-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/18/2012 11:05 AM, Daniel J Walsh wrote: > On 06/16/2012 05:14 AM, Stevo Slavić wrote: >> Hello Fedora community, > >> I've just upgraded Fedora 16 to 17 using PreUpgrade. After second restart >> I was welcomed by SELinux alert (see [1] for alert details). This bug, >> https://bugzilla.redhat.com/show_bug.cgi?id=704591 , seems related but >> it's labelled as fixed in older version of selinux-policy. Maybe >> regression issue? Should I reopen bug or report another one? Is it a bug >> at all - I'm not sure whether "GoogleTalkPlugin should be allowed getattr >> access on the gpmctl sock_file by default". > >> Kind regards, Stevo. > > > >> [1] SELinux alert details > >> SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from >> getattr access on the sock_file /dev/gpmctl. > >> ***** Plugin catchall (100. confidence) suggests >> *************************** > >> If you believe that GoogleTalkPlugin should be allowed getattr access on >> the gpmctl sock_file by default. Then you should report this as a bug. >> You can generate a local policy module to allow this access. Do allow >> this access for now by executing: # grep GoogleTalkPlugi >> /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp > >> Additional Information: Source Context >> unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c 0.c1023 Target >> Context system_u:object_r:gpmctl_t:s0 Target Objects >> /dev/gpmctl [ sock_file ] Source GoogleTalkPlugi >> Source Path /opt/google/talkplugin/GoogleTalkPlugin Port <Unknown> Host >> sslavic Source RPM Packages google-talkplugin-2.9.10.0-1.x86_64 Target >> RPM Packages Policy RPM selinux-policy-3.10.0-128.fc17.noarch Selinux >> Enabled True Policy Type targeted >> Enforcing Mode Enforcing Host Name sslavic Platform >> Linux sslavic 3.4.0-1.fc17.x86_64 #1 SMP Sun Jun 3 06:35:17 UTC 2012 >> x86_64 x86_64 Alert Count 4 First Seen >> Sat 16 Jun 2012 10:36:53 AM CEST Last Seen Sat 16 Jun >> 2012 10:36:54 AM CEST Local ID c1545ce3-f86b-4e20-b078-8db9db556a52 > >> Raw Audit Messages type=AVC msg=audit(1339835814.939:165): avc: denied >> { getattr } for pid=8507 comm="GoogleTalkPlugi" path="/dev/gpmctl" >> dev="devtmpfs" ino=15878 >> scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 >> tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file > > >> type=SYSCALL msg=audit(1339835814.939:165): arch=x86_64 syscall=stat >> success=no exit=EACCES a0=23fc998 a1=23fd580 a2=23fd580 a3=24 items=0 >> ppid=1 pid=8507 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 >> fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 >> comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin >> subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 >> key=(null) > >> Hash: GoogleTalkPlugi,mozilla_plugin_t,gpmctl_t,sock_file,getattr > >> audit2allowunable to open /sys/fs/selinux/policy: Permission denied > > >> audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied > > > > > > > > This should be dontaudited and can be safely ignored, Basically the plugin > is doing an ls -l /dev, and this is generating the AVC. GoolgeTalkPlugin > has no need to interact with gpmctl. > > > > > I just added a dontaudit line. Fixed in selinux-policy-3.10.0-132.fc17 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/fRrUACgkQrlYvE4MpobO30gCgpPGvf7UgSU20nnQxQCWicIl/ YJ4AniAT7BqtmVBOV9NQ2n/tZsUgURmn =YFvj -----END PGP SIGNATURE----- -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
