Bug 367821

Summary: selinux-policy breaks "ping host.local" by disallowing connections to avahi
Product: [Fedora] Fedora
Reporter: Jim Radford <radford>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low    
Version: 8   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2007-11-19 17:40:15 UTC

Description Jim Radford 2007-11-06 02:29:14 UTC
selinux-policy-3.0.8-44.fc8

# strace -e connect ping myhostname.local
connect(4, {sa_family=AF_FILE, path="/var/run/avahi-daemon/socket"}, 110) = -1
EACCES (Permission denied)

type=AVC msg=audit(1194315948.216:41): avc:  denied  { search } for  pid=3919
comm="ping" name="avahi-daemon" dev=sda4 ino=27034150
scontext=system_u:system_r:ping_t:s0
tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1194315948.216:41): arch=c000003e syscall=42 success=no
exit=-13 a0=4 a1=7fff42e72980 a2=6e a3=0 items=0 ppid=3917 pid=3919 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="ping"
exe="/bin/ping" subj=system_u:system_r:ping_t:s0 key=(null)

#============= ping_t ==============
allow ping_t avahi_var_run_t:dir search;
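
Added example, not part of the original report and not code from selinux-policy or audit2allow: a small parser that goes from the AVC record quoted in the description to the allow rule shown beneath it, which is the same derivation a tool such as audit2allow performs. The function names are hypothetical; the sample record is the one in the description with its wrapped lines joined.

```python
import re
from collections import defaultdict

# AVC record copied from the bug description, wrapped lines joined into one.
SAMPLE_AVC = (
    'type=AVC msg=audit(1194315948.216:41): avc:  denied  { search } for  pid=3919 '
    'comm="ping" name="avahi-daemon" dev=sda4 ino=27034150 '
    'scontext=system_u:system_r:ping_t:s0 '
    'tcontext=system_u:object_r:avahi_var_run_t:s0 tclass=dir'
)

# Only denials are matched; the fields needed for a rule are the permission
# set, the source and target contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {context!r}')
    return parts[2]

def parse_denials(lines):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:  # SYSCALL records and other audit lines carry no rule data
            continue
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def allow_rules(denials):
    """Render one allow rule per key, merging permissions for the same key."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(parse_denials([SAMPLE_AVC]))))
```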

Comment 1 Daniel Walsh 2007-11-10 13:08:33 UTC
Fixed in selinux-policy-3.0.8-51.fc8



Comment 2 Jim Radford 2007-11-19 17:40:15 UTC
Verified.  Thanks.