selinux denying dev-kit, and others
Daniel J Walsh
dwalsh at redhat.com
Tue Jun 16 14:07:27 UTC 2009
On 06/16/2009 09:40 AM, Antonio Olivares wrote:
>
>
> Summary:
>
> SELinux is preventing gnome-clock-app (gnomeclock_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by gnome-clock-app. It is not expected that this
> access is required by gnome-clock-app and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:gnomeclock_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source gnome-clock-app
> Source Path /usr/libexec/gnome-clock-applet-mechanism
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages gnome-panel-2.26.2-3.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 1
> First Seen Tue 16 Jun 2009 08:36:10 AM CDT
> Last Seen Tue 16 Jun 2009 08:36:10 AM CDT
> Local ID b01fae6b-cc0e-42cb-bea3-2c84383966e0
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 a0=9a9fe28 a1=9a9fce8 a2=9a9f008 a3=9aa22a8 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing devkit-disks-da (devicekit_disk_t) "getattr" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-disks-da. It is not expected that this
> access is required by devkit-disks-da and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source devkit-disks-da
> Source Path /usr/libexec/devkit-disks-daemon
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages DeviceKit-disks-004-3.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 1
> First Seen Tue 16 Jun 2009 08:35:52 AM CDT
> Last Seen Tue 16 Jun 2009 08:35:52 AM CDT
> Local ID 8b03ae67-6d8b-49ea-821b-c78a2b4e715e
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfd94d00 a2=5ddff4 a3=95f8510 items=0 ppid=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing devkit-disks-da (devicekit_disk_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-disks-da. It is not expected that this
> access is required by devkit-disks-da and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:devicekit_disk_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source devkit-disks-da
> Source Path /usr/libexec/devkit-disks-daemon
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages DeviceKit-disks-004-3.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 8
> First Seen Tue 16 Jun 2009 07:21:24 AM CDT
> Last Seen Tue 16 Jun 2009 08:35:51 AM CDT
> Local ID 0ecb0348-2ba7-401d-a917-9c0f74a7f61d
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159351.885:29): avc: denied { read } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159351.885:29): arch=40000003 syscall=11 success=yes exit=0 a0=87bbe50 a1=87be290 a2=87bb008 a3=87bbd90 items=0 ppid=2213 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing devkit-power-da (devicekit_power_t) "getattr" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-power-da. It is not expected that this
> access is required by devkit-power-da and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:devicekit_power_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source devkit-power-da
> Source Path /usr/libexec/devkit-power-daemon
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages DeviceKit-power-008-1.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 1
> First Seen Tue 16 Jun 2009 08:35:45 AM CDT
> Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
> Local ID 48abf8a4-c9fb-4129-abd3-35ed578349eb
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159345.55:27): avc: denied { getattr } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159345.55:27): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfeb5e40 a2=5ddff4 a3=90cc030 items=0 ppid=1 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
>
>
>
>
> Summary:
>
> SELinux is preventing devkit-daemon (devicekit_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-daemon. It is not expected that this
> access is required by devkit-daemon and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:devicekit_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source devkit-daemon
> Source Path /usr/libexec/devkit-daemon
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages DeviceKit-003-1
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 1
> First Seen Tue 16 Jun 2009 08:35:45 AM CDT
> Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
> Local ID a1417ce4-b120-4778-9802-f21888673601
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159345.63:28): avc: denied { read } for pid=2178 comm="devkit-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159345.63:28): arch=40000003 syscall=11 success=yes exit=0 a0=8fe4e10 a1=8fe4d98 a2=8fe4008 a3=8fe7358 items=0 ppid=2177 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-daemon" exe="/usr/libexec/devkit-daemon" subj=system_u:system_r:devicekit_t:s0-s0:c0.c1023 key=(null)
>
>
>
> Summary:
>
> SELinux is preventing devkit-power-da (devicekit_power_t) "read" inotifyfs_t.
>
> Detailed Description:
>
> SELinux denied access requested by devkit-power-da. It is not expected that this
> access is required by devkit-power-da and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:devicekit_power_t:SystemLow-SystemHigh
> Target Context system_u:object_r:inotifyfs_t:SystemLow
> Target Objects inotify [ dir ]
> Source devkit-power-da
> Source Path /usr/libexec/devkit-power-daemon
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages DeviceKit-power-008-1.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.15-1.fc12
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1 SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
> Alert Count 9
> First Seen Tue 16 Jun 2009 07:21:24 AM CDT
> Last Seen Tue 16 Jun 2009 08:35:44 AM CDT
> Local ID a3306212-15db-4b4b-a00a-d2c310e28d4f
> Line Numbers
>
> Raw Audit Messages
>
> node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
>
> node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a leak in dbus that we are trying to get cleaned up. I posted
a patch but they have not been updated yet.
We have found leaks in dbus and cron that were causing lots of domains
to request this access, so we want to clean up these tools and then see
what domains really need this access.
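The pattern Dan describes can be read straight off the raw audit records quoted above: each AVC is paired with a SYSCALL record, and a denial logged on execve (syscall 11 on i386) means the kernel revalidated a descriptor the new domain inherited from its parent, i.e. the spawning process leaked it without close-on-exec, whereas a denial on fstat64 (syscall 197) is the daemon touching the descriptor itself. The following is an added triage script, not code from this thread or from the selinux-policy project; its sample records are constructed from the quoted alerts with the SYSCALL lines trimmed, and the syscall table is the i386 one implied by arch=40000003.

```python
import re
from collections import defaultdict

# Constructed sample: two events copied from the alerts quoted above, with
# the SYSCALL records trimmed to the fields this triage uses.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 ppid=2249 pid=2250 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism"
type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 ppid=1 pid=2214 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon"
"""
# arch=40000003 is i386; these are the two syscall numbers seen in the thread.
I386_SYSCALLS = {11: "execve", 197: "fstat64"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_records(text):
    """Group audit lines by event id so each AVC meets its SYSCALL record."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields["type"] == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
        events[m.group(1)][fields["type"]] = fields
    return events

def classify(events):
    """Per inotifyfs_t denial, decide whether the descriptor was inherited.
    A denial logged on execve means the kernel revalidated an already-open fd
    at the domain transition, so the parent leaked it (no close-on-exec);
    any other syscall means the process itself operated on the descriptor."""
    findings = []
    for eid, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or avc.get("dev") != "inotifyfs":
            continue
        name = I386_SYSCALLS.get(int(sc["syscall"]), "syscall " + sc["syscall"])
        if name == "execve":
            verdict = "inherited across execve from ppid=%s (leaked fd)" % sc["ppid"]
        else:
            verdict = "used by the process itself via %s" % name
        findings.append({"event": eid, "comm": avc["comm"], "perms": avc["perms"],
                         "domain": avc["scontext"].split(":")[2], "verdict": verdict})
    return findings
```

On a live host the output of `ausearch -m AVC,SYSCALL` can be passed to parse_records unchanged; its `----` separators and `time->` lines carry no msg=audit(...) id and are skipped.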