Bug 891114 - SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'read' accesses on the file /etc/passwd.
Summary: SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'rea...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:838f04c837bb48739b45edaa14d...
Depends On:
TreeView+ depends on / blocked
Reported: 2013-01-01 19:32 UTC by Mustafa Muhammad
Modified: 2013-01-02 14:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-01-02 12:54:13 UTC
Type: ---

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2013-01-01 19:32 UTC, Mustafa Muhammad
no flags Details
File: hashmarkername (14 bytes, text/plain)
2013-01-01 19:32 UTC, Mustafa Muhammad
no flags Details

Description Mustafa Muhammad 2013-01-01 19:32:42 UTC
Description of problem:
I tried to kill a process (yumBackend) because it was taking forever so I wanted to use yum.
Instead of displaying a dialog box asking for root passward to allow me to kill the process, I got AVC denial.

How reproducible:

How to reproduce:
1) As a user (not in the Admins group) try to kill a root process

What happens:
AVC denial

What is expected:
Display a dialog asking for the root password and after entering it, executing the command.

Additional info:
libreport version: 2.0.17
kernel:         3.6.6-3.fc18.x86_64

:SELinux is preventing /usr/libexec/kde4/ksysguardprocesslist_helper from 'read' accesses on the file /etc/passwd.
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that ksysguardprocesslist_helper should be allowed read access on the passwd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep ksysguardproces /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:passwd_file_t:s0
:Target Objects                /etc/passwd [ file ]
:Source                        ksysguardproces
:Source Path                   /usr/libexec/kde4/ksysguardprocesslist_helper
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ksysguard-4.9.3-1.fc18.x86_64
:Target RPM Packages           setup-2.8.57-1.fc18.noarch
:Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-3.fc18.x86_64 #1 SMP Mon Nov
:                              5 16:26:34 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2013-01-01 22:24:38 AST
:Last Seen                     2013-01-01 22:24:38 AST
:Local ID                      abe5120d-4520-4495-98e7-2b0caef027cd
:Raw Audit Messages
:type=AVC msg=audit(1357068278.725:346): avc:  denied  { read } for  pid=3158 comm="ksysguardproces" name="passwd" dev="sda7" ino=524739 scontext=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
:type=SYSCALL msg=audit(1357068278.725:346): arch=x86_64 syscall=open success=no exit=EACCES a0=7f05602306ea a1=80000 a2=1b6 a3=238 items=0 ppid=3157 pid=3158 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ksysguardproces exe=/usr/libexec/kde4/ksysguardprocesslist_helper subj=system_u:system_r:gnomesystemmm_t:s0-s0:c0.c1023 key=(null)
:Hash: ksysguardproces,gnomesystemmm_t,passwd_file_t,file,read
:#============= gnomesystemmm_t ==============
:allow gnomesystemmm_t passwd_file_t:file read;
:audit2allow -R
:#============= gnomesystemmm_t ==============
:allow gnomesystemmm_t passwd_file_t:file read;

Comment 1 Mustafa Muhammad 2013-01-01 19:32:46 UTC
Created attachment 671120 [details]
File: type

Comment 2 Mustafa Muhammad 2013-01-01 19:32:51 UTC
Created attachment 671121 [details]
File: hashmarkername

Comment 3 Miroslav Grepl 2013-01-02 12:54:13 UTC
Please update your system.

# yum update

Comment 4 Mustafa Muhammad 2013-01-02 14:21:44 UTC
(In reply to comment #3)
> Please update your system.
> # yum update

Thanks, now it works.

Note You need to log in before you can comment on or make changes to this bug.