Bug 429678

Summary: SELinux is preventing /usr/sbin/semodule (semanage_t) "read write" to socket (unconfined_t)
Product: [Fedora] Fedora
Reporter: Valent Turkovic <valent.turkovic>
Component: LiveCD
Assignee: Jeremy Katz <katzj>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Version: 10
CC: anton, brad.longo, dcantrell
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-21 18:31:04 UTC

Description Valent Turkovic 2008-01-22 12:45:32 UTC
Description of problem:
Summary
    SELinux is preventing /usr/sbin/semodule (semanage_t) "read write" to socket
    (unconfined_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/semodule. It is not expected
    that this access is required by /usr/sbin/semodule and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:semanage_t:s0
Target Context                system_u:system_r:unconfined_t:s0
Target Objects                socket [ tcp_socket ]
Affected RPM Packages         policycoreutils-2.0.33-3.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-74.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     valent.oswireless
Platform                      Linux valent.oswireless 2.6.23.9-85.fc8 #1 SMP Fri
                              Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Mon 21 Jan 2008 10:27:08 PM CET
Last Seen                     Mon 21 Jan 2008 10:27:08 PM CET
Local ID                      197495e2-243e-4d79-be89-ff8ac3bb38b6
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=semodule dev=sockfs egid=0 euid=0
exe=/usr/sbin/semodule exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=socket:[182383]
pid=605 scontext=system_u:system_r:semanage_t:s0 sgid=0
subj=system_u:system_r:semanage_t:s0 suid=0 tclass=tcp_socket
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Start Fedora Revisor and try to make a live CD based on the F8 live CD
  
Actual results:


Expected results:


Additional info:
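
The denial in the "Raw Audit Messages" block above can be broken into its source type, target type, object class and permissions. The following is an added example, not part of the original report and not code from setroubleshoot or audit2allow. `SAMPLE_AVC` is the message from the report rejoined onto one line, and the function names are hypothetical.

```python
import re

# Constructed: the raw audit message from the report, rejoined onto one line.
SAMPLE_AVC = (
    "avc: denied { read write } for comm=semodule dev=sockfs egid=0 euid=0 "
    "exe=/usr/sbin/semodule exit=0 fsgid=0 fsuid=0 gid=0 items=0 "
    "path=socket:[182383] pid=605 scontext=system_u:system_r:semanage_t:s0 "
    "sgid=0 subj=system_u:system_r:semanage_t:s0 suid=0 tclass=tcp_socket "
    "tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=0"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(message):
    """Split an AVC message into decision, permission list and key=value fields."""
    m = AVC_RE.search(" ".join(message.split()))  # undo line wrapping first
    if m is None:
        raise ValueError("not an AVC message")
    decision, perms, rest = m.groups()
    # Assumes values contain no spaces, which holds for the message above.
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {"decision": decision, "perms": perms.split(), "fields": fields}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def summarize(message):
    """Reduce a denial to the fields a reviewer needs, plus the TE rule it implies."""
    avc = parse_avc(message)
    f = avc["fields"]
    src, tgt = context_type(f["scontext"]), context_type(f["tcontext"])
    rule = "allow %s %s:%s { %s };" % (src, tgt, f["tclass"], " ".join(avc["perms"]))
    return {"decision": avc["decision"], "exe": f.get("exe"), "source_type": src,
            "target_type": tgt, "tclass": f["tclass"], "perms": avc["perms"],
            "cross_domain": src != tgt, "rule": rule}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AVC).items():
        print("%-12s %s" % (key, value))
```

The `rule` string states the access a local policy module for this denial would have to grant, which makes it easier to judge whether granting it is appropriate.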

Comment 1 Daniel Walsh 2008-01-23 21:27:06 UTC
Creating livecd images with SELinux in enforcing mode does not currently work.
The problem is you have a shared kernel, and the act of creating the CD will
load a different policy than the machine you are creating it on.

So currently when you create a livecd, you need to put the machine in permissive
mode, and you will need to reboot when the machine is finished if you want to put
the machine back in enforcing mode.

Comment 2 Daniel Walsh 2008-01-23 21:27:48 UTC
*** Bug 429682 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2008-01-23 21:28:52 UTC
*** Bug 429684 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2008-01-23 21:29:53 UTC
*** Bug 429685 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2008-01-23 21:30:26 UTC
*** Bug 429686 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2008-01-23 21:30:50 UTC
*** Bug 429687 has been marked as a duplicate of this bug. ***

Comment 7 Josef Kubin 2008-02-19 13:48:41 UTC
*** Bug 429677 has been marked as a duplicate of this bug. ***

Comment 8 Josef Kubin 2008-02-19 13:50:37 UTC
*** Bug 429683 has been marked as a duplicate of this bug. ***

Comment 9 Josef Kubin 2008-02-19 15:59:54 UTC
I'll try to create a fake SELinux policy - just for the creation process of the live CD.

Comment 10 Josef Kubin 2008-02-20 13:33:05 UTC
*** Bug 429676 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2008-07-02 20:06:53 UTC
This is now working in Rawhide, and is backported to Fedora 9.

With livecd from git repository

Policy works, we are waiting for livecd packaged in rawhide and f9.

Also requires -26 kernel for fedora 9. 

Comment 12 Jeremy Katz 2008-07-03 00:40:37 UTC
livecd-tools for F9 has been pushed and rawhide is in git -- testers from git
appreciated as more indicators to do a rawhide build.  Worst case, I'll be doing
one at the end of next week for the alpha freeze.

Comment 13 Brad Longo 2008-07-08 02:16:59 UTC
I have the same issue.  When this happened I got all the error output from
livecd-creator and I also saved the error messages from selinux troubleshooter.
 Let me know if you want me to include the info.  

Comment 14 Brad Longo 2008-07-08 03:05:15 UTC
This is strange... the livecd works?!

Comment 15 Bug Zapper 2008-11-26 02:05:19 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 16 Jeremy Katz 2009-07-21 18:31:04 UTC
Closing out bug that's been in MODIFIED for a while.