Bug 178702

Summary: daemon fails to start
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Gary Anderson <lgalosha>
Assignee: Daniel Walsh <dwalsh>
CC: bojan, botond.kardos, jvdias
Fixed In Version: 2.2.4-1
Doc Type: Bug Fix
Last Closed: 2006-03-21 01:40:54 UTC

Description Gary Anderson 2006-01-23 16:48:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
output from /var/log/messages

rawhide avahi-daemon: Found user 'avahi' (UID 70) and group avahi (GID 70).
rawhide avahi-daemon: Successfully dropped root priviledges.
rawhide avahi-daemon: avahi-daemon 0.6.4 starting up.
rawhide avahi-daemon: dbus_bus_get(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied.

Version-Release number of selected component (if applicable):
avahi-0.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. install FC5T2 (everything)
2. yum update

Actual Results:  avahi-daemon fails to start

Expected Results:  daemon should start

Additional info:

Comment 1 Bojan Smojver 2006-01-23 19:05:29 UTC
Audit log from my box (SELinux policy targeted enforcing):

---------------------------------
type=AVC msg=audit(1138042749.943:5): avc:  denied  { connectto } for  pid=1768 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1138042749.943:5): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc63340 a2=3ed5d4 a3=1f items=1 pid=1768 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC_PATH msg=audit(1138042749.943:5):  path="/var/run/dbus/system_bus_socket"
---------------------------------

And /var/log/messages shows:

---------------------------------
Jan 24 05:59:09 coyote avahi-daemon[1768]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Jan 24 05:59:09 coyote avahi-daemon[1768]: Successfully dropped root privileges.
Jan 24 05:59:09 coyote avahi-daemon[1768]: avahi-daemon 0.6.4 starting up.
Jan 24 05:59:09 coyote avahi-daemon[1768]: dbus_bus_get(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
---------------------------------

The socket is:

---------------------------------
[root@coyote ~]# ls -lZ /var/run/dbus/system_bus_socket 
srwxrwxrwx  root     root     system_u:object_r:system_dbusd_var_run_t
/var/run/dbus/system_bus_socket
---------------------------------

BTW, I cannot do this, but this should be filed against devel, not fc5test2.

Comment 2 Bojan Smojver 2006-01-23 19:18:30 UTC
Gary, do you have SELinux enabled on your box? On my box, it happily starts if I
do setenforce 0...

Comment 3 Bojan Smojver 2006-01-23 19:19:19 UTC
Ah, forgot one more - my system is an i686, so the arch can be set to all.

Comment 4 Jason Vas Dias 2006-01-23 20:09:54 UTC
Yes, this is because dbus-0.6 changed the location of dbus-daemon from 
/usr/bin/dbus-daemon, where it gets the correct selinux context: 
  $ ls -Z /usr/bin/dbus-daemon
-rwxr-xr-x  root     root     system_u:object_r:system_dbusd_exec_t
/usr/bin/dbus-daemon
to /bin/dbus-daemon, where it does not:
  $ ls -lZ /bin/dbus-daemon
-rwxr-xr-x  root     root     system_u:object_r:bin_t          /bin/dbus-daemon

Just temporarily moving /bin/dbus-daemon to /usr/bin should rectify the problem
until selinux-policy-targeted is updated to take account of the new location.


Comment 5 Jason Vas Dias 2006-01-24 16:53:09 UTC
With selinux-policy-{,targeted}-2.2.4-1, avahi-daemon, hald, and named are still
unable to connect to the system D-BUS - I get these AVCs after each boot-up
of kernel-2.6.15-1.1871_FC5:

allow avahi_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t tmp_t:lnk_file read;
allow cupsd_t print_spool_t:lnk_file read;
allow hald_t initrc_t:unix_stream_socket connectto;
allow hald_t src_t:dir getattr;
allow hald_t system_dbusd_var_run_t:dir getattr;
allow named_t initrc_t:unix_stream_socket connectto;
allow readahead_t ramfs_t:file read;

This is because /bin/dbus-daemon, from dbus-0.6-7, still has the wrong context:
  -rwxr-xr-x  root  root    system_u:object_r:bin_t    /bin/dbus-daemon

Either moving /bin/dbus-daemon to /usr/bin, or doing:
  # chcon system_u:object_r:system_dbusd_exec_t /bin/dbus-daemon
allows avahi-daemon, haldaemon and named to start up and connect to D-BUS.
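
As an added example, not part of this bug or its comments: a small Python parser that turns AVC records like the ones in Comment 1 into the `allow` lines Comment 5 lists, and flags the pattern diagnosed in Comments 4 and 5 (a socket still owned by initrc_t because the daemon's executable lost its _exec_t label, so the fix is a relabel rather than a new rule). The first record is copied from Comment 1; the second (hald_t on src_t) is constructed for illustration.

```python
import re

# First record: the AVC denial from Comment 1 of this bug, joined onto one line.
# Second record: constructed here to exercise the other branch of diagnose().
AUDIT_LOG = """\
type=AVC msg=audit(1138042749.943:5): avc:  denied  { connectto } for  pid=1768 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC_PATH msg=audit(1138042749.943:5):  path="/var/run/dbus/system_bus_socket"
type=AVC msg=audit(1138042750.100:6): avc:  denied  { getattr } for  pid=1802 comm="hald" name="src" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:src_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Pull the type field out of user:role:type[:range]."""
    return context.split(':')[2]


def parse_denials(log):
    """Return one dict per AVC record; SYSCALL/AVC_PATH records are skipped."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                'perms': m.group('perms').split(),
                'stype': selinux_type(m.group('scontext')),
                'ttype': selinux_type(m.group('tcontext')),
                'tclass': m.group('tclass'),
            })
    return denials


def allow_rule(d):
    """Render a denial in the allow-rule form audit2allow would propose."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['stype'], d['ttype'], d['tclass'], perms)


def diagnose(d):
    """Distinguish a mislabelled daemon from a real policy gap."""
    # A listening socket whose context is initrc_t means the server never left
    # the init-script domain: on this bug, /bin/dbus-daemon carried bin_t instead
    # of system_dbusd_exec_t, so no domain transition to system_dbusd_t happened.
    # Relabelling the executable fixes that; allowing the rule would only mask it.
    if d['tclass'] == 'unix_stream_socket' and d['ttype'] == 'initrc_t':
        return 'mislabelled daemon: relabel its executable, do not add the rule'
    return 'policy gap: review the access before allowing it'
```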

Comment 6 Gary Anderson 2006-01-24 18:20:04 UTC
Update ... this only happens with selinux set to enforcing (my oops...). With
selinux set to permissive avahi (as well as hal) connect just fine.


Comment 7 Bojan Smojver 2006-01-24 23:12:41 UTC
Workarounds presented here also fix:

http://www.redhat.com/archives/fedora-devel-list/2006-January/msg01203.html

Comment 8 Daniel Walsh 2006-01-25 16:32:55 UTC
Fixed in selinux-policy-2.2.4-1

Comment 9 Jason Vas Dias 2006-02-06 15:14:39 UTC
*** Bug 180160 has been marked as a duplicate of this bug. ***