Bug 605890
| Summary: | SELinux is preventing /usr/sbin/aiccu "write" access . | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | atrias | ||||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 13 | CC: | dwalsh, mgrepl, sjensen | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | setroubleshoot_trace_hash:75fbd1069a824be97053c8bccbac0e673e4012b48596ccde79916aa76ac2b8cc | ||||||||||
| Fixed In Version: | selinux-policy-3.7.19-33.fc13 | Doc Type: | Bug Fix | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2010-07-06 17:09:20 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
atrias
2010-06-19 07:13:07 UTC
Created attachment 425303 [details]
other alerts
Nothing is mentioned on the alert about /dev/net/tun as in bug 590481 and i also have a alter version of selinux policies which is supposed to solve the aiccu problems. I also get all the alerts that are shown on the screenshots just when i start the aiccu service Created attachment 425304 [details]
other alerts 2
It was fixed in selinux-policy-3.7.19-28.fc13. selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13 thank you for the information how much time does it take for a package to go from testing to updates ? i googled that but i couldn't find a clear answer I Just updated me fedora and selinux-policy-3.7.19-28.fc13 was installed after restarting my PC i tried: [root@fedora ~]# /etc/init.d/aiccu start Starting AICCU (Automatic IPv6 Connectivity Configuration U[FAILED]services: the new bug is: SELinux is preventing /usr/sbin/aiccu "read" access on /etc/hosts. should I open a new bug report? Please attach the avc messages from /var/log/audit/audit.log Looks like we need sysnet_dns_name_resolve(aiccu_t) a made a copy of this log file and then (after trying to start aiccu) i made a diff between them
the lines that were added because of aiccu are these:
2753,2756d2752
< type=AVC msg=audit(1277492828.466:25568): avc: denied { read } for pid=8034 comm="aiccu" name="resolv.conf" dev=dm-0 ino=165 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.466:25568): arch=c000003e syscall=2 success=no exit=-13 a0=32fdd426db a1=0 a2=1b6 a3=2 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
< type=AVC msg=audit(1277492828.468:25569): avc: denied { read } for pid=8034 comm="aiccu" name="hosts" dev=dm-0 ino=126 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.468:25569): arch=c000003e syscall=2 success=no exit=-13 a0=7f402d86a2a6 a1=80000 a2=1b6 a3=0 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
Fixed in selinux-policy-3.7.19-32.fc13 selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13 seems to work OK now!! thank you very much! Confirming, solved all my problems with aiccu. Thank you! I know it is a little off-topic but does anyone know of a way to start aiccu automatically on startup? I used 'chkconfig aiccu on' but after reboot i got Starting AICCU (Automatic IPv6 Connectivity Configuration Utility) services: [FAILED] when i tried to start it manually it started ok any ideas? for anyone interested the solution is: 'chkconfig --del aiccu' and then 'chkconfig --add aiccu' and finally 'chkconfig aiccu on' Created attachment 429169 [details]
SELinux verhindert /bin/bash "sys_tty_config" Zugriff
Whoops, i was to fast. One last error apears for aiccu.
Best regards
Additional: If selinux is set to enforcing, aiccu is not able to be "verbose" on startup. So the Tunnel infomation are not displayed. /etc/aiccu.conf # Be verbose? (default: false) verbose true selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |