Description of problem:
SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the file /proc/<pid>/cgroup.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that colord should be allowed getattr access on the cgroup file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /proc/<pid>/cgroup [ file ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.28-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-71.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-21 12:07:06 WET
Last Seen                     2013-01-21 12:07:06 WET
Local ID                      950458f0-ee07-4bca-82a6-f6872ed5c554

Raw Audit Messages
type=AVC msg=audit(1358770026.373:347): avc: denied { getattr } for pid=1679 comm="colord" path="/proc/1/cgroup" dev="proc" ino=8064 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file

type=SYSCALL msg=audit(1358770026.373:347): arch=x86_64 syscall=fstat success=yes exit=0 a0=f a1=7fff5ffa28a0 a2=7fff5ffa28a0 a3=0 items=0 ppid=1 pid=1679 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,init_t,file,getattr

audit2allow
#============= colord_t ==============
allow colord_t init_t:file getattr;

audit2allow -R
#============= colord_t ==============
allow colord_t init_t:file getattr;

Additional info:
hashmarkername: setroubleshoot
kernel: 3.7.2-204.fc18.x86_64
type: libreport

We have this in F19.
Backported.
selinux-policy-3.11.1-73.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-73.fc18

Package selinux-policy-3.11.1-73.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-73.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1272/selinux-policy-3.11.1-73.fc18
then log in and leave karma (feedback).

I still encounter this problem with selinux-policy-3.11.1-73.fc18 from updates-testing installed.
Please attach the AVCs you are seeing.
selinux-policy-3.11.1-73.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

This is the output I get from setroubleshoot.

SELinux is preventing /usr/libexec/colord from 'getattr' accesses on the file /proc/<pid>/cgroup.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that colord should be allowed getattr access on the cgroup file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /proc/<pid>/cgroup [ file ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.28-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.8.0-rc4 #3 SMP Fri Jan 18 13:06:29 CET 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-25 23:19:49 CET
Last Seen                     2013-01-25 23:19:49 CET
Local ID                      5be55b39-f5c8-4b1b-897f-9f9c6d2b2cd7

Raw Audit Messages
type=AVC msg=audit(1359152389.362:70): avc: denied { getattr } for pid=1766 comm="colord" path="/proc/1/cgroup" dev="proc" ino=6543 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file

type=SYSCALL msg=audit(1359152389.362:70): arch=x86_64 syscall=fstat success=yes exit=0 a0=f a1=7fffb2568d00 a2=7fffb2568d00 a3=0 items=0 ppid=1 pid=1766 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,init_t,file,getattr

audit2allow
#============= colord_t ==============
allow colord_t init_t:file getattr;

audit2allow -R
#============= colord_t ==============
allow colord_t init_t:file getattr;

Actually it is going to be fixed in selinux-policy-3.11.1-74.fc18.noarch.
This happens every time I log in

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18

Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
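
How the raw audit messages in the reports above map to the suggested rule, as an added example that is not part of the original thread and is not setroubleshoot's or audit2allow's own code: it pairs AVC and SYSCALL records by audit event ID, derives the allow rule, and reports whether the syscall was actually blocked. The names `summarize`, `selinux_type` and `SAMPLE` are assumptions of this example; the records are copied from the first report, with the SYSCALL record abbreviated.

```python
import re

# Records from the first report above (event 1358770026.373:347);
# the SYSCALL record is abbreviated to the fields used here.
SAMPLE = [
    'type=AVC msg=audit(1358770026.373:347): avc: denied { getattr } for '
    'pid=1679 comm="colord" path="/proc/1/cgroup" dev="proc" ino=8064 '
    'scontext=system_u:system_r:colord_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1358770026.373:347): arch=x86_64 syscall=fstat '
    'success=yes exit=0 pid=1679 comm=colord exe=/usr/libexec/colord',
]

HEAD_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type from a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def summarize(lines):
    """Pair AVC and SYSCALL records by event ID; return one dict per denial."""
    events = {}
    for line in lines:
        m = HEAD_RE.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(event_id, {})
        perms = PERMS_RE.search(body)
        if rtype == 'AVC' and perms:
            src = selinux_type(fields.get('scontext', ''))
            tgt = selinux_type(fields.get('tcontext', ''))
            if not (src and tgt and 'tclass' in fields):
                continue  # malformed record: no rule can be derived
            p = sorted(perms.group(1).split())
            p = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
            ev['rule'] = f"allow {src} {tgt}:{fields['tclass']} {p};"
        elif rtype == 'SYSCALL' and 'success' in fields:
            # success=yes beside a denial means it was logged, not enforced.
            ev['blocked'] = fields['success'] == 'no'
    return [{'event': e, 'rule': v['rule'], 'blocked': v.get('blocked')}
            for e, v in events.items() if 'rule' in v]

print(summarize(SAMPLE))
```

For the sample, `blocked` is `False`, which matches the report's "Enforcing Mode Permissive" line: the fstat call succeeded and the denial was only logged.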