Bug 483173 - SELinux prevents nm-system-setti (system_dbusd_t) "getsched"
Summary: SELinux prevents nm-system-setti (system_dbusd_t) "getsched"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-01-29 23:43 UTC by dennis.burian
Modified: 2012-10-15 13:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-02 07:59:31 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1242 0 normal SHIPPED_LIVE selinux-policy bug fix update 2009-09-01 08:32:34 UTC

Description dennis.burian 2009-01-29 23:43:07 UTC 
Description of problem:  Below is the output from a setroubleshoot browser window.  This bug appeared after a system update I did today.
DB
-------------------------------------------------------------------------------





SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown>
(system_dbusd_t).

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this
access is required by nm-system-setti and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:system_r:system_dbusd_t
Target Objects                None [ process ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.7.0-3.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 29 Jan 2009 10:29:54 AM CST
Last Seen                     Thu 29 Jan 2009 10:29:54 AM CST
Local ID                      8a9d7731-b706-4142-8a80-d9a076cc1cff
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1233246594.870:17): avc:  denied  { getsched } for  pid=4740 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1233246594.870:17): arch=c000003e syscall=145 success=no exit=-13 a0=1284 a1=2af4ef28e1d0 a2=d a3=0 items=0 ppid=1 pid=4740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-01-30 13:42:29 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-2.4.6-206.el5
Comment 8 errata-xmlrpc 2009-09-02 07:59:31 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
Note You need to log in before you can comment on or make changes to this bug.