Bug 523031

Summary: setroubleshoot: SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from executing system-config-firewall-mechanism.py.
Product: [Fedora] Fedora
Reporter: vinod <vinodkmar>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: allinux4, dwalsh, fedora, flokip, jkubin, mgrepl, twoerner, vinodkmar
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:e787295e6e15b545ccc33ba17f20a2832268b4473ec276019b262334242a4e72
Doc Type: Bug Fix
Last Closed: 2009-09-23 14:04:25 UTC

Description vinod 2009-09-13 14:26:19 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from executing
system-config-firewall-mechanism.py.

Detailed Description:

SELinux has denied the dbus-daemon-lau from executing
system-config-firewall-mechanism.py. If dbus-daemon-lau is supposed to be able
to execute system-config-firewall-mechanism.py, this could be a labeling
problem. Most confined domains are allowed to execute files labeled bin_t. So
you could change the labeling on this file to bin_t and retry the application.
If this dbus-daemon-lau is not supposed to execute
system-config-firewall-mechanism.py, this could signal an intrusion attempt.

Allowing Access:

If you want to allow dbus-daemon-lau to execute
system-config-firewall-mechanism.py: chcon -t bin_t
'system-config-firewall-mechanism.py' If this fix works, please update the file
context on disk, with the following command: semanage fcontext -a -t bin_t
'system-config-firewall-mechanism.py' Please specify the full path to the
executable, Please file a bug report to make sure this becomes the default
labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                system-config-firewall-mechanism.py [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-1.2.16-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-2.fc12.x86_64
                              #1 SMP Thu Sep 10 00:25:40 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 13 Sep 2009 07:52:08 PM IST
Last Seen                     Sun 13 Sep 2009 07:53:03 PM IST
Local ID                      63605ca1-a376-48af-baf2-46c10e4c78d3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252851783.896:36): avc:  denied  { execute } for  pid=3088 comm="dbus-daemon-lau" name="system-config-firewall-mechanism.py" dev=sda5 ino=359 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1252851783.896:36): arch=c000003e syscall=59 success=no exit=-13 a0=1f7f9f0 a1=1f7f8f0 a2=1f7e010 a3=7fff73c1df70 items=0 ppid=3087 pid=3088 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= system_dbusd_t ==============
allow system_dbusd_t usr_t:file execute;

Comment 1 vinod 2009-09-13 14:32:44 UTC
When trying to configure the firewall, a blank system-config-firewall window pops up and terminates after the SELinux alert.

Not able to view/change firewall settings.

Comment 2 Thomas Woerner 2009-09-14 12:37:27 UTC
*** Bug 523088 has been marked as a duplicate of this bug. ***

Comment 3 Thomas Woerner 2009-09-14 12:46:58 UTC
Reassigning to selinux-policy.

A new policy will be added for the dbus firewall backend.

As an interim solution set the type of the dbus backend context with "chcon -t
bin_t /usr/share/system-config-firewall/system-config-firewall-mechanism.py"

Comment 4 Daniel Walsh 2009-09-14 19:41:52 UTC
Fixed in selinux-policy-3.6.31-4.fc12.noarch

Comment 5 Thomas Woerner 2009-09-18 08:06:31 UTC
*** Bug 524157 has been marked as a duplicate of this bug. ***

Comment 6 Flóki Pálsson 2009-09-22 20:22:28 UTC
Not working with
selinux-policy-3.6.32-7.fc12.noarch

Comment 7 Daniel Walsh 2009-09-23 00:46:23 UTC
Floki, please explain.  What errors are you seeing?

Comment 8 Flóki Pálsson 2009-09-23 08:45:43 UTC
I saw sealert after updating to selinux-policy-3.6.32-7.fc12.noarch when starting s-c-f from menu.

Starting system-config-firewall from menu works after using the command in comment #3 (which has a nasty line break) or after using "Relabel on next reboot" from SELinux Management. Then system-config-firewall-mechanism.py has firewallgui_exec_t in its SELinux context.

PS.
I use f12 live snap 2 updated. Then SELinux Management was missing from menu, I think it should be installed by default.

Comment 9 Daniel Walsh 2009-09-23 14:04:25 UTC
You relabelled and the system-config-firewall worked, indicating you had a labelling problem.

Open a bugzilla with live snap to add SELinux Management to their default install.

I am going to close this bugzilla since it seems that if you have proper labeling everything is working.
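
Added example (not part of the original bug thread): a small triage script for the AVC record in the Description, which reproduces the audit2allow rule and flags the denial as a probable labeling problem, the diagnosis reached in comment 9. The `GENERIC_TYPES` set and the `triage` heuristic are assumptions made for this example, not setroubleshoot's own logic.

```python
import re

# AVC record copied from the Raw Audit Messages in this report.
AVC = ('node=(removed) type=AVC msg=audit(1252851783.896:36): avc:  denied  '
       '{ execute } for  pid=3088 comm="dbus-daemon-lau" '
       'name="system-config-firewall-mechanism.py" dev=sda5 ino=359 '
       'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:usr_t:s0 tclass=file')

# Assumption for this example: generic types that usually mean the file never
# got a specific label, so relabeling is the fix, not a new allow rule.
GENERIC_TYPES = {"usr_t", "default_t", "file_t", "unlabeled_t"}

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if not one."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    fields = {k: v.strip('"') for k, v in fields.items()}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def triage(avc):
    """Build the audit2allow-style rule and flag likely mislabeling."""
    s, t = avc["source"]["type"], avc["target"]["type"]
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {s} {t}:{avc['tclass']} {perm_text};"
    mislabel = "execute" in perms and avc["tclass"] == "file" and t in GENERIC_TYPES
    return {"rule": rule, "likely_mislabel": mislabel}
```

When `likely_mislabel` is true, restoring the file's intended context is the better fix than loading the generated allow rule, which would let `system_dbusd_t` execute every file labeled `usr_t`.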