Created attachment 623159 [details]
File: type

Created attachment 623160 [details]
File: hashmarkername

Adam,
what were you doing with s-c-kdump to get all these AVC msgs?


Bugs: 863867,863868,863869,863870,863873,863865 and 863875


#============= kdumpgui_t ==============
allow kdumpgui_t xdm_etc_t:dir getattr;

allow kdumpgui_t self:capability { dac_read_search dac_override };
allow kdumpgui_t shadow_t:file getattr;

allow kdumpgui_t urandom_device_t:chr_file read;

allow kdumpgui_t self:capability sys_nice;
allow kdumpgui_t self:process setsched;

allow kdumpgui_t mysqld_etc_t:file read;
allow kdumpgui_t sysctl_net_t:dir search;


I don't see them.

*** Bug 863867 has been marked as a duplicate of this bug. ***

*** Bug 863868 has been marked as a duplicate of this bug. ***

*** Bug 863869 has been marked as a duplicate of this bug. ***

*** Bug 863873 has been marked as a duplicate of this bug. ***

*** Bug 863865 has been marked as a duplicate of this bug. ***

*** Bug 863875 has been marked as a duplicate of this bug. ***

SELinux threw this issue every time I simply start system-config-kdump. I do not even get a chance to do anything within the GUI.

Roman,
any idea? Any chance you also get them?

I wasn't able to install F18 so far, but will try it again.

ok, now I have it running.
I don't have any idea why is python trying to sigkill anything. Maybe it is some consequences of other denies.
I also see the following deny:
type=AVC msg=audit(1349696729.914:181): avc:  denied  { getattr } for  pid=4053 comm="chkconfig" path="/usr/lib/systemd/systemd" dev="vda3" ino=260011 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1349696729.914:181): arch=c000003e syscall=6 success=no exit=-13 a0=1597410 a1=7fffe239d340 a2=7fffe239d340 a3=1000 items=0 ppid=3892 pid=4053 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chkconfig" exe="/usr/sbin/chkconfig" subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null)

s-c-kdump is using chkconfig.

The other denies (which I don't get) seems to be some kind of problem with starting python. I can see one similar:
type=AVC msg=audit(1349697557.379:185): avc:  denied  { ioctl } for  pid=4122 comm="system-config-k" path="/dev/urandom" dev="devtmpfs" ino=4507 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1349697557.379:185): arch=c000003e syscall=16 success=no exit=-22 a0=8 a1=5401 a2=7fff891a0de0 a3=238 items=0 ppid=4121 pid=4122 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="system-config-k" exe="/usr/bin/python2.7" subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null)

Does kdumpgui run netstat?

no

I know there used to be a library of mozilla? That used to exec netstat to generate randomness.

But s-c-kdump has nothing to do with mozilla anyway.
When I'm trying s-c-kdump I'm not getting such deny.

I am talking about the NSS crypto libraries.

@Roman I suppose that it is strange that you are not getting this denial on your system. I am still getting it upon starting system-config-kdump in the terminal even after several days of updates. Is there any additional information from my system that I can provide to help.

Adam

rpm -q selinux-policy

ausearch -m avc -ts recent

Sorry it took so long to respond to this bug. I just tonight re-installed and updated fully Fedora 18 on the system in question. Without doing much, I installed system-config-kdump and ran it. Again, I was presented with several SELinux denials. One is on /usr/bin/python2.7, the others are on /usr/sbin/grubby. I thought perhaps some of the previous test day work was effecting this issue falsely. Apparently, this is not the case.

@Daniel Walsh, per your request above.

# rpm -q selinux-policy
selinux-policy-3.11.1-36.fc18.noarch

# ausearch -m avc -ts recent
(Please see my new attachment to this bug report.)

Since I am rather new on the scene, I will just ask the question. Should I open new bug reports on the 'grubby' denials shown?

Created attachment 627924 [details]
Output of ausearch -m avc -ts recent directly after s-c-kdump SELinux denials

This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.