Bug 962857 - SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'read' accesses on the file firewalld.pid.
SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'read' ...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-05-14 11:20 EDT by p1kp0kt
Modified: 2013-05-18 06:40 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-05-18 06:40:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description p1kp0kt 2013-05-14 11:20:06 EDT
Description of problem:
Opened libreoffice writer. It appears to try and read all pid. I also recieved denials for gpm.pid mcelog.pid syslogd.pid ksmtune.pid restorecond.pid setroubleshootd.pid crond.pid auditd.pid but am only filing this one report. This did not result in a crash of libreoffice. Libreoffice still worked fine.
SELinux is preventing /usr/lib64/libreoffice/program/soffice.bin from 'read' accesses on the file firewalld.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that soffice.bin should be allowed read access on the firewalld.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep pool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:firewalld_var_run_t:s0
Target Objects                firewalld.pid [ file ]
Source                        pool
Source Path                   /usr/lib64/libreoffice/program/soffice.bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libreoffice-core-
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.11-200.fc18.x86_64 #1 SMP Wed
                              May 1 19:44:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-05-13 09:52:45 CDT
Last Seen                     2013-05-13 09:52:45 CDT
Local ID                      e2f7cff4-ec45-4935-9164-f734fb6ec0a1

Raw Audit Messages
type=AVC msg=audit(1368456765.382:238958): avc:  denied  { read } for  pid=31231 comm="pool" name="firewalld.pid" dev="tmpfs" ino=19287 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:firewalld_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1368456765.382:238958): arch=x86_64 syscall=open success=no exit=EACCES a0=7faa6c011fb0 a1=40000 a2=0 a3=746163696c707061 items=0 ppid=30842 pid=31231 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=209 tty=(none) comm=pool exe=/usr/lib64/libreoffice/program/soffice.bin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: pool,staff_t,firewalld_var_run_t,file,read


#============= staff_t ==============
allow staff_t firewalld_var_run_t:file read;

audit2allow -R
require {
	type staff_t;
	type firewalld_var_run_t;
	class file read;

#============= staff_t ==============
allow staff_t firewalld_var_run_t:file read;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.11-200.fc18.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-05-14 16:53:00 EDT
Did you do an open on /run directory?
Comment 2 p1kp0kt 2013-05-17 19:55:53 EDT
I apologize for taking so long to respond. My attempt earlier this week evidently go through. 

No I did not open a file from /run. I opened libreoffice-writer from the menu of Cinnamon. It opened an empty, new document. I don't believe I had ever used libreoffice on this install. This is a approximately 3 month old install of Fedora 18. 

I am happy to provide any other details you need. I will try and find time this weekend to reproduce and if I can I will try to get a trace. I consider myself healthily skeptical of anything Java and my first instinct was that bad things were happening. Other than the pid reads I have not noticed any unusual behavior of the machine.
Comment 3 Daniel Walsh 2013-05-18 06:40:40 EDT
Well it is strange, the only way I would see this happening would be if you opened a file browser to the /run directory.

Seems like something staff_t should not need.  Glad to see you using confined users.  Lets just close this for now, and reopen if it happens again.

Note You need to log in before you can comment on or make changes to this bug.