Bug 428704

Summary: selinux preventing apache mod_dnssd operation
Product: [Fedora] Fedora
Reporter: Mace Moneta <moneta.mace>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 22:17:27 UTC

Description Mace Moneta 2008-01-14 18:47:19 UTC
Description of problem:

I installed package mod_dnssd for apache.  Enabled the httpd_dbus_avahi boolean:

$ getsebool -a | grep -i dbus
allow_httpd_dbus_avahi --> on

Restarted the server (service httpd restart).

The log shows:

[error] avahi_client_new() failed: Access denied

audit2allow reports:

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;

However, attempting to add the local policy statement reports:

local.te:56:ERROR 'unknown class dbus used in rule' at token ';' on line 3240:
#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;

(types httpd_t and system_dbusd_t have been added to the require).

If selinux is set permissive, apache starts correctly and advertises itself via
avahi (using avahi-discover to verify).


Version-Release number of selected component (if applicable):

avahi-0.6.21-8.fc8
avahi-compat-libdns_sd-0.6.21-8.fc8
avahi-glib-0.6.21-8.fc8
avahi-qt3-0.6.21-8.fc8
avahi-tools-0.6.21-8.fc8
kdnssd-avahi-0.1.3-0.2.20060713svn.fc8
libselinux-2.0.43-1.fc8
libselinux-devel-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
mod_dnssd-0.5-5.fc8
selinux-policy-3.0.8-73.fc8
selinux-policy-devel-3.0.8-73.fc8
selinux-policy-targeted-3.0.8-73.fc8


How reproducible:

Every time.

Steps to Reproduce:
1. yum install mod_dnssd
2. setsebool -P allow_httpd_dbus_avahi on
3. service httpd restart
  
Actual results:

Failure to advertise web server via avahi

Expected results:

Web server known to avahi.

Additional info:

Comment 1 Daniel Walsh 2008-01-14 19:20:33 UTC
You need to add 

gen_requires(`
class dbus;
')
to get your policy to work.

Fixed in selinux-policy-3.0.8-76.fc8

Comment 2 Mace Moneta 2008-01-14 20:50:44 UTC
OK, what I actually needed to do in my local policy, in case anyone runs into
this, is:

policy_module(local, 1.0)

require {
   class dbus { send_msg };
   type httpd_t;
   type system_dbusd_t;
}

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
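
The failure in this report, "unknown class dbus used in rule", comes from an allow rule that uses an object class the require block never declares. The following is an added example, not part of the original bug report or of selinux-policy: a Python check that finds such undeclared classes and a generator that wraps audit2allow-style rules in a module declaring every type and class they use. The function names and the regex parsing of simple one-line rules are assumptions of this example.

```python
import re
from collections import defaultdict

# Simple one-line rule: allow <source> <target>:<class> <perm | { perms }>;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
# Declaration inside require { }: class <name> <perm | { perms }>;
CLASS_RE = re.compile(r"class\s+(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")
# Body of the require block, up to a closing brace at the start of a line
REQUIRE_RE = re.compile(r"require\s*\{(.*?)^\}", re.S | re.M)

def strip_comments(text):
    return re.sub(r"#.*", "", text)

def undeclared(te_text):
    """Return {class: [perms]} used by allow rules but absent from require."""
    te_text = strip_comments(te_text)
    block = REQUIRE_RE.search(te_text)
    declared = defaultdict(set)
    for cls, braced, single in CLASS_RE.findall(block.group(1) if block else ""):
        declared[cls].update((braced or single).split())
    missing = defaultdict(set)
    for _src, _tgt, cls, braced, single in RULE_RE.findall(te_text):
        missing[cls] |= set((braced or single).split()) - declared[cls]
    return {c: sorted(p) for c, p in missing.items() if p}

def build_module(name, rule_text, version="1.0"):
    """Wrap audit2allow-style rules in a module that declares all they use."""
    rules = RULE_RE.findall(strip_comments(rule_text))
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, braced, single in rules:
        types.update(t for t in (src, tgt) if t != "self")  # self is a keyword
        classes[cls].update((braced or single).split())
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {(b or o).strip()} }};" for s, t, c, b, o in rules]
    return "\n".join(out) + "\n"

# Constructed inputs: a module with types required but class dbus missing,
# and the audit2allow output quoted in the report.
BROKEN_TE = """policy_module(local, 1.0)
require {
\ttype httpd_t;
\ttype system_dbusd_t;
}
allow httpd_t system_dbusd_t:dbus send_msg;
"""
AUDIT2ALLOW_OUT = """#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
"""
```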



Comment 3 Daniel Walsh 2008-03-05 22:17:27 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.