Timezones and SELinux...

Marko Vojinovic vvmarko at gmail.com
Wed Mar 21 11:28:17 UTC 2012


Hi folks!

// This is a repost from the KDE mailing list, with the hope that more eyes 
will see it here... //

After the yum update, both before and after the restart of the system (there 
was a new kernel as well), my timezone setting is wrong (again) --- it is set 
to Lisbon (GMT), which was my previous setting, rather than Belgrade (GMT+1) 
which was my current setting (prior to update). AFAIK, this should not happen 
unless I ask for the timezone change.

Second, when I open systemsettings to change the timezone, after clicking 
"apply" and giving the root password, the timezone change fails, and SELinux 
gives an alert:

===== long quote =====
SELinux is preventing /usr/libexec/kde4/kcmdatetimehelper from using the 
dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file 
with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and 
generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that kcmdatetimehelper should have the dac_override capability 
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kcmdatetimehelp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Context                system_u:system_r:gnomeclock_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        kcmdatetimehelp
Source Path                   /usr/libexec/kde4/kcmdatetimehelper
Port                          <Unknown>
Host                          Yoda
Source RPM Packages           kde-workspace-4.8.1-6.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Yoda
Platform                      Linux Yoda 3.2.10-3.fc16.x86_64 #1 SMP Thu Mar 15
                              19:39:46 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 19 Mar 2012 08:00:25 AM WET
Last Seen                     Mon 19 Mar 2012 08:00:25 AM WET
Local ID                      6c829d68-d5d6-4696-b636-f6efa26b8b49

Raw Audit Messages
type=AVC msg=audit(1332144025.273:73): avc:  denied  { dac_override } for  pid=2173 comm="kcmdatetimehelp" capability=1  scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1332144025.273:73): arch=x86_64 syscall=access success=no exit=EACCES a0=1db33d8 a1=2 a2=200 a3=0 items=0 ppid=1 pid=2173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kcmdatetimehelp exe=/usr/libexec/kde4/kcmdatetimehelper subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)

Hash: kcmdatetimehelp,gnomeclock_t,gnomeclock_t,capability,dac_override

audit2allow

#============= gnomeclock_t ==============
allow gnomeclock_t self:capability dac_override;

audit2allow -R

#============= gnomeclock_t ==============
allow gnomeclock_t self:capability dac_override;

===== end of long quote =====

Somehow I feel that I am not supposed to tweak SELinux policy in order to 
change my timezone setting. In the past I would put SELinux into permissive 
mode, change the timezone, and then re-enforce SELinux. But the issue keeps 
reappearing, so I don't believe that this is the right solution.

Ideas?

Best, :-)
Marko
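
The check the alert describes (pair the AVC with its SYSCALL record and see whether a PATH record names the file), as an added example that is not part of the original post. The sample log is constructed from the two records quoted above, re-joined onto one line each; the function names are hypothetical.

```python
import re

# Constructed sample: the two records quoted in the alert, one line each.
SAMPLE_LOG = """\
type=AVC msg=audit(1332144025.273:73): avc:  denied  { dac_override } for  pid=2173 comm="kcmdatetimehelp" capability=1  scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1332144025.273:73): arch=x86_64 syscall=access success=no exit=EACCES a0=1db33d8 a1=2 a2=200 a3=0 items=0 ppid=1 pid=2173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kcmdatetimehelp exe=/usr/libexec/kde4/kcmdatetimehelper subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")


def group_events(text):
    """Group records by audit event id (timestamp, serial)."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = PERMS.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
            fields["denied"] = "denied" in body.split("{")[0]
        events.setdefault((ts, serial), {}).setdefault(rtype, []).append(fields)
    return events


def triage(text):
    """For each denied AVC, report syscall context and PATH coverage."""
    findings = []
    for (ts, serial), recs in group_events(text).items():
        syscall = (recs.get("SYSCALL") or [{}])[0]
        for avc in recs.get("AVC", []):
            if not avc["denied"]:
                continue
            findings.append({
                "event": f"{ts}:{serial}",
                "perms": avc["perms"],
                "tclass": avc.get("tclass"),
                "domain": (avc.get("scontext", "").split(":") + [""] * 3)[2],
                "syscall": syscall.get("syscall"),
                "exe": syscall.get("exe"),
                # No PATH record: the file behind the denial is still unknown.
                "has_path": bool(recs.get("PATH")),
            })
    return findings
```

For this event `has_path` is `False` (the SYSCALL record shows `items=0`), which is the case where the alert asks for full auditing before any policy change is considered.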



