Bug 904801 - SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'add_name' accesses on the directory qt_temp.hX1998.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0e3941ce4c5e157135ebead6cdf...
Depends On:
Blocks:
Reported: 2013-01-27 15:45 UTC by Joe Buckley
Modified: 2013-02-08 02:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-02-08 02:24:58 UTC
Type: ---
Embargoed:



Description Joe Buckley 2013-01-27 15:45:10 UTC
Description of problem:
Attempted to change the time zone (unsuccessful). Troubleshooter came up with the instructions to change the local policy. This fails also without bringing up the troubleshooter.
SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from 'add_name' accesses on the directory qt_temp.hX1998.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that kcmdatetimehelper should be allowed add_name access on the qt_temp.hX1998 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kcmdatetimehelp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                qt_temp.hX1998 [ dir ]
Source                        kcmdatetimehelp
Source Path                   /usr/libexec/kde4/kcmdatetimehelper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kde-workspace-4.9.5-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-71.fc18.noarch selinux-
                              policy-3.11.1-73.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed
                              Jan 16 16:22:52 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-27 15:38:29 UTC
Last Seen                     2013-01-27 15:38:29 UTC
Local ID                      0a2cdd2d-0d58-49e7-a058-64c75c7c7f11

Raw Audit Messages
type=AVC msg=audit(1359301109.822:304): avc:  denied  { add_name } for  pid=1998 comm="kcmdatetimehelp" name="qt_temp.hX1998" scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1359301109.822:304): arch=x86_64 syscall=open success=no exit=EACCES a0=10c77c8 a1=800c2 a2=180 a3=2 items=0 ppid=1 pid=1998 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=kcmdatetimehelp exe=/usr/libexec/kde4/kcmdatetimehelper subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: kcmdatetimehelp,gnomeclock_t,tmp_t,dir,add_name

audit2allow

#============= gnomeclock_t ==============
#!!!! This avc is allowed in the current policy

allow gnomeclock_t tmp_t:dir add_name;

audit2allow -R

#============= gnomeclock_t ==============
#!!!! This avc is allowed in the current policy

allow gnomeclock_t tmp_t:dir add_name;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-204.fc18.x86_64
type:           libreport
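
Added example (not part of the original report, and not code from setroubleshoot or audit2allow): a small parser for the two raw audit records quoted in the description. It rebuilds the allow rule from the AVC line and decodes the open() arguments of the SYSCALL record with the same event id, which show that the denied operation was an exclusive create of a file named qt_temp.hX1998, with add_name being the permission needed on the tmp_t parent directory. The flag table assumes Linux on x86_64; the function names are hypothetical.

```python
import re

# Records copied from the "Raw Audit Messages" section of this report
# (the SYSCALL record is shortened to the fields used here).
AVC = ('type=AVC msg=audit(1359301109.822:304): avc:  denied  { add_name } for  '
       'pid=1998 comm="kcmdatetimehelp" name="qt_temp.hX1998" '
       'scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:tmp_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1359301109.822:304): arch=x86_64 syscall=open '
           'success=no exit=EACCES a0=10c77c8 a1=800c2 a2=180 a3=2 items=0')

# open(2) flag bits for Linux on x86_64 (assumption: other architectures differ).
OPEN_FLAGS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x800: "O_NONBLOCK", 0x80000: "O_CLOEXEC"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Return the 'timestamp:serial' shared by all records of one audit event."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)

def parse_avc(record):
    """Split an AVC denial into permissions, types, class and an allow rule."""
    perms = re.search(r'denied\s+\{([^}]*)\}', record).group(1).split()
    f = fields(record)
    # Contexts are user:role:type:level; a policy rule names only the type.
    source, target = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return {"comm": f["comm"], "name": f["name"], "perms": perms,
            "source": source, "target": target, "tclass": f["tclass"],
            "rule": f"allow {source} {target}:{f['tclass']} {perm_text};"}

def decode_open(record):
    """Decode the hex a1 (flags) and a2 (mode) arguments of an open() record."""
    f = fields(record)
    flags, mode = int(f["a1"], 16), int(f["a2"], 16)
    names = [ACCESS_MODES[flags & 3]]
    names += [name for bit, name in sorted(OPEN_FLAGS.items()) if flags & bit]
    return names, oct(mode)

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print("same event:", event_id(AVC) == event_id(SYSCALL))
    print(avc["name"], "->", avc["rule"])
    print(decode_open(SYSCALL))
```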

Comment 1 Miroslav Grepl 2013-01-28 16:18:50 UTC
Does kcmdatetimehelper use /tmp?

Comment 2 Kevin Kofler 2013-01-28 16:58:42 UTC
Yes, the above AVC is clear evidence that it does, isn't it?

KAuth mechanisms use kdelibs, which assumes a working /tmp in many places. It is not practical to expect any KAuth mechanism to work without /tmp.

Comment 3 Daniel Walsh 2013-01-28 17:11:55 UTC
Kevin, we are just looking for confirmation on whether or not this is required. In the case of kerberos libraries, it is.

Comment 4 Daniel Walsh 2013-01-28 17:13:14 UTC
We support gnomeclock working in /tmp in Rawhide.

Comment 5 Miroslav Grepl 2013-01-30 09:03:06 UTC
And we have it also in F18 in git.

Fixed in selinux-policy-3.11.1-74.fc18.noarch

Comment 6 Patrick O'Callaghan 2013-01-30 19:15:30 UTC
I installed selinux-policy-3.11.1-74.fc18.noarch.rpm (from Koji) and saw no change. I don't get the policy warning, just an error popup saying "Error setting new time zone." (exactly the same as before the update).

Comment 7 Daniel Walsh 2013-01-30 21:18:44 UTC
Could you attach the output of 

ausearch -m avc -ts recent

Comment 8 Patrick O'Callaghan 2013-01-30 21:33:06 UTC
(In reply to comment #7)
> Could you attach the output of 
> 
> ausearch -m avc -ts recent

$ sudo ausearch -m avc -ts recent
<no matches>

(This is after a system reboot followed by a further attempt to change timezone).

Comment 9 Kevin Kofler 2013-01-31 00:00:13 UTC
Do you still get that error if you set SELinux to permissive or disabled? (If so, it's not an SELinux issue, but a separate bug.)

Comment 10 Fedora Update System 2013-01-31 13:19:27 UTC
selinux-policy-3.11.1-74.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-74.fc18

Comment 11 Patrick O'Callaghan 2013-01-31 15:25:39 UTC
(In reply to comment #9)
> Do you still get that error if you set SELinux to permissive or disabled?
> (If so, it's not an SELinux issue, but a separate bug.)

I disabled SELinux, rebooted and the error is still there, so it must be something else.

Comment 12 Fedora Update System 2013-02-01 16:40:14 UTC
Package selinux-policy-3.11.1-74.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-74.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1693/selinux-policy-3.11.1-74.fc18
then log in and leave karma (feedback).

Comment 13 Patrick O'Callaghan 2013-02-01 17:34:22 UTC
(In reply to comment #11)
> (In reply to comment #9)
> > Do you still get that error if you set SELinux to permissive or disabled?
> > (If so, it's not an SELinux issue, but a separate bug.)
> 
> I disabled SELinux, rebooted and the error is still there, so it must be
> something else.

Refiled as https://bugzilla.redhat.com/show_bug.cgi?id=906854

Comment 14 Fedora Update System 2013-02-08 02:25:01 UTC
selinux-policy-3.11.1-74.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

