This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 855676 - SELinux is preventing /usr/bin/pkcon from 'execute' accesses on the file /usr/bin/pkcon.
SELinux is preventing /usr/bin/pkcon from 'execute' accesses on the file /usr...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:dc004e14879953a0f419e734150...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-09 17:16 EDT by Malcolm Parker
Modified: 2012-11-19 21:57 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-11-19 21:57:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Malcolm Parker 2012-09-09 17:16:39 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.9-1.fc16.x86_64
time:           Sun 09 Sep 2012 05:16:04 PM EDT

description:
:SELinux is preventing /usr/bin/pkcon from 'execute' accesses on the file /usr/bin/pkcon.
:
:*****  Plugin leaks (86.2 confidence) suggests  ******************************
:
:If you want to ignore pkcon trying to execute access the pkcon file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /usr/bin/pkcon /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (14.7 confidence) suggests  ***************************
:
:If you believe that pkcon should be allowed execute access on the pkcon file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep pkcon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:jockey_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:bin_t:s0
:Target Objects                /usr/bin/pkcon [ file ]
:Source                        pkcon
:Source Path                   /usr/bin/pkcon
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           PackageKit-0.6.22-2.fc16.x86_64
:Target RPM Packages           PackageKit-0.6.22-2.fc16.x86_64
:Policy RPM                    selinux-policy-3.10.0-91.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.9-1.fc16.x86_64 #1 SMP Wed Aug
:                              15 20:45:23 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    Sun 09 Sep 2012 04:59:04 PM EDT
:Last Seen                     Sun 09 Sep 2012 05:15:10 PM EDT
:Local ID                      8ab50886-229b-488b-b0b8-4a0e1961df60
:
:Raw Audit Messages
:type=AVC msg=audit(1347225310.105:144): avc:  denied  { execute } for  pid=22196 comm="jockey-backend" name="pkcon" dev="dm-1" ino=136346 scontext=system_u:system_r:jockey_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
:
:
:type=AVC msg=audit(1347225310.105:144): avc:  denied  { read open } for  pid=22196 comm="jockey-backend" name="pkcon" dev="dm-1" ino=136346 scontext=system_u:system_r:jockey_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
:
:
:type=AVC msg=audit(1347225310.105:144): avc:  denied  { execute_no_trans } for  pid=22196 comm="jockey-backend" path="/usr/bin/pkcon" dev="dm-1" ino=136346 scontext=system_u:system_r:jockey_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1347225310.105:144): arch=x86_64 syscall=execve success=yes exit=0 a0=260e2d0 a1=26103d0 a2=7fff95a651a8 a3=20 items=0 ppid=1826 pid=22196 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pkcon exe=/usr/bin/pkcon subj=system_u:system_r:jockey_t:s0-s0:c0.c1023 key=(null)
:
:Hash: pkcon,jockey_t,bin_t,file,execute
:
:audit2allow
:
:#============= jockey_t ==============
:allow jockey_t bin_t:file { read execute open execute_no_trans };
:
:audit2allow -R
:
:#============= jockey_t ==============
:allow jockey_t bin_t:file { read execute open execute_no_trans };
:
Comment 1 Miroslav Grepl 2012-09-10 02:18:50 EDT
Fixed in selinux-policy-3.10.0-92.fc16.noarch
Comment 2 Fedora Update System 2012-11-13 13:29:39 EST
selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-96.fc16
Comment 3 Fedora Update System 2012-11-14 21:42:44 EST
Package selinux-policy-3.10.0-96.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18243/selinux-policy-3.10.0-96.fc16
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-11-19 21:57:52 EST
selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.