On 06/16/2009 09:40 AM, Antonio Olivares wrote:
Summary:
SELinux is preventing gnome-clock-app (gnomeclock_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by gnome-clock-app. It is not expected that this
access is required by gnome-clock-app and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:gnomeclock_t:SystemLow-
SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source gnome-clock-app
Source Path /usr/libexec/gnome-clock-applet-mechanism
Port<Unknown>
Host localhost.localdomain
Source RPM Packages gnome-panel-2.26.2-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:36:10 AM CDT
Last Seen Tue 16 Jun 2009 08:36:10 AM CDT
Local ID b01fae6b-cc0e-42cb-bea3-2c84383966e0
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159370.605:31): avc: denied { read } for pid=2250 comm="gnome-clock-app" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159370.605:31): arch=40000003 syscall=11 success=yes exit=0 a0=9a9fe28 a1=9a9fce8 a2=9a9f008 a3=9aa22a8 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gnome-clock-app" exe="/usr/libexec/gnome-clock-applet-mechanism" subj=system_u:system_r:gnomeclock_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-disks-da (devicekit_disk_t) "getattr" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-disks-da. It is not expected that this
access is required by devkit-disks-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:SystemLow-
SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-disks-da
Source Path /usr/libexec/devkit-disks-daemon
Port<Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:52 AM CDT
Last Seen Tue 16 Jun 2009 08:35:52 AM CDT
Local ID 8b03ae67-6d8b-49ea-821b-c78a2b4e715e
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159352.360:30): avc: denied { getattr } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159352.360:30): arch=40000003 syscall=197 success=yes exit=0 a0=7 a1=bfd94d00 a2=5ddff4 a3=95f8510 items=0 ppid=1 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-disks-da (devicekit_disk_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-disks-da. It is not expected that this
access is required by devkit-disks-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_disk_t:SystemLow-
SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-disks-da
Source Path /usr/libexec/devkit-disks-daemon
Port<Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-disks-004-3.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 8
First Seen Tue 16 Jun 2009 07:21:24 AM CDT
Last Seen Tue 16 Jun 2009 08:35:51 AM CDT
Local ID 0ecb0348-2ba7-401d-a917-9c0f74a7f61d
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159351.885:29): avc: denied { read } for pid=2214 comm="devkit-disks-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159351.885:29): arch=40000003 syscall=11 success=yes exit=0 a0=87bbe50 a1=87be290 a2=87bb008 a3=87bbd90 items=0 ppid=2213 pid=2214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-da" exe="/usr/libexec/devkit-disks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-power-da (devicekit_power_t) "getattr" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-power-da. It is not expected that this
access is required by devkit-power-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_power_t:SystemLow-
SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-power-da
Source Path /usr/libexec/devkit-power-daemon
Port<Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-power-008-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
Local ID 48abf8a4-c9fb-4129-abd3-35ed578349eb
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159345.55:27): avc: denied { getattr } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159345.55:27): arch=40000003 syscall=197 success=yes exit=0 a0=5 a1=bfeb5e40 a2=5ddff4 a3=90cc030 items=0 ppid=1 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-daemon (devicekit_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-daemon. It is not expected that this
access is required by devkit-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_t:SystemLow-SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-daemon
Source Path /usr/libexec/devkit-daemon
Port<Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-003-1
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 1
First Seen Tue 16 Jun 2009 08:35:45 AM CDT
Last Seen Tue 16 Jun 2009 08:35:45 AM CDT
Local ID a1417ce4-b120-4778-9802-f21888673601
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159345.63:28): avc: denied { read } for pid=2178 comm="devkit-daemon" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159345.63:28): arch=40000003 syscall=11 success=yes exit=0 a0=8fe4e10 a1=8fe4d98 a2=8fe4008 a3=8fe7358 items=0 ppid=2177 pid=2178 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-daemon" exe="/usr/libexec/devkit-daemon" subj=system_u:system_r:devicekit_t:s0-s0:c0.c1023 key=(null)
Summary:
SELinux is preventing devkit-power-da (devicekit_power_t) "read" inotifyfs_t.
Detailed Description:
SELinux denied access requested by devkit-power-da. It is not expected that this
access is required by devkit-power-da and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:devicekit_power_t:SystemLow-
SystemHigh
Target Context system_u:object_r:inotifyfs_t:SystemLow
Target Objects inotify [ dir ]
Source devkit-power-da
Source Path /usr/libexec/devkit-power-daemon
Port<Unknown>
Host localhost.localdomain
Source RPM Packages DeviceKit-power-008-1.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.15-1.fc12
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.30-6.fc12.i586 #1
SMP Fri Jun 12 11:36:06 EDT 2009 i686 i686
Alert Count 9
First Seen Tue 16 Jun 2009 07:21:24 AM CDT
Last Seen Tue 16 Jun 2009 08:35:44 AM CDT
Local ID a3306212-15db-4b4b-a00a-d2c310e28d4f
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1245159344.629:26): avc: denied { read } for pid=2174 comm="devkit-power-da" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1245159344.629:26): arch=40000003 syscall=11 success=yes exit=0 a0=9147e50 a1=914a290 a2=9147008 a3=9147d90 items=0 ppid=2173 pid=2174 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This is a leak in dbus that we are trying to get cleaned up. I posted
an patch but they have not been updated yet.
We have found leaks in dbus and cron that were causing lots of domains
to request this access, so we want to clean up these tools and then see
what domains really need this access.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
