Bug 178702
| Summary: | daemon fails to start | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gary Anderson <lgalosha> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | bojan, botond.kardos, jvdias |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 2.2.4-1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-03-21 01:40:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Gary Anderson
2006-01-23 16:48:47 UTC
Audit log from my box (SELinux policy targeted enforcing):

---------------------------------
type=AVC msg=audit(1138042749.943:5): avc: denied { connectto } for pid=1768 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1138042749.943:5): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc63340 a2=3ed5d4 a3=1f items=1 pid=1768 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC_PATH msg=audit(1138042749.943:5): path="/var/run/dbus/system_bus_socket"
---------------------------------

And /var/log/messages shows:

---------------------------------
Jan 24 05:59:09 coyote avahi-daemon[1768]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Jan 24 05:59:09 coyote avahi-daemon[1768]: Successfully dropped root privileges.
Jan 24 05:59:09 coyote avahi-daemon[1768]: avahi-daemon 0.6.4 starting up.
Jan 24 05:59:09 coyote avahi-daemon[1768]: dbus_bus_get(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
---------------------------------

The socket is:

---------------------------------
[root@coyote ~]# ls -lZ /var/run/dbus/system_bus_socket
srwxrwxrwx  root root system_u:object_r:system_dbusd_var_run_t /var/run/dbus/system_bus_socket
---------------------------------

BTW, I cannot do this, but this should be filed against devel, not fc5test2.

Gary, do you have SELinux enabled on your box? On my box, it happily starts if I do setenforce 0...

Ah, forgot one more - my system is an i686, so the arch can be set to all.
Yes, this is because dbus-0.6 changed the location of dbus-daemon from /usr/bin/dbus-daemon, where it gets the correct selinux context:

$ ls -Z /usr/bin/dbus-daemon
-rwxr-xr-x  root root system_u:object_r:system_dbusd_exec_t /usr/bin/dbus-daemon

to /bin/dbus-daemon, where it does not:

$ ls -lZ /bin/dbus-daemon
-rwxr-xr-x  root root system_u:object_r:bin_t /bin/dbus-daemon

Just temporarily moving /bin/dbus-daemon to /usr/bin should rectify the problem until selinux-policy-targeted is updated to take account of the new location.

With selinux-policy-{,targeted}-2.2.4-1, avahi-daemon, hald, and named are still unable to connect to the system D-BUS - I get these AVCs after each boot-up of kernel-2.6.15-1.1871_FC5:

allow avahi_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t tmp_t:lnk_file read;
allow cupsd_t print_spool_t:lnk_file read;
allow hald_t initrc_t:unix_stream_socket connectto;
allow hald_t src_t:dir getattr;
allow hald_t system_dbusd_var_run_t:dir getattr;
allow named_t initrc_t:unix_stream_socket connectto;
allow readahead_t ramfs_t:file read;

This is because /bin/dbus-daemon, from dbus-0.6-7, still has the wrong context:

-rwxr-xr-x  root root system_u:object_r:bin_t /bin/dbus-daemon

Either moving /bin/dbus-daemon to /usr/bin, or doing:

# chcon system_u:object_r:system_dbusd_exec_t /bin/dbus-daemon

allows avahi-daemon, haldaemon and named to start up and connect to D-BUS.

Update ... this only happens with selinux set to enforcing (my oops...). With selinux set to permissive avahi (as well as hal) connect just fine.

Workarounds presented here also fix: http://www.redhat.com/archives/fedora-devel-list/2006-January/msg01203.html

Fixed in selinux-policy-2.2.4-1

*** Bug 180160 has been marked as a duplicate of this bug. ***
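Added example, not part of the bug report: a small Python parser for AVC records like the one in the description. It renders each denial in the audit2allow form the later comments use and flags the pattern this bug shows, a connectto denial whose target is initrc_t, which means dbus-daemon stayed in the init script's domain because its executable was labelled bin_t instead of system_dbusd_exec_t, so the fix is relabelling, not the allow rule. The audit lines are constructed from this report plus one unrelated denial.

```python
import re

# Constructed sample: the avahi connectto denial from this bug (re-joined onto
# one line), its SYSCALL record, and an unrelated hald directory denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1138042749.943:5): avc: denied { connectto } for pid=1768 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1138042749.943:5): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1138042800.100:9): avc: denied { read } for pid=2001 comm="hald" name="dir" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Return one dict per AVC denial: source type, target type, class, permissions."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, AVC_PATH and other record types carry no denial
        # A context is user:role:type[:level]; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        found.append({"stype": stype, "ttype": ttype,
                      "tclass": m.group("tclass"),
                      "perms": m.group("perms").split()})
    return found

def allow_rule(avc):
    """Render a denial the way audit2allow would, as in the comments above."""
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {' '.join(avc['perms'])};"

def looks_like_mislabelled_daemon(avc):
    """True for a socket connectto denied against initrc_t: the listening daemon
    never left the init domain, so its executable's file context is suspect."""
    return (avc["tclass"] == "unix_stream_socket"
            and "connectto" in avc["perms"]
            and avc["ttype"] == "initrc_t")

if __name__ == "__main__":
    for avc in parse_avcs(SAMPLE_AUDIT):
        flag = "  <- check exec label, do not allow" if looks_like_mislabelled_daemon(avc) else ""
        print(allow_rule(avc) + flag)
```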