Bug 1874491
Summary: | SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Milos Malik <mmalik> |
Component: | fapolicyd | Assignee: | Radovan Sroka <rsroka> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 33 | CC: | rsroka, sgrubb |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | fapolicyd-1.0.1-1.fc34 fapolicyd-1.0.1-1.eln105 fapolicyd-1.0.1-1.fc32 fapolicyd-1.0.1-1.fc33 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-17 08:51:49 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Milos Malik
2020-09-01 13:39:29 UTC
Following SELinux denials appeared in permissive mode: ---- type=PROCTITLE msg=audit(09/01/2020 15:40:12.676:2532) : proctitle=/usr/sbin/fapolicyd type=PATH msg=audit(09/01/2020 15:40:12.676:2532) : item=0 name=/run/dbus/system_bus_socket inode=24817 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(09/01/2020 15:40:12.676:2532) : cwd=/ type=SOCKADDR msg=audit(09/01/2020 15:40:12.676:2532) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } type=SYSCALL msg=audit(09/01/2020 15:40:12.676:2532) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x5621e70666f0 a2=0x1e a3=0x7ffc37010fe4 items=1 ppid=1 pid=21273 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd exe=/usr/sbin/fapolicyd subj=system_u:system_r:fapolicyd_t:s0 key=(null) type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc: denied { connectto } for pid=21273 comm=fapolicyd path=/run/dbus/system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc: denied { write } for pid=21273 comm=fapolicyd name=system_bus_socket dev="tmpfs" ino=24817 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 ---- type=USER_AVC msg=audit(09/01/2020 15:40:12.677:2533) : pid=611 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' ---- Test coverage for this bug exists in a form of PR: * https://src.fedoraproject.org/tests/selinux/pull-request/117 The PR waits for review. FEDORA-2020-580dc8d3ba has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-e2dc088972 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972 FEDORA-2020-165e765d4e has been pushed to the Fedora ELN stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-daefd8b8f6 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6 FEDORA-2020-6323ce5fcf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e2dc088972` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-daefd8b8f6` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-6323ce5fcf has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6323ce5fcf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report. |