Bug 860604
| Field | Value |
|---|---|
| Summary | selinux-policy-minimum prevents bluetoothd, sedispatch, and cupsd from working |
| Product | Fedora |
| Component | selinux-policy |
| Version | 17 |
| Hardware | i686 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Sergey <lis82> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, lis82, mgrepl |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2012-10-17 07:58:56 UTC |
| Attachments | /tmp/minimum (attachment 618423, output of `semodule -l`) |
Description
Sergey 2012-09-26 09:33:11 UTC
If the SELinux policy is enforcing, thousands of messages like this land in /var/log/messages:
Sep 26 10:27:04 f17-32-01 sedispatch: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied): AVC Will be dropped

Comment
Could you attach AVC msgs? Thank you.

Comment
Sergey
DETAILS FOR cupsd:
SELinux is preventing /usr/sbin/cupsd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that cupsd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects /run/dbus/system_bus_socket [ unix_stream_socket ]
Source cupsd
Source Path /usr/sbin/cupsd
Port <Unknown>
Host f17-32-01.corp.zapdvin.by
Source RPM Packages cups-1.5.4-2.fc17.i686
Target RPM Packages
Policy RPM selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled True
Policy Type minimum
Enforcing Mode Permissive
Host Name f17-32-01.corp.zapdvin.by
Platform Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count 1
First Seen 2012-09-27 08:10:54 FET
Last Seen 2012-09-27 08:10:54 FET
Local ID cc665fa4-9489-4a5d-b843-07bd59a2b91b
Raw Audit Messages
type=AVC msg=audit(1348722654.123:100): avc: denied { connectto } for pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff781a0 a2=b74adff4 a3=bff78330 items=0 ppid=1 pid=1070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Hash: cupsd,cupsd_t,init_t,unix_stream_socket,connectto
audit2allow
#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;
audit2allow -R
#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;
For the bluetoothd:
SELinux is preventing /usr/sbin/bluetoothd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bluetoothd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bluetoothd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:bluetooth_t:s0
Target Context system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects /run/dbus/system_bus_socket [ unix_stream_socket ]
Source bluetoothd
Source Path /usr/sbin/bluetoothd
Port <Unknown>
Host f17-32-01.corp.zapdvin.by
Source RPM Packages bluez-4.99-2.fc17.i686
Target RPM Packages
Policy RPM selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled True
Policy Type minimum
Enforcing Mode Permissive
Host Name f17-32-01.corp.zapdvin.by
Platform Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count 1
First Seen 2012-09-27 08:09:33 FET
Last Seen 2012-09-27 08:09:33 FET
Local ID 3302669e-b352-48d3-993f-272a6adb73db
Raw Audit Messages
type=AVC msg=audit(1348722573.582:47): avc: denied { connectto } for pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1348722573.582:47): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfb00fd0 a2=b75d9ff4 a3=bfb01160 items=0 ppid=1 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/sbin/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)
Hash: bluetoothd,bluetooth_t,init_t,unix_stream_socket,connectto
audit2allow
#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;
audit2allow -R
#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;
For sedispatch:
SELinux is preventing sedispatch from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that sedispatch should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sedispatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:audisp_t:s0
Target Context system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects /run/dbus/system_bus_socket [ unix_stream_socket ]
Source sedispatch
Source Path sedispatch
Port <Unknown>
Host f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled True
Policy Type minimum
Enforcing Mode Permissive
Host Name f17-32-01.corp.zapdvin.by
Platform Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count 1
First Seen 2012-09-27 08:09:33 FET
Last Seen 2012-09-27 08:09:33 FET
Local ID 0c7d0c6b-850b-4750-b999-cfef2dd32bd0
Raw Audit Messages
type=AVC msg=audit(1348722573.537:45): avc: denied { connectto } for pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Hash: sedispatch,audisp_t,init_t,unix_stream_socket,connectto
audit2allow
#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;
audit2allow -R
#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;
And also, not described above:
The source process: systemd-journal
Attempted this access: getattr
On this directory: /sys/fs/cgroup
SELinux is preventing systemd-journal from getattr access on the directory /sys/fs/cgroup.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that systemd-journal should be allowed getattr access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:cgroup_t:s0
Target Objects /sys/fs/cgroup [ dir ]
Source systemd-journal
Source Path systemd-journal
Port <Unknown>
Host f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled True
Policy Type minimum
Enforcing Mode Permissive
Host Name f17-32-01.corp.zapdvin.by
Platform Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count 2
First Seen 2012-09-26 12:37:19 FET
Last Seen 2012-09-27 08:20:38 FET
Local ID f15c3f1a-0c45-457f-bc61-1bc8f1b76af7
Raw Audit Messages
type=AVC msg=audit(1348723238.897:113): avc: denied { getattr } for pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
Hash: systemd-journal,syslogd_t,cgroup_t,dir,getattr
audit2allow
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;
audit2allow -R
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;
And also:
The source process: systemd-journal
Attempted this access: search
On this directory: /sys/fs/cgroup
SELinux is preventing systemd-journal from search access on the directory /sys/fs/cgroup.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that systemd-journal should be allowed search access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:cgroup_t:s0
Target Objects /sys/fs/cgroup [ dir ]
Source systemd-journal
Source Path systemd-journal
Port <Unknown>
Host f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled True
Policy Type minimum
Enforcing Mode Permissive
Host Name f17-32-01.corp.zapdvin.by
Platform Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count 1
First Seen 2012-09-27 08:20:38 FET
Last Seen 2012-09-27 08:20:38 FET
Local ID ae0b2f5f-9c91-448b-9b1a-dad74d1ccb2e
Raw Audit Messages
type=AVC msg=audit(1348723238.897:114): avc: denied { search } for pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
Hash: systemd-journal,syslogd_t,cgroup_t,dir,search
audit2allow
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;
audit2allow -R
#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;
Comment
Looks like dbus should be moved into the base required policy for minimum.

Comment
The init_systemd boolean should definitely be turned on in Fedora 17.

Comment
Well, this is pretty hard to do with the dbus module. Sergey, how does your output of
# semodule -l > /tmp/minimum
look? Could you attach this minimum file? Thank you.

Comment
Sergey
Created attachment 618423 [details]
/tmp/minimum
# semodule -l > /tmp/minimum

Comment
Did you turn off this boolean? If you execute
# setsebool -P init_systemd 1
then it should work.
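The thread above shows the trap in following setroubleshoot's catchall advice literally: `audit2allow` would happily emit `allow cupsd_t init_t:unix_stream_socket connectto;` for three different daemons, when the real signal is that the target of `/run/dbus/system_bus_socket` is `init_t` rather than the D-Bus daemon's own domain, i.e. the dbus policy module is simply not loaded under the minimum policy, and the cgroup denials are already covered by the `init_systemd` boolean. The script below is an added example written for this page (it is not code from the bug report or from selinux-policy). It parses the raw AVC records quoted in the report, aggregates them into the same one-rule-per-(source, target, class) form `audit2allow` prints, and then classifies each rule as "turn on a boolean", "load the missing policy module", or "write a local module only after review". The boolean name comes from the `audit2allow` output in the report; the socket heuristic, the `BOOLEAN_HINTS` table and the `remedy()` wording are assumptions of this example, not part of any SELinux tool.

```python
"""Triage SELinux AVC denials the way a policy maintainer reads them.

Added example for this bug report (not code from the report or from
selinux-policy): parse raw AVC lines, aggregate them audit2allow-style,
then decide whether the fix is a boolean, a missing policy module, or a
reviewed local module.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug, plus one
# SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348722654.123:100): avc:  denied  { connectto } for  pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 ppid=1 pid=1070 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
type=AVC msg=audit(1348722573.582:47): avc:  denied  { connectto } for  pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348722573.537:45): avc:  denied  { connectto } for  pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348723238.897:113): avc:  denied  { getattr } for  pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1348723238.897:114): avc:  denied  { search } for  pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

PERMS_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed hint table for this example. The boolean is the one audit2allow
# named in the report; the socket check encodes the maintainer's diagnosis:
# a target of init_t on the system bus socket means dbus-daemon never
# transitioned to its own domain because the dbus module is not loaded.
BOOLEAN_HINTS = {("syslogd_t", "cgroup_t", "dir"): "init_systemd"}
DBUS_SOCKET = "/run/dbus/system_bus_socket"


def selinux_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "?"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path", fields.get("name", "")),
    }


def build_rules(log_text):
    """Aggregate denials like audit2allow: one rule per (source, target, class)."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["stype"], d["ttype"], d["tclass"])
            rules[key]["perms"].update(d["perms"])
            rules[key]["paths"].add(d["path"])
    return dict(rules)


def format_rule(key, perms):
    """Render a rule in the syntax audit2allow prints."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(rules):
    """Map each aggregated rule to the kind of fix a maintainer would recommend."""
    findings = {}
    for key, info in rules.items():
        stype, ttype, tclass = key
        if tclass == "unix_stream_socket" and ttype == "init_t" and DBUS_SOCKET in info["paths"]:
            findings[key] = ("missing-module", "dbus")
        elif key in BOOLEAN_HINTS:
            findings[key] = ("boolean", BOOLEAN_HINTS[key])
        else:
            findings[key] = ("local-module", None)
    return findings


def remedy(finding):
    """Turn a finding into the command or action to take (wording assumed)."""
    kind, arg = finding
    if kind == "boolean":
        return f"setsebool -P {arg} 1"
    if kind == "missing-module":
        return f"load the {arg} policy module (fix the base policy); do not add a local allow rule"
    return "audit2allow -M mypol && semodule -i mypol.pp  # only after reviewing the rule"


if __name__ == "__main__":
    rules = build_rules(SAMPLE_AUDIT_LOG)
    for key, finding in triage(rules).items():
        print(format_rule(key, rules[key]["perms"]))
        print("   ->", remedy(finding))
```

Run against the report's own records this yields four rules: three `connectto` rules against `init_t` that all point at one missing module, and one `allow syslogd_t cgroup_t:dir { getattr search };` that collapses to `setsebool -P init_systemd 1`. The point of the classification step is that a local module generated from `grep cupsd ... | audit2allow -M mypol` would silently grant cupsd, bluetoothd and audisp access to an unconfined `init_t` socket and mask the real defect in the minimum policy set.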