| Summary: | SELinux is preventing krfcommd from 'write' accesses on the socket Unknown. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | tuxor <acc-bugz-redhat> |
| Component: | selinux-policy | Assignee: | Eric Paris <eparis> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dwalsh, jsmith.fedora, mgrepl, nigel.j.smith, orangesunny |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:c7e15a26179db6e9578cfa18e3922eaebeedba8f4eca9d2e8ef60af3c8b8d2af | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-26 10:37:00 UTC | Type: | --- |
The first time this occurred, I did not want to file this bug, because I could not think of anything that could have caused it. But then it occurred two more times in completely different situations, so I can now confirm that this bug is at least not obviously related to something I could influence. For example, the SELinux error came while skyping, then another time while writing an email in Thunderbird, and again when I was just browsing through the filesystem in a terminal...

Looks like a kernel issue?

Didn't appear for a long time now. I think it's solved.

I can confirm that this bug still occurs with the latest version of Fedora 15 - it's triggered when attempting to perform an OBEX transfer to the host computer; in my case, from my phone to my desktop.
The SELinux troubleshooter suggests creating a new policy from the audit log, the entry for krfcommd being:
type=AVC msg=audit(1303522756.800:69): avc: denied { write } for pid=1059 comm="krfcommd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
Creating a policy using audit2allow fixes the problem and allows file transfers to occur normally.
I will add this allow for F15 if you have unconfined policy defined.
```
SELinux is preventing krfcommd from 'write' accesses on the socket Unknown.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that krfcommd should be allowed write access on the Unknown socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep krfcommd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kernel_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                Unknown [ socket ]
Source                        krfcommd
Source Path                   krfcommd
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-1.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-0.rc8.git0.1.fc15.x86_64 #1 SMP Tue Mar 8 08:22:15 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    So 13 Mär 2011 22:19:12 CET
Last Seen                     So 13 Mär 2011 22:19:12 CET
Local ID                      3b729af9-6467-4318-9ec4-1a17992b15b2

Raw Audit Messages
type=AVC msg=audit(1300051152.917:100): avc: denied { write } for pid=2056 comm="krfcommd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket

Hash: krfcommd,kernel_t,unlabeled_t,socket,write

audit2allow

#============= kernel_t ==============
allow kernel_t unlabeled_t:socket write;

audit2allow -R

#============= kernel_t ==============
allow kernel_t unlabeled_t:socket write;
```
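How the `allow` rule shown above follows from the AVC records, as an added example (not code from this bug report or from the SELinux tools): a small Python parser that reads the two denials quoted on this page, groups them by source type, target type and class, and renders the rule for review before anything is loaded with `semodule`. The function names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the reports on this page.
SAMPLE_LOG = """\
type=AVC msg=audit(1300051152.917:100): avc: denied { write } for pid=2056 comm="krfcommd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
type=AVC msg=audit(1303522756.800:69): avc: denied { write } for pid=1059 comm="krfcommd" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text, comm=None):
    """Group denials as (source type, target type, class) -> permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and (comm is None or rec.get("comm") == comm):
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules

def render(rules):
    """Render one allow rule per group, flagging targets that carry no label."""
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        # unlabeled_t matches every object lacking a valid label, so the rule is broad.
        note = "  # review: target is unlabeled_t" if t == "unlabeled_t" else ""
        out.append(f"allow {s} {t}:{c} {perm_txt};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_LOG, comm="krfcommd"))))
```

Both denials collapse into a single rule because they share the same source type, target type, class and permission.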