Bug 451820 - AVC denials when logging in with KDE
Summary: AVC denials when logging in with KDE
Keywords:
Status: CLOSED DUPLICATE of bug 443661
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-17 16:45 UTC by Carl Roth
Modified: 2008-06-23 10:09 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-23 10:09:08 UTC



Description Carl Roth 2008-06-17 16:45:08 UTC
Description of problem:

I get the following AVC denials on my system when I log in with KDE.  On this
system, NetworkManager is not running (not sure if that's important).  I'm also
not sure these denials are related; they happen to occur at first login.

host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read
write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" dev=sockfs
ino=8670 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=AVC msg=audit(1213716699.166:5): avc: denied { read
write } for pid=3541 comm="console-kit-dae" path="socket:[10668]" dev=sockfs
ino=10668 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e
syscall=59 success=yes exit=0 a0=185a870 a1=185a5c0 a2=185a010 a3=316bf67a70
items=0 ppid=3540 pid=3541 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null) 

host=huggy.ursus.net type=AVC msg=audit(1213716769.752:12): avc: denied { read
write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" dev=sockfs
ino=8670 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e
syscall=59 success=yes exit=0 a0=1aee990 a1=1aee630 a2=1aee010 a3=316bf67a70
items=0 ppid=4262 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti"
exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null) 

host=huggy.ursus.net type=AVC msg=audit(1213716770.574:13): avc: denied {
getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" dev=tmpfs ino=351
scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file 

host=huggy.ursus.net type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e
syscall=4 success=no exit=-13 a0=3d6c65bce5 a1=7fffe5f24460 a2=7fffe5f24460
a3=316bf67a70 items=0 ppid=1 pid=4263 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti"
exe="/usr/sbin/nm-system-settings"
subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null) 


Version-Release number of selected component (if applicable):

ConsoleKit-0.2.10-3.fc9.x86_64
NetworkManager-0.7.0-0.9.4.svn3675.fc9.x86_64
selinux-policy-targeted-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Carl Roth 2008-06-17 16:51:30 UTC
The NetworkManager_t denials appear to be chained off of the nm-applet startup
in /etc/xdg/autostart/nm-applet --sm-disable.

What's the utility of running nm-applet and nm-settings-daemon if NetworkManager
is not running at all?


Comment 2 Carl Roth 2008-06-17 16:58:47 UTC
er, meant to say, "/etc/xdg/autostart/nm-applet.desktop".  "Problem between
screen, keyboard and primary cut buffer"


Comment 3 Carl Roth 2008-06-17 21:22:02 UTC
On one of my systems with a fixed (wired) configuration, NetworkManager is not
needed.  On this system, if I uninstall NetworkManager-gnome, it causes the
NetworkManager_t AVCs to go away.

On another one of my systems (wireless networking with NetworkManager) the
NetworkManager_t/system_dbusd_t denials do not occur, but the
NetworkManager_t/root_device_t denials do still occur.  On this system, the
consolekit_t denials do not occur.



Comment 4 Daniel Walsh 2008-06-22 12:24:20 UTC
Are you using nss_ldap for authorization?  There is a known file descriptor leak
that consolekit and dbus are complaining about.


The NetworkManager looking at fixed disk is fixed in
selinux-policy-3.3.1-68.fc9.noarch
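
Added example (not part of the original thread, and not code from the SELinux or audit projects): a triage helper that groups audit records by event ID and separates the leaked-descriptor pattern described in Comment 4 from an ordinary access denial. It assumes x86_64 records (arch=c000003e, where syscall 59 is execve), and the rule "denial on a socket labeled with another process domain, logged in the same event as a successful execve" is a heuristic chosen for this illustration. The sample records are abridged from the report's description.

```python
import re
from collections import defaultdict

# Abridged from the audit records in the description (wrapping rejoined, unused fields dropped).
SAMPLE = """\
type=AVC msg=audit(1213716699.166:5): avc: denied { read write } for pid=3541 comm="console-kit-dae" path="socket:[8670]" scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716699.166:5): arch=c000003e syscall=59 success=yes exit=0 pid=3541 comm="console-kit-dae"
type=AVC msg=audit(1213716769.752:12): avc: denied { read write } for pid=4263 comm="nm-system-setti" path="socket:[8670]" scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=SYSCALL msg=audit(1213716769.752:12): arch=c000003e syscall=59 success=yes exit=0 pid=4263 comm="nm-system-setti"
type=AVC msg=audit(1213716770.574:13): avc: denied { getattr } for pid=4263 comm="nm-system-setti" path="/dev/root" scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1213716770.574:13): arch=c000003e syscall=4 success=no exit=-13 pid=4263 comm="nm-system-setti"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
EVENT_ID = re.compile(r"audit\(([\d.]+:\d+)\)")    # timestamp:serial ties records together


def domain(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def classify(log):
    """Pair each AVC with the SYSCALL record of the same event and label it."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        match = EVENT_ID.search(fields.get("msg", ""))
        if not match:
            continue
        if fields.get("type") == "AVC":
            events[match.group(1)]["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[match.group(1)]["syscall"] = fields
    findings = []
    for event_id, ev in events.items():
        sc = ev["syscall"]
        # Heuristic (assumption of this example): successful execve on x86_64.
        on_exec = (sc.get("arch"), sc.get("syscall"), sc.get("success")) == ("c000003e", "59", "yes")
        for avc in ev["avc"]:
            src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
            is_socket = avc.get("path", "").strip('"').startswith("socket:[")
            verdict = "leaked-fd" if on_exec and is_socket and src != tgt else "access-denied"
            findings.append((event_id, src, tgt, avc["tclass"], verdict))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(*finding)
```

The two tcp_socket denials are labeled as inherited descriptors, while the blk_file getattr on /dev/root, a failed stat with exit=-13, is labeled as a real access denial, which matches the split made in Comment 4.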


Comment 5 Carl Roth 2008-06-22 17:33:21 UTC
Yes, I'm using nss_ldap.  Any other symptoms I should be looking for?  High gas
prices, perhaps?


Comment 6 Daniel Walsh 2008-06-23 10:09:08 UTC
You can ignore those until the leaked file descriptor is fixed.

*** This bug has been marked as a duplicate of 443661 ***

