Bug 1227110 - SELinux is preventing ibus-x11 from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-xWGLPDBLvH.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:0b3e1dd4fca75cb3d20173068ce...
Depends On:
Blocks:
Reported: 2015-06-01 23:16 UTC by ruben e quintero
Modified: 2015-07-28 13:44 UTC (History)

Fixed In Version: selinux-policy-3.13.1-128.1.fc22
Clone Of:
Environment:
Last Closed: 2015-06-11 18:38:02 UTC
Type: ---
Embargoed:



Description ruben e quintero 2015-06-01 23:16:58 UTC
Description of problem:
SELinux is preventing ibus-x11 from 'connectto' accesses on the unix_stream_socket @/tmp/dbus-xWGLPDBLvH.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, ibus-x11 debería permitir acceso connectto sobre  dbus-xWGLPDBLvH unix_stream_socket.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep ibus-x11 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0
                              :c0.c1023
Target Objects                @/tmp/dbus-xWGLPDBLvH [ unix_stream_socket ]
Source                        ibus-x11
Source Path                   ibus-x11
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.13.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.5-200.fc21.x86_64 #1 SMP Mon
                              Apr 20 19:51:56 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-05-14 07:15:48 VET
Last Seen                     2015-05-14 07:15:48 VET
Local ID                      ccc56742-9c3d-49c9-9139-491799581956

Raw Audit Messages
type=AVC msg=audit(1431603948.614:424): avc:  denied  { connectto } for  pid=1640 comm="ibus-x11" path=002F746D702F646275732D7857474C5044424C7648 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: ibus-x11,xdm_t,unconfined_dbusd_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport

Potential duplicate: bug 1054407
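
Added example (not part of the original report, and not code from setroubleshoot or audit2allow): this Python code parses the raw AVC record above, decodes the hex-encoded `path` value into the abstract socket name, and derives the type-enforcement rule the denial corresponds to. The function names and the set of fields treated as encoded are assumptions of the example.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
AVC = ('type=AVC msg=audit(1431603948.614:424): avc:  denied  { connectto } for  '
       'pid=1640 comm="ibus-x11" path=002F746D702F646275732D7857474C5044424C7648 '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket permissive=0')

# Assumption of this example: only these fields carry quoted-or-hex strings.
# Numeric fields such as pid must not be hex-decoded.
ENCODED_FIELDS = {'comm', 'path', 'name', 'exe'}

def decode_audit_value(value):
    """Audit writes a string either quoted, or as bare hex when it has unsafe bytes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        raw = bytes.fromhex(value)
        # A leading NUL marks an abstract-namespace unix socket, displayed as '@'.
        if raw.startswith(b'\x00'):
            return '@' + raw[1:].decode('utf-8', 'replace')
        return raw.decode('utf-8', 'replace')
    return value

def parse_avc(line):
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)))
    for key in fields.keys() & ENCODED_FIELDS:
        fields[key] = decode_audit_value(fields[key])
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def selinux_type(context):
    # Context layout is user:role:type:level; the level may contain colons itself.
    return context.split(':')[2]

def te_rule(avc):
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        selinux_type(avc['scontext']), selinux_type(avc['tcontext']),
        avc['tclass'], perm_text)

if __name__ == '__main__':
    record = parse_avc(AVC)
    print(record['comm'], record['path'], te_rule(record))
```

Reading the decoded socket name and the source and target types before loading a module generated with `audit2allow -M` shows exactly which access the local policy would grant.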

Comment 1 Miroslav Grepl 2015-06-02 15:20:56 UTC
commit 2e37bec53a953c5aa0220609debf6086ab32d108
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jun 2 17:09:29 2015 +0200

    Allow ibus-x11 running as xdm_t to connect user session buses. We already allow to connect to userdomains over unix_stream_socket. BZ(1054407)

Comment 2 Fedora Update System 2015-06-09 14:39:32 UTC
selinux-policy-3.13.1-128.1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.1.fc22

Comment 3 Fedora Update System 2015-06-10 19:11:17 UTC
Package selinux-policy-3.13.1-128.1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9714/selinux-policy-3.13.1-128.1.fc22
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-06-11 18:38:02 UTC
selinux-policy-3.13.1-128.1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Mirek Svoboda 2015-07-22 18:06:54 UTC
Description of problem:
Just booted FC22. The FC22 has been upgraded from a clean install of FC21 using fedup.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-202.fc21.x86_64
type:           libreport

Comment 6 Mirek Svoboda 2015-07-22 18:18:01 UTC
The issue persists.

rpm -q selinux-policy
selinux-policy-3.13.1-122.fc22.noarch

Should you need additional information please let me know.

Comment 7 Lukas Vrabec 2015-07-28 13:18:54 UTC
$ audit2allow -i avc 


#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t unconfined_dbusd_t:unix_stream_socket connectto;


lvrabec:~
$ rpm -q selinux-policy
selinux-policy-3.13.1-128.8.fc22.noarch

Comment 8 Mirek Svoboda 2015-07-28 13:44:20 UTC
You're right, I overlooked the target version.

