Bug 878354
| Summary: | CIM providers can't use cimxml.socket | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Radek Novacek <rnovacek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 18 | CC: | dominick.grift, dwalsh, mgrepl, ovasik |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Type: | Bug |
| Last Closed: | 2012-12-07 04:32:08 UTC | | |

Fixed in selinux-policy-3.11.1-55.fc18

Thank you, -55 fixes the issue, but another problem appears once the previous one disappears:
type=SYSCALL msg=audit(1353684774.859:377): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7f0e5f162eb0 a2=6e a3=20 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353684774.859:377): avc: denied { connectto } for pid=1164 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket
Could you fix that too?
Radek, could you switch to permissive to see if you get more AVC msgs?

Thanks for the tip, I'm also getting the following two AVC messages:
time->Fri Nov 23 15:49:02 2012
type=SYSCALL msg=audit(1353682142.653:2375): arch=c000003e syscall=2 success=yes exit=31 a0=7f0e48014610 a1=241 a2=1b6 a3=238 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353682142.653:2375): avc: denied { write } for pid=1164 comm="cimprovagt" name="flags" dev="sysfs" ino=11313 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Fri Nov 23 15:49:02 2012
type=SYSCALL msg=audit(1353682142.653:2376): arch=c000003e syscall=1 success=yes exit=6 a0=1f a1=7f0e43fff000 a2=6 a3=22 items=0 ppid=1 pid=1164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353682142.653:2376): avc: denied { net_admin } for pid=1164 comm="cimprovagt" capability=12 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=capability
The first one looks like SELinux forbids the provider to write to /sys/class/net/<interface>/flags.
Fixed in selinux-policy-3.11.1-56.fc18
commit fbd5a98f8c9b2f822c3be3efe6bbc07e7d5c01ca
Author: Miroslav Grepl <mgrepl>
Date: Mon Nov 26 08:42:02 2012 +0100
Allow pegasus_t to have net_admin capability
Allow pegasus_t to write /sys/class/net/<interface>/flags

selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

I'm getting the following AVC denial:
time->Tue Nov 20 10:01:12 2012
type=SYSCALL msg=audit(1353402072.877:816): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7f09c21aae80 a2=6e a3=20 items=0 ppid=1 pid=2069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1353402072.877:816): avc: denied { write } for pid=2069 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=20335 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file
This causes CIM providers to not work at all.
selinux-policy-3.11.1-54.fc18.noarch
tog-pegasus-2.11.1-11.fc18.x86_64
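
The four AVC denials quoted in this report, reduced to the candidate allow rules a policy reviewer would weigh, in the style of audit2allow output. This is an added example, not code from the report or from selinux-policy; the function names are hypothetical, and SAMPLE holds the AVC records copied from this page with the SYSCALL lines left out.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (SYSCALL lines omitted).
SAMPLE = """\
type=AVC msg=audit(1353402072.877:816): avc: denied { write } for pid=2069 comm="cimprovagt" name="cimxml.socket" dev="tmpfs" ino=20335 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:pegasus_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353684774.859:377): avc: denied { connectto } for pid=1164 comm="cimprovagt" path="/run/tog-pegasus/cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1353682142.653:2375): avc: denied { write } for pid=1164 comm="cimprovagt" name="flags" dev="sysfs" ino=11313 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1353682142.653:2376): avc: denied { net_admin } for pid=1164 comm="cimprovagt" capability=12 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:system_r:pegasus_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def type_of(context):
    # An SELinux context is user:role:type[:level]; the type is field 3.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["s"]), type_of(m["t"]), m["c"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        tgt = "self" if tgt == src else tgt  # same-domain access is "self"
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE)))
```

Each rule is a candidate for review rather than something to load as is: an allow rule on `sysfs_t:file` applies to every file labelled `sysfs_t`, not only the `flags` file named in the AVC record.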