Bug 1236431
| Summary: | SELinux is preventing /usr/sbin/lldpad from 'associate' accesses on the shared memory Unknown. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Buhrt <buhrt> |
| Component: | lldpad | Assignee: | Chris Leech <cleech> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | cleech, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:2ff3e2426ffa74410ce6dadd4576c3651fca6c971e3e7a9172e8627f1e0040c3 | ||
| Fixed In Version: | lldpad-1.0.1-2.git986eb2e.fc23 lldpad-1.0.1-2.git986eb2e.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-12 23:27:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
lldpad's selinux policy issue also seems to affect RHEL 6.6 per https://bugzilla.redhat.com/show_bug.cgi?id=1085477 selinux policy changes are already in place, I'll push an updated lldpad that includes the shm changes lldpad-1.0.1-2.git986eb2e.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-fce70b3c70 lldpad-1.0.1-2.git986eb2e.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8da7317e5a lldpad-1.0.1-2.git986eb2e.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lldpad' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-fce70b3c70 lldpad-1.0.1-2.git986eb2e.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lldpad' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8da7317e5a lldpad-1.0.1-2.git986eb2e.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. lldpad-1.0.1-2.git986eb2e.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Fedora 22 (after FedUp'ing from 21 this afternoon) has been logging continuosly since the update: fcoemon[1239]: error 111 Connection refused fcoemon[1239]: Failed to connect to lldpad You can't remove it... so I assume it just needs to be allowed to run. rpm --erase fcoe-utils lldpad error: Failed dependencies: fcoe-utils >= 1.0.12-3.20100323git is needed by (installed) anaconda-core-22.20.13-1.fc22.i686 SELinux is preventing /usr/sbin/lldpad from 'associate' accesses on the shared memory Unknown. ***** Plugin associate (99.5 confidence) suggests ************************* If you want to change the label of Unknown to lldpad_t, you are not allowed to since it is not a valid file type. Then you must pick a valid file label. Do select a valid file type. List valid file labels by executing: # seinfo -afile_type -x ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that lldpad should be allowed associate access on the Unknown shm by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lldpad /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:lldpad_t:s0 Target Context system_u:system_r:kernel_t:s0 Target Objects Unknown [ shm ] Source lldpad Source Path /usr/sbin/lldpad Port <Unknown> Host (removed) Source RPM Packages lldpad-0.9.46-8.git48a5f38.fc22.i686 Target RPM Packages Policy RPM selinux-policy-3.13.1-128.2.fc22.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.0.6-300.fc22.i686+PAE #1 SMP Tue Jun 23 14:22:22 UTC 2015 i686 i686 Alert Count 2 First Seen 2015-06-28 14:35:28 EDT Last Seen 2015-06-28 18:59:57 EDT Local ID 4731d2d0-79f3-4ed7-9203-8f003ee6ebb2 Raw Audit Messages type=AVC msg=audit(1435532397.782:763): avc: denied { associate } for pid=7728 comm="lldpad" key=1819043126 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=shm permissive=0 type=SYSCALL msg=audit(1435532397.782:763): arch=i386 syscall=ipc success=no exit=EACCES a0=17 a1=6c6c6536 a2=1000 a3=0 items=0 ppid=1 pid=7728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) Hash: lldpad,lldpad_t,kernel_t,shm,associate Version-Release number of selected component: selinux-policy-3.13.1-128.2.fc22.noarch Additional info: reporter: libreport-2.6.0 hashmarkername: setroubleshoot kernel: 4.0.6-300.fc22.i686+PAE type: libreport