Bug 903173 - SELinux is preventing /usr/libexec/colord from 'read' accesses on the file 2.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:2a338791fc69a2c1aa4ef1d2780...
Duplicates: 906970 907437
Reported: 2013-01-23 06:29 EST by Fabio Valentini
Modified: 2013-02-10 23:54 EST
Doc Type: Bug Fix
Last Closed: 2013-02-07 21:22:52 EST
Description Fabio Valentini 2013-01-23 06:29:31 EST
Description of problem:
SELinux is preventing /usr/libexec/colord from 'read' accesses on the file 2.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that colord should be allowed read access on the 2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0
Target Context                system_u:object_r:systemd_logind_sessions_t:s0
Target Objects                2 [ file ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.28-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.8.0-rc4 #3 SMP Fri Jan 18
                              13:06:29 CET 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-01-23 11:33:56 CET
Last Seen                     2013-01-23 12:27:33 CET
Local ID                      c82bcd76-9858-4d5c-a595-92542fa19cfa

Raw Audit Messages
type=AVC msg=audit(1358940453.140:72): avc:  denied  { read } for  pid=1757 comm="colord" name="2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file


type=AVC msg=audit(1358940453.140:72): avc:  denied  { open } for  pid=1757 comm="colord" path="/run/systemd/sessions/2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file


type=SYSCALL msg=audit(1358940453.140:72): arch=x86_64 syscall=open success=yes exit=ENOTBLK a0=2123900 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1757 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)

Hash: colord,colord_t,systemd_logind_sessions_t,file,read

audit2allow

#============= colord_t ==============
allow colord_t systemd_logind_sessions_t:file { read open };

audit2allow -R

#============= colord_t ==============
allow colord_t systemd_logind_sessions_t:file { read open };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.0-rc4
type:           libreport
Comment 1 Miroslav Grepl 2013-01-23 06:54:17 EST
Fixed in selinux-policy-3.11.1-74.fc18.noarch
Comment 2 Fedora Update System 2013-01-31 08:17:53 EST
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18
Comment 3 Fedora Update System 2013-02-01 11:38:25 EST
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).
Comment 4 Simone Tolotti 2013-02-03 11:58:55 EST
I have updates-testing enabled and selinux-policy-3.11.1-74.fc18 installed but I am still getting this SELinux alert.
I've also tried to relabel the whole system by doing # touch /.autorelabel
Comment 5 Miroslav Grepl 2013-02-04 06:31:04 EST
Fixed in selinux-policy-3.11.1-75.fc18
Comment 6 Miroslav Grepl 2013-02-04 06:40:40 EST
*** Bug 906970 has been marked as a duplicate of this bug. ***
Comment 7 Miroslav Grepl 2013-02-04 06:52:09 EST
*** Bug 907437 has been marked as a duplicate of this bug. ***
Comment 8 david sutherland 2013-02-04 14:32:41 EST
Laptop did not start from suspended state. Had to force shut down.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 9 Casper Gasper 2013-02-04 15:02:16 EST
AVC denial happens consistently when logging in.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 10 Jared Smith 2013-02-05 00:49:23 EST
Booted into GNOME 3, and noticed the sealert message.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 11 Fedora Update System 2013-02-05 04:23:19 EST
selinux-policy-3.11.1-76.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-76.fc18
Comment 12 Pascal94 2013-02-05 06:43:15 EST
Just at startup, like every day.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 13 Kostya Berger 2013-02-06 05:16:15 EST
No steps, just session startup and I got this alert. That's it.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 14 Javier Villanueva 2013-02-06 09:56:58 EST
This happened when I turned on the lap.

Package: (null)
Architecture: i686
OS Release: Fedora release 18 (Spherical Cow)
Comment 15 Artur M. 2013-02-06 11:12:45 EST
Happens right after login. 

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 16 Scott Tsai 2013-02-07 02:24:05 EST
Happens every time I log into the GNOME desktop.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 17 Chrit van Ewijk 2013-02-07 13:55:12 EST
Alert keeps coming right after startup. 

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)
Comment 18 Fedora Update System 2013-02-07 21:22:54 EST
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 joey10946 2013-02-08 04:45:08 EST
The problem still persists.
Comment 20 Miroslav Grepl 2013-02-08 07:21:14 EST
Please update to the latest policy

# yum update selinux-policy-targeted --enablerepo=updates-testing
Comment 21 joey10946 2013-02-08 11:12:14 EST
Updating to 3.11.1-76 solved the problem.
Comment 22 Edouard Bourguignon 2013-02-09 05:37:38 EST
type=AVC msg=audit(1360406105.149:368): avc:  denied  { search } for  pid=2517 comm="colord" name="sessions" dev="tmpfs" ino=13931 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir

search is denied now with 3.11.1-76
Comment 23 code 2013-02-09 11:50:04 EST
Observed this bug on selinux-policy-3.11.1-74.fc18.

type=AVC msg=audit(1360427076.051:363): avc:  denied  { search } for  pid=803 comm="colord" name="sessions" dev="tmpfs" ino=15045 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir

Resolved for me by updating to selinux-policy-3.11.1-76.fc18: no new entries in SELinux Troubleshooter or in audit.log after a reboot.
Comment 24 Fedora Update System 2013-02-10 23:54:50 EST
selinux-policy-3.11.1-76.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
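
Added example, not part of the original report or of the selinux-policy project: a small Python parser run over the audit records quoted in this bug. It shows how the `read` and `open` denials on the session file collapse into the rule audit2allow printed in the description, and that the `search` denial on the `sessions` directory from comments 22 and 23 is a separate access which that file-class rule does not cover. Function names are illustrative.

```python
import re

# Audit records copied from this report: description (read, open, SYSCALL) and comment 22 (search).
RECORDS = [
    'type=AVC msg=audit(1358940453.140:72): avc:  denied  { read } for  pid=1757 comm="colord" name="2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file',
    'type=AVC msg=audit(1358940453.140:72): avc:  denied  { open } for  pid=1757 comm="colord" path="/run/systemd/sessions/2" dev="tmpfs" ino=21935 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1358940453.140:72): arch=x86_64 syscall=open success=yes exit=ENOTBLK a0=2123900 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1757 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null)',
    'type=AVC msg=audit(1360406105.149:368): avc:  denied  { search } for  pid=2517 comm="colord" name="sessions" dev="tmpfs" ino=13931 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(record):
    """Return ((source type, target type, class), [perms]), or None for non-AVC records."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    # A context is user:role:type:level; type-enforcement rules use only the type.
    src, tgt = (m[g].split(':')[2] for g in ('scon', 'tcon'))
    return (src, tgt, m['tclass']), m['perms'].split()

def denied_access(records):
    """Merge denials per (source, target, class), keeping first-seen permission order."""
    access = {}
    for record in records:
        parsed = parse_avc(record)
        if parsed is None:
            continue
        key, perms = parsed
        seen = access.setdefault(key, [])
        seen.extend(p for p in perms if p not in seen)
    return access

def to_rules(access):
    """Render each merged denial as a type-enforcement allow rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in access.items()]

def uncovered(access, granted):
    """Denied permissions that the rules in `granted` do not allow."""
    gaps = {}
    for key, perms in access.items():
        missing = [p for p in perms if p not in granted.get(key, [])]
        if missing:
            gaps[key] = missing
    return gaps

if __name__ == "__main__":
    access = denied_access(RECORDS)
    print("\n".join(to_rules(access)))
    # The rule audit2allow printed in the description covers only the file class.
    rule = {("colord_t", "systemd_logind_sessions_t", "file"): ["read", "open"]}
    print(uncovered(access, rule))
```

Comparing denials against the rules already granted, per object class, is a quick way to tell a policy fix that is incomplete from one that has not been installed yet.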
