Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 982338 - SELinux is preventing /usr/bin/gnome-session from 'setattr' accesses on the directory at-spi2.
Summary: SELinux is preventing /usr/bin/gnome-session from 'setattr' accesses on the d...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5790fa42a2819e08e3098895abb...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-08 18:11 UTC by mardanmar
Modified: 2013-08-01 05:02 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-01 05:01:56 UTC


Attachments (Terms of Use)

Description mardanmar 2013-07-08 18:11:43 UTC
Description of problem:
SELinux is preventing /usr/bin/gnome-session from 'setattr' accesses on the directory at-spi2.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gnome-session should be allowed setattr access on the at-spi2 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-session /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                at-spi2 [ dir ]
Source                        gnome-session
Source Path                   /usr/bin/gnome-session
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           gnome-shell-3.4.1-6.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-170.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-100.fc17.x86_64 #1 SMP Thu
                              Jun 27 19:19:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-07-08 14:15:50 CDT
Last Seen                     2013-07-08 14:15:52 CDT
Local ID                      d0441720-0d68-4575-8d6c-46280766d82b

Raw Audit Messages
type=AVC msg=audit(1373310952.271:44): avc:  denied  { setattr } for  pid=1023 comm="gnome-shell" name="at-spi2" dev="dm-1" ino=1051792 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1373310952.271:44): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7ff1653fa761 a1=3ff a2=11 a3=7fffd484fe70 items=0 ppid=942 pid=1023 auid=42 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 ses=1 tty=(none) comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-session,xdm_t,tmp_t,dir,setattr

audit2allow

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t tmp_t:dir setattr;

audit2allow -R

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'

allow xdm_t tmp_t:dir setattr;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.8-100.fc17.x86_64
type:           libreport

Potential duplicate: bug 690326

Comment 1 Miroslav Grepl 2013-07-10 09:21:11 UTC
Have you seen this happen again?

Comment 2 Fedora End Of Life 2013-08-01 05:02:00 UTC
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.