Bug 597044 - SELinux is preventing /usr/libexec/accounts-daemon "getattr" access on /tmp/usericonR4EDDV.
Summary: SELinux is preventing /usr/libexec/accounts-daemon "getattr" access on /...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:63fba2f84c9...
Duplicates: 597106
Depends On:
Blocks:
 
Reported: 2010-05-28 01:42 UTC by chenhuan.gt
Modified: 2010-06-10 12:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-10 12:20:59 UTC



Description chenhuan.gt 2010-05-28 01:42:06 UTC
Summary:

SELinux is preventing /usr/libexec/accounts-daemon "getattr" access on
/tmp/usericonR4EDDV.

Detailed Description:

[accounts-daemon has a permissive type (accountsd_t). This access was not
denied.]

SELinux denied access requested by accounts-daemon. It is not expected that this
access is required by accounts-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:accountsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                /tmp/usericonR4EDDV [ file ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           accountsservice-0.6-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.33.4-95.fc13.i686
                              #1 SMP Thu May 13 05:55:24 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Fri 28 May 2010 09:35:45 AM EDT
Last Seen                     Fri 28 May 2010 09:35:45 AM EDT
Local ID                      177fe922-0882-4e30-9a39-b040586b3d66
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1275053745.224:17855): avc:  denied  { getattr } for  pid=10772 comm="accounts-daemon" path="/tmp/usericonR4EDDV" dev=dm-0 ino=4431 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1275053745.224:17855): arch=40000003 syscall=196 success=yes exit=0 a0=937de28 a1=bfec667c a2=54bff4 a3=936b550 items=0 ppid=1 pid=10772 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="accounts-daemon" exe="/usr/libexec/accounts-daemon" subj=system_u:system_r:accountsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,accounts-daemon,accountsd_t,user_tmp_t,file,getattr
audit2allow suggests:

#============= accountsd_t ==============
allow accountsd_t user_tmp_t:file getattr;

Comment 1 chenhuan.gt 2010-05-28 01:47:27 UTC
When I edited the login icon of a test account and closed accountsdialog, it happened.

Comment 2 Daniel Walsh 2010-05-28 12:04:51 UTC
Matthias, when a user adds an icon is accountsdialog going to copy the icon to its /var/lib/AccountsService directory?

Comment 3 Daniel Walsh 2010-05-28 12:08:47 UTC
I can allow it to read user content in /tmp and ~/

As well as content in /mnt and /media and from all file systems on removable devices.

Comment 4 Daniel Walsh 2010-05-28 12:17:07 UTC
*** Bug 597106 has been marked as a duplicate of this bug. ***

Comment 5 Steven Drinnan 2010-06-07 06:07:12 UTC
Confirmed with F13 64-bit.

Need to set SE to Permissive for accountsdialog to work.

Comment 6 Daniel Walsh 2010-06-07 14:21:59 UTC
Looks like this is fixed in selinux-policy-3.7.19-23.fc13

yum update

Comment 7 Steven Drinnan 2010-06-08 06:55:58 UTC
System is up to date.

But now no error report.

Fails with enforcing,
runs with permissive.

Please reopen.

Comment 8 Daniel Walsh 2010-06-08 12:16:18 UTC
rpm -q selinux-policy

Comment 9 Steven Drinnan 2010-06-09 00:21:03 UTC
selinux-policy-3.7.19-21.fc13.noarch

Comment 10 Steven Drinnan 2010-06-09 00:22:46 UTC
When will 'selinux-policy-3.7.19-23.fc13' be pushed to updates?
Is it in testing?

Comment 11 Steven Drinnan 2010-06-09 00:54:06 UTC
Just tried updates-testing; not available.

Comment 12 Steven Drinnan 2010-06-09 09:25:06 UTC
Just updated with selinux-policy-3.7.19-23.fc13

No change, still need selinux set to permissive to get accountsdialog to work.

Comment 13 Daniel Walsh 2010-06-09 20:51:26 UTC
Can you attach the latest AVC messages?

Comment 14 Steven Drinnan 2010-06-10 00:30:25 UTC
These are all that's available. As I said, the warnings disappear but SELinux is still blocking the accounts daemon, i.e. if I set it to permissive it works. I'll attach a video later today to show you what I mean.

This was the last one:

Summary:

SELinux is preventing /usr/libexec/accounts-daemon (deleted) "remove_name"
access on custom.conf.XK9YDV.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by accounts-daemon. It is not expected that this
access is required by accounts-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:accountsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                custom.conf.XK9YDV [ dir ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon (deleted)
Port                          <Unknown>
Host                          mylaptop.myhome
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     mylaptop.myhome
Platform                      Linux mylaptop.myhome 2.6.33.5-112.fc13.x86_64 #1
                              SMP Thu May 27 02:28:31 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 07 Jun 2010 01:34:44 PM HKT
Last Seen                     Mon 07 Jun 2010 01:34:44 PM HKT
Local ID                      d88aa63b-be02-4ede-aee1-72367573ab13
Line Numbers                  

Raw Audit Messages            

node=mylaptop.myhome type=AVC msg=audit(1275888884.222:25096): avc:  denied  { remove_name } for  pid=1864 comm="accounts-daemon" name="custom.conf.XK9YDV" dev=dm-1 ino=1050260 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=mylaptop.myhome type=AVC msg=audit(1275888884.222:25096): avc:  denied  { rename } for  pid=1864 comm="accounts-daemon" name="custom.conf.XK9YDV" dev=dm-1 ino=1050260 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=mylaptop.myhome type=AVC msg=audit(1275888884.222:25096): avc:  denied  { unlink } for  pid=1864 comm="accounts-daemon" name="custom.conf" dev=dm-1 ino=1050835 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=mylaptop.myhome type=SYSCALL msg=audit(1275888884.222:25096): arch=c000003e syscall=82 success=yes exit=0 a0=211daf0 a1=40aa10 a2=0 a3=1 items=0 ppid=1 pid=1864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="accounts-daemon" exe=2F7573722F6C6962657865632F6163636F756E74732D6461656D6F6E202864656C6574656429 subj=system_u:system_r:accountsd_t:s0-s0:c0.c1023 key=(null)
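
A small triage helper, added here and not part of the bug report, setroubleshoot or audit2allow, that parses the raw audit records from the original description and from Comment 14 (embedded below as a constructed sample), regenerates the audit2allow-style allow rules, and flags two things a practitioner checks before adding policy: an AVC "denied" whose SYSCALL record says success=yes was not actually blocked (permissive domain or permissive mode, which is what both reports show), and a denial against a catch-all type such as etc_t is more often a labeling problem than a policy gap (GENERIC_TYPES is my heuristic, not something from the page).

```python
import re
from collections import defaultdict
# Constructed sample: the AVC/SYSCALL records from this bug, with unused fields dropped.
AUDIT_LOG = """\
type=AVC msg=audit(1275053745.224:17855): avc:  denied  { getattr } for  pid=10772 comm="accounts-daemon" path="/tmp/usericonR4EDDV" scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1275053745.224:17855): arch=40000003 syscall=196 success=yes exit=0 comm="accounts-daemon"
type=AVC msg=audit(1275888884.222:25096): avc:  denied  { remove_name } for  pid=1864 comm="accounts-daemon" name="custom.conf.XK9YDV" scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1275888884.222:25096): avc:  denied  { rename } for  pid=1864 comm="accounts-daemon" name="custom.conf.XK9YDV" scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1275888884.222:25096): avc:  denied  { unlink } for  pid=1864 comm="accounts-daemon" name="custom.conf" scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1275888884.222:25096): arch=c000003e syscall=82 success=yes exit=0 comm="accounts-daemon"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}"
    r".*? scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*? success=(?P<success>\w+)")
# Heuristic (my assumption): denials against these catch-all types usually mean mislabeling, so restorecon is the fix.
GENERIC_TYPES = {"etc_t", "default_t", "unlabeled_t"}

def parse_audit(text):
    """Return (denials, permissive_events). An AVC 'denied' whose SYSCALL record says
    success=yes was not actually blocked: the domain or the whole system was permissive."""
    denials, syscall_ok = [], {}
    for line in text.splitlines():
        if m := AVC_RE.search(line):
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
        elif m := SYSCALL_RE.search(line):
            syscall_ok[m["event"]] = m["success"] == "yes"
    permissive = {d["event"] for d in denials if syscall_ok.get(d["event"])}
    return denials, permissive

def suggest_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules

def labeling_suspects(denials):
    """Target types that point at a labeling problem rather than a policy gap."""
    return sorted({d["ttype"] for d in denials if d["ttype"] in GENERIC_TYPES})
```

Run `parse_audit(AUDIT_LOG)` and feed the denials to `suggest_rules` and `labeling_suspects`; on this sample both events come back as not actually blocked and etc_t is flagged, which matches the thread's eventual diagnosis in Comment 16.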

Comment 15 Steven Drinnan 2010-06-10 00:56:58 UTC
So I am not sure if this is what is causing the block.

Comment 16 Daniel Walsh 2010-06-10 12:20:59 UTC
You have a labeling problem in /etc.

restorecon -R -v /etc

Should fix.

/etc/gdm directory is mislabeled.

