Bug 598204

Summary: SELinux is preventing dbus-daemon-lau "connectto" access on /var/lib/sss/pipes/nss.
Product: [Fedora] Fedora Reporter: Natxo Asenjo <natxo>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:2a45c9ba7a9673525358a7c02cd430b3b031587adc5157e5b4a9bee4de4e20b4
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-01 07:13:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Natxo Asenjo 2010-05-31 18:23:48 UTC 
Summary:

SELinux is preventing dbus-daemon-lau "connectto" access on
/var/lib/sss/pipes/nss.

Detailed Description:

SELinux denied access requested by dbus-daemon-lau. It is not expected that this
access is required by dbus-daemon-lau and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:initrc_t:s0
Target Objects                /var/lib/sss/pipes/nss [ unix_stream_socket ]
Source                        dbus-daemon-lau
Source Path                   dbus-daemon-lau
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12
                              UTC 2010 i686 i686
Alert Count                   28
First Seen                    Mon 31 May 2010 06:41:31 PM CEST
Last Seen                     Mon 31 May 2010 08:22:39 PM CEST
Local ID                      d3a97a92-322c-4d6a-a631-cf803c08a598
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275330159.562:28791): avc:  denied  { connectto } for  pid=3430 comm="dbus-daemon-lau" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket



Hash String generated from  catchall,dbus-daemon-lau,system_dbusd_t,initrc_t,unix_stream_socket,connectto
audit2allow suggests:

#============= system_dbusd_t ==============
allow system_dbusd_t initrc_t:unix_stream_socket connectto;
Comment 1 Miroslav Grepl 2010-06-01 07:13:49 UTC 

*** This bug has been marked as a duplicate of bug 598191 ***