Bug 1319459 - SELinux is preventing accounts-daemon from 'write' accesses on the directory /root.
Summary: SELinux is preventing accounts-daemon from 'write' accesses on the directory ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:aa8dff3211f69a6999a3bdb1152...
Duplicates: 1325803 1337748 1337955 1341543 1341911 1349374 1349595 1350052 1350956 1352655 1353017 1354042 1357163 1357373 1359895 1360942 1361260 1361370 1364548 1364589 1365084 1366192 1366407 1368794 1368802 1369200 1370330 1370448 1370559 1372478 1376553 1376652 1387228 1387930 1392211 1397445 1397855 1403544
Depends On:
Blocks:
Reported: 2016-03-20 10:13 UTC by Joachim Frieben
Modified: 2016-12-11 09:10 UTC (History)
61 users (show)

Fixed In Version: selinux-policy-3.13.1-191.16.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-22 00:23:42 UTC
Type: ---
Embargoed:


Description Joachim Frieben 2016-03-20 10:13:52 UTC
Description of problem:
SELinux is preventing accounts-daemon from 'write' accesses on the directory /root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-179.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc7.git0.2.fc24.x86_64 #1
                              SMP Tue Mar 8 02:20:08 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-03-20 11:09:19 CET
Last Seen                     2016-03-20 11:09:19 CET
Local ID                      ece385de-d2dd-4c0d-8747-6c6d8d5b1f52

Raw Audit Messages
type=AVC msg=audit(1458468559.774:106): avc:  denied  { write } for  pid=939 comm="accounts-daemon" name="root" dev="dm-0" ino=262146 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-179.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport

Comment 1 Richard J. Turner 2016-04-11 09:06:18 UTC
*** Bug 1325803 has been marked as a duplicate of this bug. ***

Comment 2 Giulio 'juliuxpigface' 2016-04-21 17:36:52 UTC
Description of problem:
I launched a live of Fedora 24 Mate 20160419, opened SELinux Troubleshooter and then found this alert.

Version-Release number of selected component:
selinux-policy-3.13.1-180.fc24.noarch

Additional info:
reporter:       libreport-2.7.0
hashmarkername: setroubleshoot
kernel:         4.5.1-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 3 DeanYao 2016-05-20 01:29:37 UTC
*** Bug 1337748 has been marked as a duplicate of this bug. ***

Comment 4 DeanYao 2016-05-20 01:39:16 UTC
Maybe creating a new user account is a right way to fix it.

Comment 5 GuL 2016-05-20 14:28:14 UTC
*** Bug 1337955 has been marked as a duplicate of this bug. ***

Comment 6 asidorov95 2016-06-01 09:30:38 UTC
*** Bug 1341543 has been marked as a duplicate of this bug. ***

Comment 7 Ryan Sipes 2016-06-02 02:37:13 UTC
*** Bug 1341911 has been marked as a duplicate of this bug. ***

Comment 8 Giulio 'juliuxpigface' 2016-06-03 21:18:54 UTC
This looks like the same bug as 1319459.
I'm closing this, since the other has been proposed as blocker for F24 Final.

Feel free to reopen this one if I'm wrong.

*** This bug has been marked as a duplicate of bug 1331926 ***

Comment 9 alsoijw 2016-06-23 10:50:25 UTC
*** Bug 1349374 has been marked as a duplicate of this bug. ***

Comment 10 ricardobr 2016-06-23 18:33:24 UTC
*** Bug 1349595 has been marked as a duplicate of this bug. ***

Comment 11 Giuseppe Pignataro 2016-06-24 23:13:33 UTC
*** Bug 1350052 has been marked as a duplicate of this bug. ***

Comment 12 Paulim_hed 2016-06-28 20:08:41 UTC
*** Bug 1350956 has been marked as a duplicate of this bug. ***

Comment 13 Joachim Frieben 2016-06-30 14:33:24 UTC
As of accountsservice-0.6.40-4.fc24, directory /root/.cache does get created upon reboot every time it has been removed, and this action does trigger an AVC as reported in /var/log/audit/audit.log but currently -not- by the SELinux Troubleshooter utility.
This behaviour contradicts the changelog of package accountsservice which states:

* Tue May 31 2016 Ray Strode <rstrode redhat com> - 0.6.40-4
- Don't create /root/.cache at startup
  Resolves: #1331926

Comment 14 Geoffrey Marr 2016-07-01 03:00:14 UTC
Description of problem:
1. Install F24 Cinnamon Spin as a virtual machine in Parallels Version 11.2.0 (32581) on OSX 10.11.5
2. Boot said install
3. SELinux denial appears

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.5.5-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 15 thorenator2 2016-07-04 15:15:59 UTC
*** Bug 1352655 has been marked as a duplicate of this bug. ***

Comment 16 Larry Kraemer 2016-07-05 19:06:50 UTC
*** Bug 1353017 has been marked as a duplicate of this bug. ***

Comment 17 Hemi Antebi 2016-07-08 19:17:44 UTC
*** Bug 1354042 has been marked as a duplicate of this bug. ***

Comment 18 Water Force 2016-07-15 23:38:10 UTC
*** Bug 1357163 has been marked as a duplicate of this bug. ***

Comment 19 lc5180 2016-07-18 05:49:33 UTC
*** Bug 1357373 has been marked as a duplicate of this bug. ***

Comment 20 Wilf 2016-07-20 07:31:04 UTC
Description of problem:
I'm not sure what caused the problem, but it seems it occurred 20 seconds into the first boot of the system.

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 21 daniele.marsella95 2016-07-20 15:11:58 UTC
Description of problem:
I ran an update with dnf and, on reboot, this error reported by SELinux appeared.

Version-Release number of selected component:
selinux-policy-3.13.1-190.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 22 New 2016-07-25 16:24:52 UTC
*** Bug 1359895 has been marked as a duplicate of this bug. ***

Comment 23 Sergey 2016-07-27 23:46:51 UTC
*** Bug 1360942 has been marked as a duplicate of this bug. ***

Comment 24 Michał 2016-07-28 15:44:48 UTC
*** Bug 1361260 has been marked as a duplicate of this bug. ***

Comment 25 Lewie 2016-07-29 00:29:30 UTC
*** Bug 1361370 has been marked as a duplicate of this bug. ***

Comment 26 Giuseppe Bonomelli 2016-08-05 16:50:17 UTC
*** Bug 1364548 has been marked as a duplicate of this bug. ***

Comment 27 Dmitrtiy 2016-08-05 20:36:24 UTC
*** Bug 1364589 has been marked as a duplicate of this bug. ***

Comment 28 fred 2016-08-08 12:21:19 UTC
*** Bug 1365084 has been marked as a duplicate of this bug. ***

Comment 29 Chris Murphy 2016-08-10 17:31:09 UTC
Still a problem in Fedora 25 and appears when booting/autologin from Fedora-Workstation-Live-x86_64-25-20160810.n.0.iso in qemu-kvm VM.

Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-207.fc25.noarch
Platform                      Linux localhost 4.8.0-0.rc1.git0.1.fc25.x86_64 #1

time->Wed Aug 10 17:21:03 2016
type=AVC msg=audit(1470864063.941:101): avc:  denied  { write } for  pid=972 comm="accounts-daemon" name="root" dev="dm-0" ino=262659 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0

Comment 30 walter.cisco 2016-08-11 09:32:04 UTC
*** Bug 1366192 has been marked as a duplicate of this bug. ***

Comment 31 Bhushan 2016-08-11 22:24:48 UTC
*** Bug 1366407 has been marked as a duplicate of this bug. ***

Comment 32 Amiri Houssem 2016-08-21 12:59:11 UTC
*** Bug 1368794 has been marked as a duplicate of this bug. ***

Comment 33 Ajay Taware 2016-08-21 13:27:26 UTC
*** Bug 1368802 has been marked as a duplicate of this bug. ***

Comment 34 santiago 2016-08-22 16:14:02 UTC
*** Bug 1369200 has been marked as a duplicate of this bug. ***

Comment 35 Lukas Vrabec 2016-08-24 13:27:14 UTC
AVC will be dontaudited

Comment 36 Cambria Thompson 2016-08-26 01:28:48 UTC
*** Bug 1370330 has been marked as a duplicate of this bug. ***

Comment 37 Ilya Danilov 2016-08-26 10:54:29 UTC
*** Bug 1370448 has been marked as a duplicate of this bug. ***

Comment 38 rockdeworld 2016-08-26 15:14:58 UTC
*** Bug 1370559 has been marked as a duplicate of this bug. ***

Comment 39 Dustin Moen 2016-09-01 21:18:54 UTC
*** Bug 1372478 has been marked as a duplicate of this bug. ***

Comment 40 Chris Murphy 2016-09-10 00:38:40 UTC
This is still a problem with the most recent Fedora 25 workstation nightly, 20160909.n.0, which has selinux-policy-3.13.1-208.fc25.noarch.

SELinux is preventing accounts-daemon from write access on the directory root.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that accounts-daemon should be allowed write access on the root directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
# semodule -X 300 -i my-accountsdaemon.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                root [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-208.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.8.0-0.rc4.git0.1.fc25.x86_64 #1 SMP Mon Aug 29
                              19:28:01 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-10 00:30:30 EDT
Last Seen                     2016-09-10 00:30:30 EDT
Local ID                      f3507fe1-16bb-4700-bb8d-453926171505

Raw Audit Messages
type=AVC msg=audit(1473481830.438:113): avc:  denied  { write } for  pid=1152 comm="accounts-daemon" name="root" dev="dm-0" ino=12 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0


Hash: accounts-daemon,accountsd_t,admin_home_t,dir,write
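
Added example, not part of the bug report or of any comment above: the three AVC records quoted in this report differ in timestamp, pid and inode, yet all reduce to the tuple shown on the `Hash:` lines, which is why the reports are duplicates. This Python sketch parses them, groups them by those fields, and derives a `dontaudit` rule from the same fields; the function names are hypothetical and the rule is illustrative, not quoted from the selinux-policy update.

```python
import re

# AVC records copied verbatim from this report (description, comments 29 and 40).
AVC_LINES = [
    'type=AVC msg=audit(1458468559.774:106): avc:  denied  { write } for  pid=939 comm="accounts-daemon" name="root" dev="dm-0" ino=262146 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1470864063.941:101): avc:  denied  { write } for  pid=972 comm="accounts-daemon" name="root" dev="dm-0" ino=262659 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1473481830.438:113): avc:  denied  { write } for  pid=1152 comm="accounts-daemon" name="root" dev="dm-0" ino=12 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": tuple(sorted(m.group("perms").split()))}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    return rec

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def signature(rec):
    """Fields in the order of the report's Hash line: comm, source type, target type, class, perms."""
    return (rec["comm"], selinux_type(rec["scontext"]),
            selinux_type(rec["tcontext"]), rec["tclass"], rec["perms"])

def group_by_signature(lines):
    """Map each signature to the denials that share it; pid, inode and time are ignored."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups.setdefault(signature(rec), []).append(rec)
    return groups

def dontaudit_rule(sig):
    # Illustrative rule built from the denial's fields. dontaudit only silences
    # the log entry: the write is still denied, and no access is granted.
    _, src, tgt, tclass, perms = sig
    perm_expr = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"dontaudit {src} {tgt}:{tclass} {perm_expr};"

if __name__ == "__main__":
    for sig, recs in group_by_signature(AVC_LINES).items():
        print(",".join(sig[:4] + sig[4]), len(recs), dontaudit_rule(sig))
```

Because a `dontaudit` rule hides the denial without allowing it, `semodule -DB` (rebuild policy with dontaudit rules disabled) is the usual way to make such denials visible again while debugging.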

Comment 41 Varun Singh 2016-09-15 17:06:07 UTC
*** Bug 1376553 has been marked as a duplicate of this bug. ***

Comment 42 Fedora Update System 2016-09-16 00:52:51 UTC
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

Comment 43 Lorne Grimmer 2016-09-16 05:03:07 UTC
*** Bug 1376652 has been marked as a duplicate of this bug. ***

Comment 44 Fedora Update System 2016-09-22 00:23:42 UTC
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 45 rane parkkari 2016-10-20 11:44:34 UTC
*** Bug 1387228 has been marked as a duplicate of this bug. ***

Comment 46 Alessandro 2016-10-23 21:53:23 UTC
*** Bug 1387930 has been marked as a duplicate of this bug. ***

Comment 47 Suitablename 2016-11-06 10:34:50 UTC
*** Bug 1392211 has been marked as a duplicate of this bug. ***

Comment 48 Arjun16 2016-11-22 14:31:34 UTC
*** Bug 1397445 has been marked as a duplicate of this bug. ***

Comment 49 jaber kaoukab 2016-11-23 13:18:01 UTC
*** Bug 1397855 has been marked as a duplicate of this bug. ***

Comment 50 heliogabalo 2016-12-11 09:10:30 UTC
*** Bug 1403544 has been marked as a duplicate of this bug. ***

