Bug 860604
| Field | Value |
|---|---|
| Summary | selinux-policy-minimum prevents bluetoothd, sedispatch, and cupsd from working |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 17 |
| Hardware | i686 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Sergey <lis82> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, lis82, mgrepl |
| Target Milestone | --- |
| Target Release | --- |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2012-10-17 07:58:56 UTC |
Description
Sergey
2012-09-26 09:33:11 UTC
If the SELinux policy is enforced, thousands of messages like this one land in /var/log/messages:

    Sep 26 10:27:04 f17-32-01 sedispatch: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied): AVC Will be dropped

Could you attach AVC msgs? Thank you.

DETAILS FOR cupsd:

```
SELinux is preventing /usr/sbin/cupsd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cupsd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           cups-1.5.4-2.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:10:54 FET
Last Seen                     2012-09-27 08:10:54 FET
Local ID                      cc665fa4-9489-4a5d-b843-07bd59a2b91b

Raw Audit Messages
type=AVC msg=audit(1348722654.123:100): avc: denied { connectto } for pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff781a0 a2=b74adff4 a3=bff78330 items=0 ppid=1 pid=1070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,init_t,unix_stream_socket,connectto

audit2allow

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;
```

For the bluetoothd:

```
SELinux is preventing /usr/sbin/bluetoothd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bluetoothd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep bluetoothd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bluetooth_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        bluetoothd
Source Path                   /usr/sbin/bluetoothd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           bluez-4.99-2.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      3302669e-b352-48d3-993f-272a6adb73db

Raw Audit Messages
type=AVC msg=audit(1348722573.582:47): avc: denied { connectto } for pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1348722573.582:47): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfb00fd0 a2=b75d9ff4 a3=bfb01160 items=0 ppid=1 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/sbin/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)

Hash: bluetoothd,bluetooth_t,init_t,unix_stream_socket,connectto

audit2allow

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;
```

For sedispatch:

```
SELinux is preventing sedispatch from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sedispatch should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sedispatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:audisp_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        sedispatch
Source Path                   sedispatch
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      0c7d0c6b-850b-4750-b999-cfef2dd32bd0

Raw Audit Messages
type=AVC msg=audit(1348722573.537:45): avc: denied { connectto } for pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Hash: sedispatch,audisp_t,init_t,unix_stream_socket,connectto

audit2allow

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;
```

And also, not described above: the source process systemd-journal attempted getattr access on the directory /sys/fs/cgroup.

```
SELinux is preventing systemd-journal from getattr access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed getattr access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   2
First Seen                    2012-09-26 12:37:19 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      f15c3f1a-0c45-457f-bc61-1bc8f1b76af7

Raw Audit Messages
type=AVC msg=audit(1348723238.897:113): avc: denied { getattr } for pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Hash: systemd-journal,syslogd_t,cgroup_t,dir,getattr

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;
```

And also: the source process systemd-journal attempted search access on the directory /sys/fs/cgroup.

```
SELinux is preventing systemd-journal from search access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed search access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:20:38 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      ae0b2f5f-9c91-448b-9b1a-dad74d1ccb2e

Raw Audit Messages
type=AVC msg=audit(1348723238.897:114): avc: denied { search } for pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Hash: systemd-journal,syslogd_t,cgroup_t,dir,search

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;
```

Looks like dbus should be moved into the base required policy for minimum.

init_systemd boolean should definitely be turned on in Fedora 17.

Well, this is pretty hard to do with the dbus module. Sergey, how does your output of

    # semodule -l > /tmp/minimum

look? Could you attach this minimum file? Thank you.

Created attachment 618423 [details]
/tmp/minimum

    # semodule -l > /tmp/minimum

Did you turn off this boolean? If you execute

    # setsebool -P init_systemd 1

then it should work.
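As an added triage example (not part of this bug report or of the selinux-policy project), the following Python parses the raw `type=AVC` records quoted above, merges them into audit2allow-style rules per source type, target type and object class, and flags the one that sealert said is already covered by the `init_systemd` boolean, so the decision to flip a boolean or write a local module is made per rule rather than by piping the whole log into `audit2allow -M`. The `KNOWN_BOOLEANS` table is a hand-built assumption seeded only from the sealert hint on this page; a real tool would consult the loaded policy.

```python
import re

# Raw AVC records quoted in this bug report (copied from the page, one per line).
SAMPLE_AVCS = """\
type=AVC msg=audit(1348722654.123:100): avc: denied { connectto } for pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348722573.582:47): avc: denied { connectto } for pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348722573.537:45): avc: denied { connectto } for pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348723238.897:113): avc: denied { getattr } for pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1348723238.897:114): avc: denied { search } for pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""

# Fields of an AVC denial record that matter for policy triage.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Hand-built assumption seeded from the sealert hint on this page ("This avc can be
# allowed using the boolean 'init_systemd'"); a real tool would consult the policy.
KNOWN_BOOLEANS = {("syslogd_t", "cgroup_t", "dir"): "init_systemd"}


def type_of(context):
    """system_u:system_r:cupsd_t:s0-s0:c0.c1023 -> cupsd_t (the third field)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return (source type, target type, class, sorted perms) per AVC record."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                          m.group("tclass"), sorted(m.group("perms").split())))
    return found


def triage(text):
    """Merge denials into audit2allow-style rules, one per (source, target, class),
    and pair each rule with the boolean that already covers it, or None."""
    merged = {}  # dict keeps insertion order, so rules come out in first-seen order
    for stype, ttype, tclass, perms in parse_avcs(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (s, t, c), perms in merged.items():
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append((f"allow {s} {t}:{c} {body};", KNOWN_BOOLEANS.get((s, t, c))))
    return rules
```

Running `triage(SAMPLE_AVCS)` reproduces the three `connectto` rules audit2allow printed above and one merged `syslogd_t cgroup_t:dir { getattr search }` rule tagged with `init_systemd`, which is the case where `setsebool -P` is the right fix and a local module is not.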