SELinux Error with bonobo-activation-server

Adam D. Ligas adam at physco.com
Sun Dec 7 22:14:25 UTC 2008


Hey folks,

I installed the VNC server package from the Fedora repo on my F10
server, and then edited my .vnc/xstartup file to allow a normal desktop
environment.

Now, each time the server boots, Nautilus bombs out with the following
error:

"Nautilus cannot be used now, due to an unexpected error from Bonobo
when attempting to locate the factory.  Killing bonobo-activation-server
and restarting Nautilus may help fix the problem".

In conjunction with this dialog box, I get the following SELinux error.

--- Begin SELinux Error ---
Summary:

SELinux is preventing ck-get-x11-serv (consolekit_t) "connectto"
unconfined_notrans_t.

Detailed Description:

SELinux denied access requested by ck-get-x11-serv. It is not expected
that this access is required by ck-get-x11-serv and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require
additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:system_r:unconfined_notrans_t:s0
Target Objects                002F746D702F2E5831312D756E69782F5831 [ unix_stream_socket ]
Source                        ck-get-x11-serv
Source Path                   /usr/libexec/ck-get-x11-server-pid
Port                          <Unknown>
Host                          boris
Source RPM Packages           ConsoleKit-x11-0.3.0-2.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     boris
Platform                      Linux boris 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 athlon
Alert Count                   2
First Seen                    Sat 06 Dec 2008 04:40:19 PM EST
Last Seen                     Sun 07 Dec 2008 05:04:49 PM EST
Local ID                      a654e04f-23ae-4f1e-8c47-9583cd2b5c27
Line Numbers                  

Raw Audit Messages            

node=boris type=AVC msg=audit(1228687489.309:9): avc:  denied  { connectto } for  pid=2291 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_notrans_t:s0 tclass=unix_stream_socket

node=boris type=SYSCALL msg=audit(1228687489.309:9): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc677c0 a2=61a160 a3=11 items=0 ppid=2290 pid=2291 auid=4294967295 uid=500 gid=504 euid=500 suid=500 fsuid=500 egid=504 sgid=504 fsgid=504 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
--- End SELinux Error ---

The workaround for now is to SSH to the server, kill -9 the bonobo
process, and then restart the vncserver service.  But I would like to
remove all of those steps if at all possible.

Thoughts?

- Adam
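
The AVC record in the report above carries its socket path hex-encoded, which hides what ck-get-x11-serv was actually connecting to. The following is an added example, not part of the original post: a small triage parser that decodes the path and pulls out the source type, target type, class and permission. The function names are hypothetical, and showing a leading NUL byte as '@' for an abstract-namespace socket is a display convention assumed here.

```python
import re

# AVC record from the report above, rejoined onto a single line.
AVC = ('node=boris type=AVC msg=audit(1228687489.309:9): avc:  denied  '
       '{ connectto } for  pid=2291 comm="ck-get-x11-serv" '
       'path=002F746D702F2E5831312D756E69782F5831 '
       'scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:unconfined_notrans_t:s0 '
       'tclass=unix_stream_socket')


def decode_audit_path(value):
    """Return a readable form of an audit path= value."""
    if value.startswith('"'):            # quoted paths are stored as-is
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)       # unquoted hex: encoded by audit
    except ValueError:
        return value                     # not hex after all, leave untouched
    if raw[:1] == b'\0':                 # leading NUL: abstract unix socket
        return '@' + raw[1:].decode('utf-8', 'replace')
    return raw.decode('utf-8', 'replace')


def parse_avc(line):
    """Extract the fields needed to triage one AVC record."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    perms = m.group(2).split()
    src = fields['scontext'].split(':')[2]   # user:role:type:level
    tgt = fields['tcontext'].split(':')[2]
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return {
        'result': m.group(1),
        'perms': perms,
        'comm': fields.get('comm', '').strip('"'),
        'path': decode_audit_path(fields['path']) if 'path' in fields else None,
        'source_type': src,
        'target_type': tgt,
        'tclass': fields['tclass'],
        # Type-enforcement rule this denial corresponds to, for review only.
        'rule': f"allow {src} {tgt}:{fields['tclass']} {perm_text};",
    }


if __name__ == '__main__':
    for key, value in parse_avc(AVC).items():
        print(f'{key:12} {value}')
```

The decoded path, @/tmp/.X11-unix/X1, is the abstract-namespace X11 socket for display :1.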
