Hi all!
I've been running F19 (alpha and now beta) on my Acer Aspire One D255E netbook for a few weeks now.
just today when I booted up I got this alert I've not gotten before. I know how to teach selinux not to alert for that, but I don't know if it's an action that SHOULD be allowed or not.
It also give another alert, apparently at boot, for complaining that /usr/sbin/lightdm tried to create file .dmrc.0GT8WW, presumably in my home directory, though it didn't explicitly say.
Wondering if these are bugs/features introduced in recent updates...
I'd appreciate advice on what to do here.
thanks!
Fred - - - - - - - - - - - - - - -
The alert says:
The source process: /usr/libexec/accounts/daemon Attempted this access: read on this directory: /var/log
Here's the "details" output:
SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that accounts-daemon should be allowed read access on the log directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:object_r:var_log_t:s0 Target Objects /var/log [ dir ] Source accounts-daemon Source Path /usr/libexec/accounts-daemon Port <Unknown> Host aspirebox Source RPM Packages accountsservice-0.6.34-1.fc19.x86_64 Target RPM Packages filesystem-3.2-10.fc19.x86_64 Policy RPM selinux-policy-3.12.1-48.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name aspirebox Platform Linux aspirebox 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64 Alert Count 3948 First Seen 2013-06-14 13:49:29 EDT Last Seen 2013-06-15 12:16:19 EDT Local ID eaab0b0b-7b1c-4823-90eb-5dd00ff0ca7a
Raw Audit Messages type=AVC msg=audit(1371312979.299:646): avc: denied { read } for pid=399 comm="accounts-daemon" name="log" dev="sda6" ino=2883620 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371312979.299:646): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7f09d8b4ad00 a2=1002fce a3=0 items=0 ppid=1 pid=399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
On 06/16/13 00:27, Fred Smith wrote:
Hi all!
I've been running F19 (alpha and now beta) on my Acer Aspire One D255E netbook for a few weeks now.
just today when I booted up I got this alert I've not gotten before. I know how to teach selinux not to alert for that, but I don't know if it's an action that SHOULD be allowed or not.
It also give another alert, apparently at boot, for complaining that /usr/sbin/lightdm tried to create file .dmrc.0GT8WW, presumably in my home directory, though it didn't explicitly say.
Wondering if these are bugs/features introduced in recent updates...
I'd appreciate advice on what to do here.
If you are going to run beta/test version of Fedora then you should join the test@lists.fedoraproject.org list.
https://bugzilla.redhat.com/show_bug.cgi?id=974200 updated selinux-policy https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
On Sun, Jun 16, 2013 at 12:43:44AM +0800, Ed Greshko wrote:
On 06/16/13 00:27, Fred Smith wrote:
Hi all!
I've been running F19 (alpha and now beta) on my Acer Aspire One D255E netbook for a few weeks now.
just today when I booted up I got this alert I've not gotten before. I know how to teach selinux not to alert for that, but I don't know if it's an action that SHOULD be allowed or not.
It also give another alert, apparently at boot, for complaining that /usr/sbin/lightdm tried to create file .dmrc.0GT8WW, presumably in my home directory, though it didn't explicitly say.
Wondering if these are bugs/features introduced in recent updates...
I'd appreciate advice on what to do here.
If you are going to run beta/test version of Fedora then you should join the test@lists.fedoraproject.org list.
https://bugzilla.redhat.com/show_bug.cgi?id=974200 updated selinux-policy https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Ed, thanks for the info!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/15/2013 12:27 PM, Fred Smith wrote:
Hi all!
I've been running F19 (alpha and now beta) on my Acer Aspire One D255E netbook for a few weeks now.
just today when I booted up I got this alert I've not gotten before. I know how to teach selinux not to alert for that, but I don't know if it's an action that SHOULD be allowed or not.
It also give another alert, apparently at boot, for complaining that /usr/sbin/lightdm tried to create file .dmrc.0GT8WW, presumably in my home directory, though it didn't explicitly say.
Wondering if these are bugs/features introduced in recent updates...
I'd appreciate advice on what to do here.
thanks!
Fred - - - - - - - - - - - - - - -
The alert says:
The source process: /usr/libexec/accounts/daemon Attempted this access: read on this directory: /var/log
Here's the "details" output:
SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.
***** Plugin catchall (100. confidence) suggests
If you believe that accounts-daemon should be allowed read access on the log directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:object_r:var_log_t:s0 Target Objects /var/log [ dir ] Source accounts-daemon Source Path /usr/libexec/accounts-daemon Port <Unknown> Host aspirebox Source RPM Packages accountsservice-0.6.34-1.fc19.x86_64 Target RPM Packages filesystem-3.2-10.fc19.x86_64 Policy RPM selinux-policy-3.12.1-48.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name aspirebox Platform Linux aspirebox 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64 Alert Count 3948 First Seen 2013-06-14 13:49:29 EDT Last Seen 2013-06-15 12:16:19 EDT Local ID eaab0b0b-7b1c-4823-90eb-5dd00ff0ca7a
Raw Audit Messages type=AVC msg=audit(1371312979.299:646): avc: denied { read } for pid=399 comm="accounts-daemon" name="log" dev="sda6" ino=2883620 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371312979.299:646): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7f09d8b4ad00 a2=1002fce a3=0 items=0 ppid=1 pid=399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
THis should be fixed in the latest policy packages. Fixed in selinux-policy-3.12.1-52.fc19.noarch
On Mon, Jun 17, 2013 at 11:48:45AM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 06/15/2013 12:27 PM, Fred Smith wrote:
Hi all!
I've been running F19 (alpha and now beta) on my Acer Aspire One D255E netbook for a few weeks now.
just today when I booted up I got this alert I've not gotten before. I know how to teach selinux not to alert for that, but I don't know if it's an action that SHOULD be allowed or not.
It also give another alert, apparently at boot, for complaining that /usr/sbin/lightdm tried to create file .dmrc.0GT8WW, presumably in my home directory, though it didn't explicitly say.
Wondering if these are bugs/features introduced in recent updates...
I'd appreciate advice on what to do here.
thanks!
Fred - - - - - - - - - - - - - - -
The alert says:
The source process: /usr/libexec/accounts/daemon Attempted this access: read on this directory: /var/log
Here's the "details" output:
SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.
***** Plugin catchall (100. confidence) suggests
If you believe that accounts-daemon should be allowed read access on the log directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Additional Information: Source Context system_u:system_r:accountsd_t:s0 Target Context system_u:object_r:var_log_t:s0 Target Objects /var/log [ dir ] Source accounts-daemon Source Path /usr/libexec/accounts-daemon Port <Unknown> Host aspirebox Source RPM Packages accountsservice-0.6.34-1.fc19.x86_64 Target RPM Packages filesystem-3.2-10.fc19.x86_64 Policy RPM selinux-policy-3.12.1-48.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name aspirebox Platform Linux aspirebox 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64 Alert Count 3948 First Seen 2013-06-14 13:49:29 EDT Last Seen 2013-06-15 12:16:19 EDT Local ID eaab0b0b-7b1c-4823-90eb-5dd00ff0ca7a
Raw Audit Messages type=AVC msg=audit(1371312979.299:646): avc: denied { read } for pid=399 comm="accounts-daemon" name="log" dev="sda6" ino=2883620 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1371312979.299:646): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7f09d8b4ad00 a2=1002fce a3=0 items=0 ppid=1 pid=399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)
Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
THis should be fixed in the latest policy packages. Fixed in selinux-policy-3.12.1-52.fc19.noarch
thanks, I'll give it a whirl when I get home this evening.
-
Daniel J Walsh -
Ed Greshko -
Fred Smith