 Jun 2012 01:03:57 AM EDT Local ID 3947a156-4cd0-412a-938c-cc4028b1644a Raw Audit Messages type=AVC msg=audit(1339304637.932:105): avc: denied { execute } for pid=3900 comm="multiqueue0:src" path=2F686F6D652F476F696E45617379392F2E6F72632F6F7263657865632E56756F674551202864656C6574656429 dev="sda4" ino=9044557 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:object_r:gstreamer_home_t:s0 tclass=file type=SYSCALL msg=audit(1339304637.932:105): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=10000 a2=5 a3=1 items=0 ppid=1 pid=3900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=multiqueue0:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0 key=(null) Hash: multiqueue0:src,mozilla_plugin_t,gstreamer_home_t,file,execute audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied ------------------------------------------------------------------------------------------------- I expect mozilla addons to give me a problem occasionally with selinux, so, I didn't use the fix and shut down for the night. Upon booting up in the morning. Entering my password in the KDE login screen there is a noticable 20 to 30 second pause before the login procedes. I am met with a systemd-logind AVC error. I've noticed the lag the last few times I've rebooted. ------------------------------------------------------------------------------------------------- SELinux is preventing /usr/lib/systemd/systemd-logind from using the signal access on a process. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that systemd-logind should be allowed signal access on processes labeled initrc_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_logind_t:s0 Target Context system_u:system_r:initrc_t:s0 Target Objects [ process ] Source systemd-logind Source Path /usr/lib/systemd/systemd-logind Port <Unknown> Host fedora17kde64 Source RPM Packages systemd-44-12.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-129.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen Sun 10 Jun 2012 01:30:20 AM EDT Last Seen Sun 10 Jun 2012 01:30:20 AM EDT Local ID 9637738a-5b71-445d-b282-567a9604ed65 Raw Audit Messages type=AVC msg=audit(1339306220.651:112): avc: denied { signal } for pid=630 comm="systemd-logind" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process type=SYSCALL msg=audit(1339306220.651:112): arch=x86_64 syscall=kill success=no exit=EACCES a0=2fa a1=12 a2=d a3=12 items=0 ppid=1 pid=630 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) Hash: systemd-logind,systemd_logind_t,initrc_t,process,signal audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied ----------------------------------------------------------------------------------------------- Once logged in, everything appears to be running smoothly, until updatedb is accessed. ----------------------------------------------------------------------------------------------- SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that updatedb should be allowed search access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep updatedb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:locate_t:s0-s0:c0.c1023 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source updatedb Source Path /usr/bin/updatedb Port <Unknown> Host fedora17kde64 Source RPM Packages mlocate-0.25-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-129.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 3 First Seen Thu 07 Jun 2012 12:30:07 PM EDT Last Seen Sun 10 Jun 2012 12:47:10 PM EDT Local ID 876e91fc-0673-46f8-99e7-4225f7994888 Raw Audit Messages type=AVC msg=audit(1339346830.812:112): avc: denied { search } for pid=5378 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339346830.812:112): arch=x86_64 syscall=chdir success=no exit=EACCES a0=127b7a9 a1=0 a2=7fff5b40a670 a3=0 items=0 ppid=5372 pid=5378 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null) Hash: updatedb,locate_t,gnomeclock_t,dir,search audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied --------------------------------------------------------------------------------------------- Then, running krusader to look at logs, another AVC error, and the cycle continues. --------------------------------------------------------------------------------------------- SELinux is preventing /usr/bin/krusader from write access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that krusader should be allowed write access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep krusader /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source krusader Source Path /usr/bin/krusader Port <Unknown> Host fedora17kde64 Source RPM Packages krusader-2.4.0-0.4.beta1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-129.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 52 First Seen Sun 10 Jun 2012 12:17:37 AM EDT Last Seen Sun 10 Jun 2012 12:53:36 PM EDT Local ID 4bf7ebc0-846c-4760-afd1-be75e5417a4b Raw Audit Messages type=AVC msg=audit(1339347216.624:133): avc: denied { write } for pid=6260 comm="krusader" name=".kde" dev="sda3" ino=1700610 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339347216.624:133): arch=x86_64 syscall=access success=no exit=EACCES a0=1f1c228 a1=2 a2=200 a3=2f items=0 ppid=6257 pid=6260 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=krusader exe=/usr/bin/krusader subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) Hash: krusader,unconfined_t,gnomeclock_t,dir,write audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied ---------------------------------------------------------------------------------------------- Whole messages file after discovering updatedb AVC error and openinging krusader-root to look at logs: ---------------------------------------------------------------------------------------------- Jun 10 12:47:02 fedora17kde64 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="703" x-info="http://www.rsyslog.com"] rsyslogd was HUPed Jun 10 12:47:11 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. For complete SELinux messages. run sealert -l 876e91fc-0673-46f8-99e7-4225f7994888 Jun 10 12:49:34 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper) Jun 10 12:49:34 fedora17kde64 dbus[672]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper) Jun 10 12:49:34 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper' Jun 10 12:49:34 fedora17kde64 dbus[672]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper' Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper) Jun 10 12:53:14 fedora17kde64 dbus[672]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper) Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: Launching FprintObject Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: dbus[672]: [system] Successfully activated service 'net.reactivated.Fprint' Jun 10 12:53:14 fedora17kde64 dbus[672]: [system] Successfully activated service 'net.reactivated.Fprint' Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: ** Message: D-Bus service launched with name: net.reactivated.Fprint Jun 10 12:53:14 fedora17kde64 dbus-daemon[672]: ** Message: entering main loop Jun 10 12:53:35 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:36 fedora17kde64 rsyslogd-2177: imuxsock begins to drop messages from pid 6018 due to rate-limiting Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:36 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:37 fedora17kde64 setroubleshoot: SELinux is preventing /usr/bin/krusader from write access on the directory .kde. For complete SELinux messages. run sealert -l 4bf7ebc0-846c-4760-afd1-be75e5417a4b Jun 10 12:53:37 fedora17kde64 rsyslogd-2177: imuxsock begins to drop messages from pid 2072 due to rate-limiting Jun 10 12:53:45 fedora17kde64 dbus-daemon[672]: ** Message: No devices in use, exit Jun 10 12:53:59 fedora17kde64 rsyslogd-2177: imuxsock lost 616 messages from pid 6018 due to rate-limiting Jun 10 12:53:59 fedora17kde64 rsyslogd-2177: imuxsock lost 75 messages from pid 2072 due to rate-limiting ---------------------------------------------------------------------------------------------- Just an FYI. This is a straightforward Fedora 17 KDE 64 bit fresh install. While I do have adobe for flash and google repos for chrome, earth and talkplugin, everything else comes straight from fedora repos (and the rpmfusion repos). I run with updates-testing enabled. I put up this box to test the UEFI install and have not written to any root files manually, I've just used krusader to look at how things are set up. I don't have any developement applications, or have even set up KVM on this machine so far. I'm puzzled why, after running 32 bit with selinux enabled with only minor problems since F15, that this install would be so problematic, and why, after multiple relabelings, the problem reappears. I'm still searching my logs to see if i can find something. I'm attaching the messages file that goes back to June 3rd, when I enabled SELinux.
Created attachment 590777 [details] messages-20120610
Where is .kde located? ls -lZd .kde? The thumb avc is being addressed in https://bugzilla.redhat.com/show_bug.cgi?id=827128 What process is running as initrc_t? ps -eZ | grep initrc_t
Sorry for the delay. I install version -130, relabeled, and these are the answers to your 2 questions: [GoinEasy9@fedora17kde64 ~]$ ls -lZd .kde drwx------. GoinEasy9 GoinEasy9 unconfined_u:object_r:config_home_t:s0 .kde [GoinEasy9@fedora17kde64 ~]$ ps -eZ | grep initrc_t system_u:system_r:initrc_t:s0 683 ? 00:00:00 kdm system_u:system_r:initrc_t:s0 759 ? 00:00:00 kdm I haven't recieved an AVC error yet, even though I opened krusader, which accesses the .kde folder. I'll post later after using the machine a while. One thing I've noticed: The contents of my /etc/selinux/targeted/contexts/file_contexts.local file read: # This file is auto-generated by libsemanage # Do not edit directly. /.kde/share/config system_u:object_r:config_usr_t:s0 /.kde system_u:object_r:gnomeclock_t:s0 There's the gnomeclock_t label, even after relabeling. I'm not proficient enough in SELinux to track down why it's still there, but, with earlier experiments, I know that deleteing the bottom line, it will reappear. I also tracked down why this might have happened. I booted a Live CD of another distribution, which changed the date & time on my motherboard. Upon rebooting into Fedora, I got an AVC error when I tried to restore the date using KDE settings. It was at this point where I probabaly used semanage, but don't remember the exact command I used. I was given a whole list of different labels to use, and, chose the wrong one. Is there anyway to completely wipe the damaged labels, and, start anew? I was under the impression that autorelabel did that. Thanks again for your help.
So did you try to do relabel?
As mentioned above, I have executed the relabel, multiple times. It's been app. 48 hours since the last relabel. I'm presently running selinux-policy-3.10.0-130.fc17.noarch and haven't had a .kde AVC error since the last relabel. I have an okular, mozilla_plugin error, and, my login is pausing for 20 to 30 seconds after hitting enter, which, doesn't happen if selinux is disabled. I'll get back if the .kde and gnomeclock error appears again. I'll put okular and logind errors in their own bugzilla entries.
Oh well, I guess it didn't fix the .kde problem. Computer was left running for about an hour on it's own, when I returned, an AVC error was in notifications. Same as before: SELinux is preventing /usr/bin/updatedb from search access on the directory .kde. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that updatedb should be allowed search access on the .kde directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep updatedb /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:locate_t:s0-s0:c0.c1023 Target Context system_u:object_r:gnomeclock_t:s0 Target Objects .kde [ dir ] Source updatedb Source Path /usr/bin/updatedb Port <Unknown> Host fedora17kde64 Source RPM Packages mlocate-0.25-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-130.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora17kde64 Platform Linux fedora17kde64 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 x86_64 x86_64 Alert Count 5 First Seen Thu 07 Jun 2012 12:30:07 PM EDT Last Seen Fri 15 Jun 2012 03:10:08 PM EDT Local ID 876e91fc-0673-46f8-99e7-4225f7994888 Raw Audit Messages type=AVC msg=audit(1339787408.564:90): avc: denied { search } for pid=5774 comm="updatedb" name=".kde" dev="sda3" ino=1700610 scontext=system_u:system_r:locate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnomeclock_t:s0 tclass=dir type=SYSCALL msg=audit(1339787408.564:90): arch=x86_64 syscall=chdir success=no exit=EACCES a0=ca47a9 a1=0 a2=7fff4a98d300 a3=61632f65646b2e2f items=0 ppid=5768 pid=5774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=updatedb exe=/usr/bin/updatedb subj=system_u:system_r:locate_t:s0-s0:c0.c1023 key=(null) Hash: updatedb,locate_t,gnomeclock_t,dir,search audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
Can locate the directory that is labeled gnomeclock named .kde? ls -lZd /.kde /root/.kde or ~/.kde
[root@fedora17kde64 GoinEasy9]# ls -lZd /.kde drwxr-xr-x. root root system_u:object_r:gnomeclock_t:s0 /.kde [root@fedora17kde64 GoinEasy9]# ls -lZd /root/.kde drwx------. root root system_u:object_r:config_home_t:s0 /root/.kde [root@fedora17kde64 GoinEasy9]# ls -lZd /home/GoinEasy9/.kde drwx------. GoinEasy9 GoinEasy9 unconfined_u:object_r:config_home_t:s0 /home/GoinEasy9/.kde Ah, it's the "/" .kde that's labeled gnomeclock. At least now I see why Krusader-Root mode is getting the errors.
And could you also add your output of # grep -r gnomeclock /etc/selinux/targeted/contexts/files/ I have a suspicion it could be caused by KDE issue which we have together gnomeclock.
GoinEasy9 rm -rf /.kde You should not have this directory, it is caused by a bug in kde. I have no idea why it gets labeled as gnomeclock_t.
Just in case it's helpful: [root@fedora17kde64 GoinEasy9]# grep -r gnomeclock /etc/selinux/targeted/contexts/files/ /etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/kde(3|4)/kcmdatetimehelper -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/gsd-datetime-mechanism -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts:/usr/libexec/gnome-clock-applet-mechanism -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde system_u:object_r:gnomeclock_t:s0 /etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/kde(3|4)/kcmdatetimehelper -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/gsd-datetime-mechanism -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts.pre:/usr/libexec/gnome-clock-applet-mechanism -- system_u:object_r:gnomeclock_exec_t:s0 /etc/selinux/targeted/contexts/files/file_contexts.local:/.kde system_u:object_r:gnomeclock_t:s0 And heh, /.kde doesn't want to leave: [root@fedora17kde64 GoinEasy9]# rm -rf /.kde rm: cannot remove `/.kde/socket-fedora17kde64': Permission denied rm: cannot remove `/.kde/cache-fedora17kde64': Permission denied rm: cannot remove `/.kde/tmp-fedora17kde64': Permission denied rm: cannot remove `/.kde/share': Permission denied I'll try init 1 or a rescue cd, somethings holding access to those files, and, I'm not technical enough to know what that is.
Well, I got rid of /.kde, let's see how that works. I thought that a .kde folder in root was odd, but, as much as I try, I can't keep up with all the changes. Thanks for the instructions.
The problem is /etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde system_u:object_r:gnomeclock_t:s0 Also remove this line. I guess you ran # semanage fcontext .... I hope KDE will fix these issues soon.
I was able to remove /etc/selinux/targeted/contexts/files/file_contexts.local~:/.kde system_u:object_r:gnomeclock_t:s0 Before removing /.kde, the line always came back, now it doesn't. And yes, you are correct, I do remember using # semanage fcontext at one point. At this point AVC errors are gone, and, I also hope KDE will fix the issues. Thank you again for the help.