Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 229998 - AVC produced during consolekit startup (running targeted/enforcing)
Summary: AVC produced during consolekit startup (running targeted/enforcing)
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-25 17:29 UTC by Tom London
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-03-04 17:51:45 UTC

Attachments (Terms of Use)

Description Tom London 2007-02-25 17:29:04 UTC
Description of problem:
Running with SELinux in targeted/enforcing mode, get this in

type=USER_AVC msg=audit(1172350749.077:20): user pid=2688 uid=81 auid=4294967295
subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for
msgtype=method_call interface=org.freedesktop.ConsoleKit.Manager
member=OpenSessionWithParameters dest=org.freedesktop.ConsoleKit spid=3419
tpid=2921 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon"
(sauid=81, hostname=?, addr=?, terminal=?)'

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 David Zeuthen 2007-02-25 18:04:22 UTC
-> selinux-policy-targeted

Comment 2 David Zeuthen 2007-02-25 18:07:48 UTC
Am not sure why SELinux is denying someone to talk to the ConsoleKit daemon? For
the record, gdm, and in the future /bin/login, xinit, kdm, xdm, wdm and so forth
needs to be able to speak to ConsoleKit over D-Bus. Also, apps in a desktop
session will need to be able to speak to it.

Tell me, is the default policy to lock down access to all D-Bus services and
only open it up bit for bit? Because that's not very nice; what happens if a
third party package provides a system-wide D-Bus service? Thanks.

Comment 3 Tom London 2007-03-02 02:04:19 UTC
Seems fixed in selinux-policy-2.5.6-1.fc7

Comment 4 Tom London 2007-03-04 17:51:45 UTC
This one now:

type=AVC msg=audit(1173029651.416:13): avc:  denied  { write } for  pid=2891
comm="console-kit-dae" name="run" dev=dm-0 ino=65576
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1173029651.416:13): arch=40000003 syscall=5 success=no
exit=-13 a0=805280c a1=2c1 a2=1a4 a3=bf9aa720 items=0 ppid=2890 pid=2891
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="console-kit-dae" exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0 key=(null)

Comment 5 Daniel Walsh 2007-03-06 17:57:43 UTC
This is not a problem in selinux-policy-2.5.8-1

If you audit2why this avc, what does it say?

Comment 6 Tom London 2007-03-06 21:15:57 UTC
Sorry, I didn't notice that this one was reassigned to selinux-policy.

To avoid confusion, I'll open a new issue.

audit2why/audit2allow implicate consolekit.

Note You need to log in before you can comment on or make changes to this bug.