Bug 463267

Summary: SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute_no_trans" to /lib/dbus-1/dbus-daemon-launch-helper (lib_t).
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Target Milestone: beta
Reporter: Jay Turner <jturner>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE <qe-baseos-auto>
CC: dcbw, dwalsh, kwirth, mmalik, srevivo, syeghiay, zcerza
Doc Type: Bug Fix
Last Closed: 2009-01-20 21:30:52 UTC

Description Jay Turner 2008-09-22 19:09:07 UTC
Description of problem:
Getting the following from time to time on a fresh installation as well as a 'yum update'

# sealert -l 7d323053-21fe-498b-b952-0db027210767

Summary:

SELinux is preventing dbus-daemon-lau (system_dbusd_t) "execute_no_trans" to
/lib/dbus-1/dbus-daemon-launch-helper (lib_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by dbus-daemon-lau. It is not expected that this
access is required by dbus-daemon-lau and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /lib/dbus-1/dbus-daemon-launch-helper,

restorecon -v '/lib/dbus-1/dbus-daemon-launch-helper'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:object_r:lib_t
Target Objects                /lib/dbus-1/dbus-daemon-launch-helper [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          haring.devel.redhat.com
Source RPM Packages           dbus-1.1.2-9.el5
Target RPM Packages           dbus-1.1.2-9.el5
Policy RPM                    selinux-policy-2.4.6-158.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     haring.devel.redhat.com
Platform                      Linux haring.devel.redhat.com 2.6.18-116.el5 #1
                              SMP Thu Sep 18 18:12:38 EDT 2008 i686 i686
Alert Count                   13
First Seen                    Mon Sep 22 12:34:34 2008
Last Seen                     Mon Sep 22 14:35:44 2008
Local ID                      7d323053-21fe-498b-b952-0db027210767
Line Numbers                  

Raw Audit Messages            

host=haring.devel.redhat.com type=AVC msg=audit(1222108544.386:44): avc:  denied  { execute_no_trans } for  pid=3991 comm="dbus-daemon" path="/lib/dbus-1/dbus-daemon-launch-helper" dev=dm-0 ino=2221724 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=haring.devel.redhat.com type=SYSCALL msg=audit(1222108544.386:44): arch=40000003 syscall=11 success=yes exit=0 a0=9247780 a1=9245db8 a2=92478b8 a3=9244b90 items=0 ppid=3990 pid=3991 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
1.1.2-9.el5

How reproducible:
Always

Comment 2 Daniel Walsh 2008-09-23 15:26:15 UTC
Fixed in selinux-policy-2.4.6-159.el5

Comment 4 Jay Turner 2008-09-23 17:11:39 UTC
This issue does appear to be resolved with the update to selinux-policy-2.4.6-159.el5, however there were more gremlins awaiting, as detailed in bug 463480.

Comment 5 Jay Turner 2008-10-01 12:23:45 UTC
Fix confirmed with 2.4.6-160.el5, but that version hasn't been tagged for inclusion in the 5.3 trees.

Comment 6 Daniel Walsh 2008-10-01 12:26:57 UTC
161 was just updated on the errata.

Comment 7 Zack Cerza 2008-10-07 17:26:35 UTC
I'm seeing the same avc denial over here with -162. Granted, it's the 64-bit version of dbus-daemon-launch-helper, but it is execute_no_trans and the target context is identical.

Comment 8 Daniel Walsh 2008-10-08 21:48:07 UTC
Please attach the avc messages

Comment 9 Daniel Walsh 2008-10-08 21:49:27 UTC
Also restorecon -R -v /lib64

Comment 11 Zack Cerza 2008-10-14 19:56:16 UTC
# restorecon -v -R /usr/lib64/
#

Comment 12 Daniel Walsh 2008-10-15 01:03:57 UTC
# matchpathcon /lib64/dbus-1/dbus-daemon-launch-helper
/lib64/dbus-1/dbus-daemon-launch-helper	system_u:object_r:system_dbusd_exec_t


# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-163.el5.noarch

It certainly is labeled correctly for me.

Comment 13 Daniel Walsh 2008-10-15 01:07:32 UTC
I said to 

# restorecon -R -v /lib64

You did 

# restorecon -v -R /usr/lib64/

Comment 15 Zack Cerza 2008-10-15 13:54:36 UTC
Oops! I'll try the correct one shortly.

Comment 16 Zack Cerza 2008-10-16 17:04:13 UTC
Weird... I did restorecon -R -v /lib64, which didn't output anything. But the context is in fact system_u:object_r:system_dbusd_exec_t now...
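
The check this thread walks through by hand, as an added example that is not part of the bug report or of selinux-policy: it parses the AVC record from the description, compares the denied file's type with the type matchpathcon reports for that path, and says whether relabeling or a policy change is the next step. The function names are hypothetical, and the fallback type is the one comment 12 shows for the /lib64 copy of the helper, assumed here when matchpathcon is not installed.

```shell
#!/bin/sh
# AVC record copied from the description above (host= prefix dropped).
AVC='type=AVC msg=audit(1222108544.386:44): avc:  denied  { execute_no_trans } for  pid=3991 comm="dbus-daemon" path="/lib/dbus-1/dbus-daemon-launch-helper" dev=dm-0 ino=2221724 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value with quotes stripped.
# Splitting on spaces is safe for path= because audit hex-encodes values
# that contain spaces instead of quoting them.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: print the denied permission(s) listed inside { }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT: print the type, the third field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: type the loaded policy's file contexts assign to PATH.
# Prints nothing when matchpathcon is missing or fails.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 0
    context_type "$(matchpathcon "$1" 2>/dev/null | awk '{print $2}')"
}

# triage RECORD EXPECTED_TYPE: "relabel" when the on-disk type recorded in the
# denial (tcontext) differs from what the policy expects; "policy" when the
# file is already labeled as the policy expects, so relabeling cannot help.
triage() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then echo relabel; else echo policy; fi
}

path=$(avc_field "$AVC" path)
expected=$(expected_type "$path")
# Assumption: fall back to the type shown in comment 12 if the tool is unavailable.
[ -n "$expected" ] || expected=system_dbusd_exec_t
verdict=$(triage "$AVC" "$expected")
echo "$(avc_perms "$AVC") on $path: $verdict (expected type $expected)"
if [ "$verdict" = relabel ]; then
    echo "restorecon -v '$path'"
fi
```
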

Comment 19 errata-xmlrpc 2009-01-20 21:30:52 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html