Bug 670730

Summary: sectool prevented from running tests
Product: [Fedora] Fedora Reporter: Michael Cronenworth <mike>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.9.7-25.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-25 20:58:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Michael Cronenworth 2011-01-19 06:00:39 UTC 
Description of problem: I installed sectool and attempted to start tests. After I press "Start" I get a SELINUX security alert from setroubleshoot. The offending audit message:

type=AVC msg=audit(1295413041.638:3755): avc:  denied  { sendto } for  pid=13088 comm="sectool-mechani" path="/tmp/sectool/b959224a77ee494201138d522b03795cd604ea10" scontext=system_u:system_r:sectoolm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1295413041.638:3755): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fff2b01ce70 a2=37 a3=ffffffff items=0 ppid=1 pid=13088 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sectool-mechani" exe="/usr/bin/python" subj=system_u:system_r:sectoolm_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
sectool-0.9.5-2.fc14.x86_64
selinux-policy-3.9.7-20.fc14.noarch
selinux-policy-targeted-3.9.7-20.fc14.noarch

How reproducible: Always


Steps to Reproduce:
1. Start sectool test
  
Actual results: Sectool appears to be hung, but you can stop the test attempt.


Expected results: Sectool runs tests.


Additional info:

I have generated my own policy to allow sectool to run and it is able to work with the custom policy in place.
Comment 1 Miroslav Grepl 2011-01-19 09:48:22 UTC 
We need to add

userdom_dgram_send(sectoolm)

We have it in F13 policy.
Comment 2 Miroslav Grepl 2011-01-19 10:24:28 UTC 
Fixed in selinux-policy-3.9.7-23.fc14
Comment 3 Fedora Update System 2011-01-20 16:04:14 UTC 
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
Comment 4 Fedora Update System 2011-01-20 19:54:39 UTC 
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
Comment 5 Fedora Update System 2011-01-25 20:57:39 UTC 
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.