Bug 873954 - SELinux is preventing /usr/libexec/colord-sane from 'read' accesses on the file osrelease.
Summary: SELinux is preventing /usr/libexec/colord-sane from 'read' accesses on the fi...
Keywords:
Status: CLOSED DUPLICATE of bug 858714
Alias: None
Product: Fedora
Classification: Fedora
Component: colord
Version: 17
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:40127b242f62cfd9ef5b16f2130...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-07 05:15 UTC by kksheth
Modified: 2013-04-24 10:36 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-24 10:36:12 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-07 05:15 UTC, kksheth 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-07 05:15 UTC, kksheth 		no flags Details
View All

Description kksheth 2012-11-07 05:15:31 UTC 
Additional info:
libreport version: 2.0.18
kernel:         3.6.3-1.fc17.i686

description:
:SELinux is preventing /usr/libexec/colord-sane from 'read' accesses on the file osrelease.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that colord-sane should be allowed read access on the osrelease file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep colord-sane /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0
:Target Context                system_u:object_r:sysctl_kernel_t:s0
:Target Objects                osrelease [ file ]
:Source                        colord-sane
:Source Path                   /usr/libexec/colord-sane
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           colord-0.1.23-1.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.3-1.fc17.i686 #1 SMP Mon Oct
:                              22 16:10:29 UTC 2012 i686 i686
:Alert Count                   17
:First Seen                    2012-11-06 19:05:55 IST
:Last Seen                     2012-11-06 19:06:04 IST
:Local ID                      e2935a61-d091-400c-a93e-c33a20404cae
:
:Raw Audit Messages
:type=AVC msg=audit(1352208964.335:179): avc:  denied  { read } for  pid=1321 comm="colord-sane" name="osrelease" dev="proc" ino=18296 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1352208964.335:179): arch=i386 syscall=open success=no exit=EACCES a0=b6d95aa2 a1=0 a2=1b6 a3=83823d0 items=0 ppid=1 pid=1321 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=colord-sane exe=/usr/libexec/colord-sane subj=system_u:system_r:colord_t:s0 key=(null)
:
:Hash: colord-sane,colord_t,sysctl_kernel_t,file,read
:
:audit2allow
:
:#============= colord_t ==============
:allow colord_t sysctl_kernel_t:file read;
:
:audit2allow -R
:
:#============= colord_t ==============
:allow colord_t sysctl_kernel_t:file read;
:
Comment 1 kksheth 2012-11-07 05:15:37 UTC 
Created attachment 639808 [details]
File: type
Comment 2 kksheth 2012-11-07 05:15:40 UTC 
Created attachment 639809 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-07 09:49:00 UTC 
Another issue related to colord-sane.

kksheth,
you can execute

# semanager permissive -a colord

and re-test to see if you get more AVC msgs

# ausearch -m avc -ts recent
Comment 4 Richard Hughes 2013-04-24 10:36:12 UTC 

*** This bug has been marked as a duplicate of bug 858714 ***
Note You need to log in before you can comment on or make changes to this bug.