Bug 480943

Summary: SELinux is preventing nm-system-setti after update to 5.3
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.3
Reporter: Sergey Smirnov <ssmirnov>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE <qe-baseos-auto>
CC: adrian.fischli, aleksey, cward, hslredhat, mmalik, ohudlick, tao
Status: CLOSED ERRATA
Severity: medium
Priority: low
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-02 07:59:15 UTC

Description Sergey Smirnov 2009-01-21 14:21:47 UTC
Description of problem:
After the update to RHEL 5.3, there is an SELinux denial for nm-system-setti

Summary:

SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown>
(system_dbusd_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-203.el5

How reproducible:
Update RHEL5.2 to 5.3


Additional info:
Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:system_r:system_dbusd_t
Target Objects                None [ process ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          ...
Source RPM Packages           NetworkManager-0.7.0-3.el5
Target RPM Packages            
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ...
Platform                      Linux ... 2.6.18-128.el5
                             #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   2
First Seen                    Wed 21 Jan 2009 11:08:00 AM MSK
Last Seen                     Wed 21 Jan 2009 11:08:00 AM MSK
Local ID                      ...
Line Numbers                  

Raw Audit Messages            

host=... type=AVC msg=audit(1232525280.355:16): avc:  denied  { getsched } for  pid=3318 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process

host=... type=SYSCALL msg=audit(1232525280.355:16): arch=40000003 syscall=157 success=no exit=-13 a0=cf6 a1=ffffff94 a2=ceeff4 a3=b7fd7700 items=0 ppid=1 pid=3318 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-02-07 12:14:01 UTC
Fixed in selinux-policy-2.4.6-207.el5
Preview to U4 policy is available on 
http://people.redhat.com/dwalsh/SElinux/RHEL5

Comment 5 Aleksey Nogin 2009-04-01 17:45:10 UTC
Comment #1 appears to have a typo in the URL. I am guessing the correct URL is http://people.redhat.com/dwalsh/SELinux/RHEL5/ (note the capital "L" in "SELinux").

Comment 6 hslredhat 2009-06-17 12:50:18 UTC
Daniel,

Can you please let me know how to resolve this fix in my installation. A new installation of Red Hat 5 here also came up with these errors following installation and then after completion of several software updates.

Regards,

John.
hslredhat.uk

Comment 7 Daniel Walsh 2009-06-17 14:04:10 UTC
You can add your own custom policy to add just this rule by executing:

# grep dbus /var/log/audit/audit.log | audit2allow -M mydbus
# semodule -i mydbus.pp

This will modify policy on your machine to allow the access that is being denied.  

You could also just download the policy from http://people.redhat.com/dwalsh/SELinux/RHEL5/

And install it, which should work fine on your machine.  When RHEL5.4 comes out it will still update your policy if a newer version has been released.
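
Added example (not part of the bug report, and not audit2allow's own code): a small Python parser that derives the allow rules implied by AVC denial records, so the scope of a locally generated module can be reviewed before it is installed with `semodule -i`. The sample log holds the AVC record from this report, an abridged copy of its SYSCALL record, and one constructed record; the `comm` filter and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Record 1: the AVC line from this bug. Record 2: constructed here, an
# unrelated denial that a plain "grep dbus" would also pick up.
# Record 3: the SYSCALL line from this bug, abridged.
SAMPLE_LOG = '''\
host=... type=AVC msg=audit(1232525280.355:16): avc:  denied  { getsched } for  pid=3318 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=... type=AVC msg=audit(1232525290.100:21): avc:  denied  { read write } for  pid=4000 comm="example" name="x" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
host=... type=SYSCALL msg=audit(1232525280.355:16): arch=40000003 syscall=157 success=no exit=-13
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_denials(log_text, comm=None):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no permission set
        if comm is not None and m['comm'] != comm:
            continue  # keep only denials raised by the named command
        key = (selinux_type(m['src']), selinux_type(m['tgt']), m['cls'])
        denials[key].update(m['perms'].split())
    return denials


def allow_rules(denials):
    """Render one allow rule per group, using 'self' when source == target."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = 'self' if src == tgt else tgt
        names = sorted(perms)
        body = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {target}:{cls} {body};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(parse_denials(SAMPLE_LOG, comm='nm-system-setti'))))
```

Without the `comm` filter the constructed second record also produces a rule, which is the kind of extra access worth checking for in the `mydbus.te` file that `audit2allow -M` writes alongside `mydbus.pp`.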

Comment 9 Chris Ward 2009-07-03 18:21:39 UTC
~~ Attention - RHEL 5.4 Beta Released! ~~

RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner!

If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity.

Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value.

Questions can be posted to this bug or your customer or partner representative.

Comment 13 errata-xmlrpc 2009-09-02 07:59:15 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html