Bug 966110

Summary: Permission attach_queue in class tun_socket not defined in policy
Product: [Fedora] Fedora
Component: selinux-policy
Version: 18
Reporter: Matthieu Saulnier <casper>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: casper, dominick.grift, dwalsh, mgrepl, moez.roy
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-06-03 19:20:51 UTC

Description Matthieu Saulnier 2013-05-22 14:00:16 UTC
Description of problem:
When I install a new module or disable an old one, I get this log in /var/log/messages:

May 22 15:08:04 localhost kernel: [  556.998115] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 15:08:04 localhost kernel: [  556.998121] SELinux: the above unknown classes and permissions will be allowed
May 22 15:08:04 localhost dbus-daemon[548]: dbus[548]: avc:  received policyload notice (seqno=3)
May 22 15:08:04 localhost dbus[548]: avc:  received policyload notice (seqno=3)
May 22 15:08:04 localhost dbus-daemon[548]: dbus[548]: [system] Reloaded configuration
May 22 15:08:04 localhost dbus[548]: [system] Reloaded configuration


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-95.fc18.noarch


How reproducible:
Always


Steps to Reproduce:
1. semodule -d old_module_name
OR
semodule -i new_module.pp

Comment 1 Daniel Walsh 2013-05-23 14:54:57 UTC
If you rebuild new_module.pp does the problem go away?  Is this a policy built on a newer system being installed on an older system?

Comment 2 Matthieu Saulnier 2013-05-24 09:07:37 UTC
(In reply to Daniel Walsh from comment #1)
> If you rebuild new_module.pp does the problem go away?
nope

> Is this a policy
> built on a newer system being installed on an older system?
no, it was a policy to allow postfix cleanup on my f18 server, policy has been built and installed on my f18 server

In fact this message appeared for the first time just after the update to selinux-policy-3.11.1-95:



May 22 01:30:02 localhost dbus-daemon[532]: dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:30:02 localhost dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:30:02 localhost dbus-daemon[532]: dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:30:02 localhost dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:31:57 localhost yum[6031]: Updated: selinux-policy-3.11.1-95.fc18.noarch
May 22 01:31:58 localhost yum[6031]: Updated: 1:perl-parent-0.225-243.fc18.noarch
May 22 01:31:58 localhost yum[6031]: Updated: 1:perl-Pod-Escapes-1.04-244.fc18.noarch
May 22 01:31:59 localhost yum[6031]: Updated: perl-Pod-Perldoc-3.17.00-244.fc18.noarch
May 22 01:31:59 localhost yum[6031]: Updated: perl-threads-shared-1.40-244.fc18.x86_64
May 22 01:32:00 localhost yum[6031]: Updated: perl-Scalar-List-Utils-1.25-244.fc18.x86_64
May 22 01:32:00 localhost yum[6031]: Updated: perl-PathTools-3.39.2-244.fc18.x86_64
May 22 01:32:01 localhost yum[6031]: Updated: 1:perl-Pod-Simple-3.20-244.fc18.noarch
May 22 01:32:01 localhost yum[6031]: Updated: perl-Carp-1.26-243.fc18.noarch
May 22 01:32:02 localhost yum[6031]: Updated: 4:perl-macros-5.16.3-244.fc18.x86_64
May 22 01:32:03 localhost yum[6031]: Updated: 4:perl-libs-5.16.3-244.fc18.x86_64
May 22 01:32:03 localhost yum[6031]: Updated: 1:perl-Module-Pluggable-4.00-244.fc18.noarch
May 22 01:32:04 localhost yum[6031]: Updated: perl-threads-1.86-243.fc18.x86_64
May 22 01:32:04 localhost yum[6031]: Updated: perl-Pod-Parser-1.51-244.fc18.noarch
May 22 01:32:10 localhost yum[6031]: Updated: 4:perl-5.16.3-244.fc18.x86_64
May 22 01:32:11 localhost yum[6031]: Updated: perl-Data-Dumper-2.135.06-244.fc18.x86_64
May 22 01:32:11 localhost yum[6031]: Updated: perl-Test-Harness-3.23-244.fc18.noarch
May 22 01:32:12 localhost yum[6031]: Updated: perl-HTTP-Tiny-0.017-244.fc18.noarch
May 22 01:32:12 localhost yum[6031]: Updated: perl-Digest-1.17-244.fc18.noarch
May 22 01:32:13 localhost yum[6031]: Updated: perl-ExtUtils-Manifest-1.61-243.fc18.noarch
May 22 01:32:13 localhost yum[6031]: Updated: perl-ExtUtils-Install-1.58-244.fc18.noarch
May 22 01:32:14 localhost yum[6031]: Updated: 1:perl-ExtUtils-ParseXS-3.16-244.fc18.noarch
May 22 01:32:14 localhost yum[6031]: Updated: 4:perl-devel-5.16.3-244.fc18.x86_64
May 22 01:32:15 localhost yum[6031]: Updated: perl-ExtUtils-MakeMaker-6.63.2-244.fc18.noarch
May 22 01:32:16 localhost yum[6031]: Updated: krb5-libs-1.10.3-17.fc18.x86_64
May 22 01:32:17 localhost yum[6031]: Updated: krb5-workstation-1.10.3-17.fc18.x86_64
May 22 01:32:18 localhost yum[6031]: Updated: perl-CPAN-1.9800-244.fc18.noarch
May 22 01:32:18 localhost yum[6031]: Updated: perl-Test-Simple-0.98-243.fc18.noarch
May 22 01:32:19 localhost yum[6031]: Updated: perl-Digest-MD5-2.51-244.fc18.x86_64
May 22 01:32:19 localhost yum[6031]: Updated: 3:perl-version-0.99-244.fc18.noarch
May 22 01:32:19 localhost yum[6031]: Updated: 1:perl-Package-Constants-0.02-244.fc18.noarch
May 22 01:32:20 localhost yum[6031]: Updated: 1:perl-IO-Zlib-1.10-244.fc18.noarch
May 22 01:32:49 localhost kernel: [242928.681217] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 01:32:49 localhost kernel: [242928.681223] SELinux: the above unknown classes and permissions will be allowed
May 22 01:32:49 localhost dbus-daemon[532]: dbus[532]: avc:  received policyload notice (seqno=2)
May 22 01:32:49 localhost dbus[532]: avc:  received policyload notice (seqno=2)
May 22 01:32:50 localhost dbus-daemon[532]: dbus[532]: [system] Reloaded configuration
May 22 01:32:50 localhost dbus[532]: [system] Reloaded configuration
May 22 01:32:50 localhost yum[6031]: Updated: selinux-policy-targeted-3.11.1-95.fc18.noarch
May 22 01:32:52 localhost yum[6031]: Updated: selinux-policy-doc-3.11.1-95.fc18.noarch
May 22 01:33:19 localhost yum[6031]: Updated: selinux-policy-devel-3.11.1-95.fc18.noarch
May 22 01:33:20 localhost yum[6031]: Updated: openldap-2.4.35-4.fc18.1.x86_64
May 22 01:33:21 localhost yum[6031]: Updated: python-lxml-3.2.1-1.fc18.x86_64
May 22 01:33:39 localhost dbus-daemon[532]: dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:33:39 localhost dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:33:39 localhost dbus-daemon[532]: dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:33:39 localhost dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'


However it appeared after update to selinux-policy-3.11.1-96 too:


May 24 10:33:52 localhost yum[15265]: Updated: systemd-201-2.fc18.7.x86_64
May 24 10:33:52 localhost yum[15265]: Updated: selinux-policy-3.11.1-96.fc18.noarch
May 24 10:34:19 localhost yum[15265]: Updated: selinux-policy-devel-3.11.1-96.fc18.noarch
May 24 10:34:21 localhost yum[15265]: Updated: selinux-policy-doc-3.11.1-96.fc18.noarch
May 24 10:34:50 localhost kernel: [156879.558713] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 24 10:34:50 localhost kernel: [156879.558718] SELinux: the above unknown classes and permissions will be allowed
May 24 10:34:50 localhost dbus-daemon[548]: dbus[548]: avc:  received policyload notice (seqno=9)
May 24 10:34:50 localhost dbus[548]: avc:  received policyload notice (seqno=9)
May 24 10:34:50 localhost dbus-daemon[548]: dbus[548]: [system] Reloaded configuration
May 24 10:34:50 localhost dbus[548]: [system] Reloaded configuration

Comment 3 Miroslav Grepl 2013-05-28 10:18:32 UTC
Could you remove this local policy and try to reinstall selinux-policy-targeted?

# semodule -r <custom_policy>
# yum reinstall selinux-policy-targeted

Comment 4 Matthieu Saulnier 2013-05-29 17:17:02 UTC
(In reply to Miroslav Grepl from comment #3)
> Could you remove this local policy and try to reinstall
> selinux-policy-targeted
> 
> # semodule -r <custom_policy>
> # yum reinstall selinux-policy-targeted

Thanks a lot, that solved the problem:


May 29 18:56:25 lancaster dbus-daemon[541]: dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:56:25 lancaster dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:56:25 lancaster dbus-daemon[541]: dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:56:25 lancaster dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:59:29 lancaster kernel: [99776.690162] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 29 18:59:29 lancaster kernel: [99776.690169] SELinux: the above unknown classes and permissions will be allowed
May 29 18:59:29 lancaster kernel: [99777.932112] [sched_delayed] sched: RT throttling activated
May 29 18:59:29 lancaster dbus-daemon[541]: dbus[541]: avc:  received policyload notice (seqno=7)
May 29 18:59:29 lancaster dbus[541]: avc:  received policyload notice (seqno=7)
May 29 18:59:29 lancaster dbus-daemon[541]: dbus[541]: [system] Reloaded configuration
May 29 18:59:29 lancaster dbus[541]: [system] Reloaded configuration
May 29 18:59:31 lancaster yum[31025]: Installed: selinux-policy-targeted-3.11.1-96.fc18.noarch
May 29 18:59:31 lancaster dbus-daemon[541]: dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:59:31 lancaster dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:59:31 lancaster dbus-daemon[541]: dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:59:31 lancaster dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'

Comment 5 Miroslav Grepl 2013-06-03 19:20:51 UTC
Great.
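
A triage sketch for the kernel messages quoted in this report, added here as an example and not part of the original bug thread: it pairs each "not defined in policy" warning with the handling the kernel announced and with the seqno of the policy load that followed. The function names and the sample log are constructed; the line formats follow the logs above, and the "denied" variant assumes a policy built to deny unknown permissions.

```shell
#!/bin/sh
# Added example: list every policy load that triggered an
# "unknown permission" warning. Reads syslog text on stdin.
unknown_perm_report() {
    awk '
    BEGIN { handling = "unknown" }
    # Kernel: permission known to the kernel but absent from the loaded policy.
    /SELinux: +Permission .* in class .* not defined in policy/ {
        ts = $1 " " $2 " " $3
        line = $0
        sub(/.*SELinux: +Permission /, "", line)
        perm = line; sub(/ in class .*/, "", perm)
        cls = line;  sub(/.* in class /, "", cls); sub(/ not defined.*/, "", cls)
        pending[++n] = cls ":" perm
        next
    }
    # Kernel: how the loaded policy treats unknown permissions.
    /SELinux: the above unknown classes and permissions will be / {
        handling = $NF
        next
    }
    # Userspace AVC notice closes the event and carries the load sequence number.
    /avc: +received policyload notice/ && n > 0 {
        seq = $0; sub(/.*seqno=/, "", seq); sub(/[^0-9].*/, "", seq)
        for (i = 1; i <= n; i++)
            print ts, pending[i], "handling=" handling, "seqno=" seq
        n = 0; handling = "unknown"
    }'
}

# Constructed sample: first event copies the format in the report, the
# seqno=4 load carries no warning, the last event is a constructed "denied" case.
sample_log() {
    cat <<'EOF'
May 22 15:08:04 localhost kernel: [  556.998115] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 15:08:04 localhost kernel: [  556.998121] SELinux: the above unknown classes and permissions will be allowed
May 22 15:08:04 localhost dbus-daemon[548]: dbus[548]: avc:  received policyload notice (seqno=3)
May 22 15:08:04 localhost dbus[548]: avc:  received policyload notice (seqno=3)
May 22 16:00:00 localhost dbus[548]: avc:  received policyload notice (seqno=4)
May 22 17:00:00 localhost kernel: [ 7000.000001] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 17:00:00 localhost kernel: [ 7000.000002] SELinux: the above unknown classes and permissions will be denied
May 22 17:00:01 localhost dbus[548]: avc:  received policyload notice (seqno=5)
EOF
}

sample_log | unknown_perm_report
```

On a live system, feed it the real log instead of the sample, for example `unknown_perm_report < /var/log/messages`.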