Description of problem:
I was trying to stop/kill a process owned by root, from the System Activity window (CTRL-ESC). Several more dialogues popped up explaining that I did not have the required privileges to terminate the process or something alike. I then attempted to close the popup(s), but they were unresponsive. However I did manage to close the parent System Activity window. I then received an SELinux Alert with details below:

SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ksysguardprocesslist_helper should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ksysguardproces /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        ksysguardproces
Source Path                   /usr/libexec/kde4/ksysguardprocesslist_helper
Port                          <Unknown>
Host                          fedora-vaio
Source RPM Packages           ksysguard-4.9.3-1.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora-vaio
Platform                      Linux fedora-vaio 3.6.6-1.fc17.x86_64 #1 SMP Mon Nov 5 21:59:35 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    2012-11-19 00:11:12 CST
Last Seen                     2012-11-19 00:11:14 CST
Local ID                      771c561f-a8dc-4c75-aa12-9a69c5c0a46a

Raw Audit Messages
type=AVC msg=audit(1353246074.228:110): avc: denied { read } for pid=3393 comm="ksysguardproces" name="passwd" dev="dm-2" ino=2891712 scontext=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1353246074.228:110): arch=x86_64 syscall=open success=no exit=EACCES a0=7f36823956ca a1=80000 a2=1b6 a3=238 items=0 ppid=3392 pid=3393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ksysguardproces exe=/usr/libexec/kde4/ksysguardprocesslist_helper subj=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 key=(null)

Hash: ksysguardproces,gnomesystemmm_t,passwd_file_t,file,read

audit2allow

#============= gnomesystemmm_t ==============
allow gnomesystemmm_t passwd_file_t:file read;

audit2allow -R

#============= gnomesystemmm_t ==============
allow gnomesystemmm_t passwd_file_t:file read;

Version-Release number of selected component:
ksysguard-4.9.3-1.fc17

Additional info:
libreport version: 2.0.18
abrt_version: 2.0.18
backtrace_rating: 4
cmdline: /usr/libexec/kde4/ksysguardprocesslist_helper
crash_function: QFileSystemEngine::homePath
kernel: 3.6.6-1.fc17.x86_64

truncated backtrace:
:Thread no. 1 (10 frames)
: #0 QFileSystemEngine::homePath at io/qfilesystemengine_unix.cpp:631
: #1 QDir::homePath at io/qdir.cpp:1884
: #2 initDefaultPaths at io/qsettings.cpp:1076
: #3 getPath at io/qsettings.cpp:1140
: #4 QConfFileSettingsPrivate::QConfFileSettingsPrivate at io/qsettings.cpp:1170
: #5 QSettingsPrivate::create at io/qsettings.cpp:369
: #6 QSettings::QSettings at io/qsettings.cpp:2658
: #7 staticTrolltechConf at kernel/qcoreapplication.cpp:332
: #8 QCoreApplicationPrivate::trolltechConf at kernel/qcoreapplication.cpp:336
: #9 QLibraryPrivate::isPlugin at plugin/qlibrary.cpp:717
Created attachment 647160 [details] File: core_backtrace
Created attachment 647161 [details] File: environ
Created attachment 647162 [details] File: limits
Created attachment 647163 [details] File: backtrace
Created attachment 647164 [details] File: cgroup
Created attachment 647165 [details] File: smolt_data
Created attachment 647166 [details] File: executable
Created attachment 647167 [details] File: maps
Created attachment 647168 [details] File: dso_list
Created attachment 647169 [details] File: build_ids
Created attachment 647170 [details] File: proc_pid_status
Created attachment 647171 [details] File: open_fds
Created attachment 647172 [details] File: var_log_messages
So the thing is, the KAuth helpers need to find root's home directory SOMEHOW. Using $HOME does not work because it is not set in the environment used with D-Bus activation, which led to that /.config issue we had several bugs filed about. So now we applied a proposed patch from the upstream Qt bug tracker which falls back to the pwent API when $HOME is not set, but that API of course needs access to /etc/passwd.
(And by the way, the APIs used are generic APIs which need to work for all users, not just root. The KAuth helpers always run as root, but the configuration APIs they use can work as any user. So we cannot just hardcode /root.)
I see with the latest F17 policy

# sesearch -A -s gnomesystemmm_t -t passwd_file_t
Found 1 semantic av rules:
   allow gnomesystemmm_t passwd_file_t : file { ioctl read getattr lock open } ;
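
The triage step this thread walks through, written out as an added example (not part of the original report or of any SELinux tool): parse the AVC denial from the alert, render the rule audit2allow proposed, and check whether the denied permission is covered by the rule sesearch found in the newer policy. The function names are hypothetical, both inputs are copied from this page, and the check assumes exact type matches with no attribute expansion.

```python
import re

# Constructed inputs: the AVC record and the sesearch rule quoted in this report.
AVC = ('type=AVC msg=audit(1353246074.228:110): avc: denied { read } for pid=3393 '
       'comm="ksysguardproces" name="passwd" dev="dm-2" ino=2891712 '
       'scontext=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file')
RULE = 'allow gnomesystemmm_t passwd_file_t : file { ioctl read getattr lock open } ;'

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
RULE_RE = re.compile(
    r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) of a denied AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(kv.split('=', 1) for kv in m.group(2).split() if '=' in kv)
    # A context is user:role:type[:mls-range]; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], frozenset(m.group(1).split())


def parse_rule(rule):
    """Parse one allow rule in either sesearch or audit2allow layout."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    perms = (m.group(4) or m.group(5) or '').split()
    return m.group(1), m.group(2), m.group(3), frozenset(perms)


def missing_perms(avc_line, rules):
    """Denied permissions that no rule grants (exact type match, no attributes)."""
    stype, ttype, tclass, denied = parse_avc(avc_line)
    granted = set()
    for s, t, c, perms in map(parse_rule, rules):
        if (s, t, c) == (stype, ttype, tclass):
            granted |= perms
    return set(denied) - granted


def as_allow_rule(avc_line):
    """Render the denial in the form audit2allow printed in the alert."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
    return 'allow %s %s:%s %s;' % (stype, ttype, tclass, body)
```

An empty result from `missing_perms(AVC, [RULE])` means the denial is already covered by that rule, so a policy update rather than a local `mypol` module is the fix.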