First Last Prev Next    This bug is not in your last search results.
Bug 865770 - SELinux is preventing /usr/libexec/mission-control-5 from 'create' accesses on the file accounts.cfg.619BMW.
SELinux is preventing /usr/libexec/mission-control-5 from 'create' accesses o...
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:14374cc0b61b633735ebe7fa7c2...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-12 08:08 EDT by Jeff Bastian
Modified: 2012-10-12 14:51 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-12 14:51:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-10-12 08:08 EDT, Jeff Bastian 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-10-12 08:08 EDT, Jeff Bastian 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jeff Bastian 2012-10-12 08:08:51 EDT 
Additional info:
libreport version: 2.0.14
kernel:         3.6.0-3.fc18.x86_64

description:
:SELinux is preventing /usr/libexec/mission-control-5 from 'create' accesses on the file accounts.cfg.619BMW.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that mission-control-5 should be allowed create access on the accounts.cfg.619BMW file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep mission-control /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:xdm_var_lib_t:s0
:Target Objects                accounts.cfg.619BMW [ file ]
:Source                        mission-control
:Source Path                   /usr/libexec/mission-control-5
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           telepathy-mission-control-5.14.0-1.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.0-3.fc18.x86_64 #1 SMP Wed Oct
:                              3 13:29:15 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-11 20:12:52 CDT
:Last Seen                     2012-10-11 20:12:52 CDT
:Local ID                      3cca8c84-be61-437a-a44d-834b8799c17d
:
:Raw Audit Messages
:type=AVC msg=audit(1350004372.548:155): avc:  denied  { create } for  pid=3281 comm="mission-control" name="accounts.cfg.619BMW" scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
:
:
:type=AVC msg=audit(1350004372.548:155): avc:  denied  { read write open } for  pid=3281 comm="mission-control" path="/var/lib/gdm/.local/share/telepathy/mission-control/accounts.cfg.619BMW" dev="dm-2" ino=2493975 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1350004372.548:155): arch=x86_64 syscall=open success=yes exit=ECHILD a0=a033e0 a1=c2 a2=1b6 a3=0 items=0 ppid=3280 pid=3281 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4 comm=mission-control exe=/usr/libexec/mission-control-5 subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: mission-control,xdm_dbusd_t,xdm_var_lib_t,file,create
:
:audit2allow
:
:#============= xdm_dbusd_t ==============
:#!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following types:
:# user_home_t, session_dbusd_tmp_t
:
:allow xdm_dbusd_t xdm_var_lib_t:file { read write create open };
:
:audit2allow -R
:
:#============= xdm_dbusd_t ==============
:#!!!! The source type 'xdm_dbusd_t' can write to a 'file' of the following types:
:# user_home_t, session_dbusd_tmp_t
:
:allow xdm_dbusd_t xdm_var_lib_t:file { read write create open };
:
Comment 1 Jeff Bastian 2012-10-12 08:08:56 EDT 
Created attachment 625919 [details]
File: type
Comment 2 Jeff Bastian 2012-10-12 08:08:58 EDT 
Created attachment 625920 [details]
File: hashmarkername
Comment 3 Jeff Bastian 2012-10-12 08:12:33 EDT 
I see a number of errors from mission-control-5 and related to accounts.cfg.*

SELinux is preventing /usr/libexec/mission-control-5 from 'getattr' accesses on the file /var/lib/gdm/.local/share/telepathy/mission-control/accounts.cfg.619BMW.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mission-control-5 should be allowed getattr access on the accounts.cfg.619BMW file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mission-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_lib_t:s0
Target Objects                /var/lib/gdm/.local/share/telepathy/mission-
                              control/accounts.cfg.619BMW [ file ]
Source                        mission-control
Source Path                   /usr/libexec/mission-control-5
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-mission-control-5.14.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-3.fc18.x86_64 #1 SMP Wed Oct
                              3 13:29:15 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-11 20:12:52 CDT
Last Seen                     2012-10-11 20:12:52 CDT
Local ID                      84f25b65-ff97-4705-8c47-8db52ce884c5

Raw Audit Messages
type=AVC msg=audit(1350004372.548:156): avc:  denied  { getattr } for  pid=3281 comm="mission-control" path="/var/lib/gdm/.local/share/telepathy/mission-control/accounts.cfg.619BMW" dev="dm-2" ino=2493975 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1350004372.548:156): arch=x86_64 syscall=fstat success=yes exit=0 a0=a a1=7fff33897270 a2=7fff33897270 a3=238 items=0 ppid=3280 pid=3281 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4 comm=mission-control exe=/usr/libexec/mission-control-5 subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: mission-control,xdm_dbusd_t,xdm_var_lib_t,file,getattr

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xdm_var_lib_t:file getattr;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xdm_var_lib_t:file getattr;
Comment 4 Jeff Bastian 2012-10-12 08:13:09 EDT 
Another:

SELinux is preventing /usr/libexec/mission-control-5 from 'remove_name' accesses on the directory accounts.cfg.619BMW.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mission-control-5 should be allowed remove_name access on the accounts.cfg.619BMW directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mission-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:xdm_var_lib_t:s0
Target Objects                accounts.cfg.619BMW [ dir ]
Source                        mission-control
Source Path                   /usr/libexec/mission-control-5
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-mission-control-5.14.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-3.fc18.x86_64 #1 SMP Wed Oct
                              3 13:29:15 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-11 20:12:52 CDT
Last Seen                     2012-10-11 20:12:52 CDT
Local ID                      ed47e010-e841-401a-88f1-433e8cd4d80b

Raw Audit Messages
type=AVC msg=audit(1350004372.548:157): avc:  denied  { remove_name } for  pid=3281 comm="mission-control" name="accounts.cfg.619BMW" dev="dm-2" ino=2493975 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=dir


type=AVC msg=audit(1350004372.548:157): avc:  denied  { rename } for  pid=3281 comm="mission-control" name="accounts.cfg.619BMW" dev="dm-2" ino=2493975 scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1350004372.548:157): arch=x86_64 syscall=rename success=yes exit=0 a0=9fab10 a1=9f9af0 a2=31587b1760 a3=6f6363612f6c6f72 items=0 ppid=3280 pid=3281 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4 comm=mission-control exe=/usr/libexec/mission-control-5 subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: mission-control,xdm_dbusd_t,xdm_var_lib_t,dir,remove_name

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xdm_var_lib_t:dir remove_name;
allow xdm_dbusd_t xdm_var_lib_t:file rename;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t xdm_var_lib_t:dir remove_name;
allow xdm_dbusd_t xdm_var_lib_t:file rename;
Comment 5 Jeff Bastian 2012-10-12 08:13:58 EDT 
And the 4th and last:

SELinux is preventing /usr/libexec/mission-control-5 from using the 'setsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that mission-control-5 should be allowed setsched access on processes labeled xdm_dbusd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mission-control /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023
Target Objects                 [ process ]
Source                        mission-control
Source Path                   /usr/libexec/mission-control-5
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-mission-control-5.14.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.0-3.fc18.x86_64 #1 SMP Wed Oct
                              3 13:29:15 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-10-11 20:12:52 CDT
Last Seen                     2012-10-11 20:12:52 CDT
Local ID                      70d638b1-7610-435c-aa47-24b1154234a8

Raw Audit Messages
type=AVC msg=audit(1350004372.910:166): avc:  denied  { setsched } for  pid=3281 comm="mission-control" scontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1350004372.910:166): arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=cd1 a1=0 a2=7fff338972d0 a3=1 items=0 ppid=1 pid=3281 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4 comm=mission-control exe=/usr/libexec/mission-control-5 subj=system_u:system_r:xdm_dbusd_t:s0-s0:c0.c1023 key=(null)

Hash: mission-control,xdm_dbusd_t,xdm_dbusd_t,process,setsched

audit2allow

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:process setsched;

audit2allow -R

#============= xdm_dbusd_t ==============
allow xdm_dbusd_t self:process setsched;
Comment 6 Jeff Bastian 2012-10-12 08:14:39 EDT 
Actually, I had a 5th error, but it was already reported in bug 859782
Comment 7 Daniel Walsh 2012-10-12 09:02:41 EDT 
Jeff why is gdm running mission-control?
Comment 8 Jeff Bastian 2012-10-12 09:55:44 EDT 
I'm really not sure.  I just unlocked my screen this morning and had the above sealerts waiting for me.
Comment 9 Jeff Bastian 2012-10-12 11:15:59 EDT 
After updating selinux-policy to 3.11.1-36.fc18 and rebooting (see bug 863678), I see mission-control is running as unconfined_t now:

$ ps wwZp $(pgrep -f mission-control)
LABEL                             PID TTY      STAT   TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2453 ? Sl   0:00 /usr/libexec/mission-control-5

I'll keep an eye on it.
Comment 10 Daniel Walsh 2012-10-12 14:51:41 EDT 
Ok reopen if it happens again.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.