Hide Forgot
Description of problem: SELinux is preventing dbus-daemon-lau from 'connectto' accesses on the unix_stream_socket /var/lib/sss/pipes/nss. ***** Plugin catchall (100. confidence) suggests ************************** If вы считаете, что dbus-daemon-lau следует разрешить доступ connectto к nss unix_stream_socket по умолчанию. Then рекомендуется создать отчет об ошибке. Чтобы разрешить доступ, можно создать локальный модуль политики. Do allow this access for now by executing: # ausearch -c 'dbus-daemon-lau' --raw | audit2allow -M my-dbusdaemonlau # semodule -X 300 -i my-dbusdaemonlau.pp Additional Information: Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects /var/lib/sss/pipes/nss [ unix_stream_socket ] Source dbus-daemon-lau Source Path dbus-daemon-lau Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-224.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64 Alert Count 2 First Seen 2016-11-26 05:08:16 MSK Last Seen 2016-11-26 05:08:54 MSK Local ID f932cf93-a66f-4aca-ad79-04b279739615 Raw Audit Messages type=AVC msg=audit(1480126134.990:445): avc: denied { connectto } for pid=14273 comm="dbus-daemon-lau" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: dbus-daemon-lau,system_dbusd_t,unconfined_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-3.13.1-224.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.10-300.fc25.x86_64 type: libreport Potential duplicate: bug 963533
Bedny, Did you upgrade fedora recently? Could you attach output of: # ps -efZ | grep unconfined_t Thanks.
*** Bug 1401127 has been marked as a duplicate of this bug. ***
The system was installed from USB image and it is up to date. ps -efZ | grep unconfined_t unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gdm 1054 1 0 дек07 ? 00:00:00 /usr/lib/systemd/systemd --user unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gdm 1377 1054 0 дек07 ? 00:00:00 /usr/libexec/at-spi-bus-launcher unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gdm 1389 1054 0 дек07 ? 00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 gdm 1444 1054 0 дек07 ? 00:00:00 /usr/libexec/xdg-permission-store unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1637 1 0 дек07 ? 00:00:00 /usr/lib/systemd/systemd --user unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1650 1 0 дек07 ? 00:00:49 /usr/bin/gnome-keyring-daemon --daemonize --login unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1653 1628 0 дек07 tty2 00:00:00 /usr/libexec/gdm-wayland-session gnome-session unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1658 1653 0 дек07 tty2 00:00:00 /usr/libexec/gnome-session-binary unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1672 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1677 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1700 1658 2 дек07 tty2 01:24:24 /usr/bin/gnome-shell unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1708 1700 0 дек07 tty2 00:13:01 /usr/bin/Xwayland :0 -rootless -noreset -listen 4 -listen 5 -displayfd 6 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1713 1637 0 дек07 ? 00:00:00 /usr/libexec/at-spi-bus-launcher unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1721 1637 0 дек07 ? 00:00:03 /usr/libexec/at-spi2-registryd --use-gnome-session unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1727 1 0 дек07 ? 00:02:55 /usr/bin/pulseaudio --start --log-target=syslog unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1743 1637 0 дек07 ? 00:00:00 /usr/libexec/gnome-shell-calendar-server unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1744 1700 0 дек07 tty2 00:00:02 ibus-daemon --xim --panel disable unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1748 1744 0 дек07 tty2 00:00:00 /usr/libexec/ibus-dconf unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1750 1 0 дек07 tty2 00:00:00 /usr/libexec/ibus-x11 --kill-daemon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1755 1637 0 дек07 ? 00:00:00 /usr/libexec/xdg-permission-store unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1768 1637 0 дек07 ? 00:00:25 /usr/libexec/evolution-source-registry unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1772 1637 0 дек07 ? 00:00:07 /usr/libexec/gvfs-udisks2-volume-monitor unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1786 1637 2 дек07 ? 01:25:33 /usr/libexec/goa-daemon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1789 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfs-afc-volume-monitor unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1794 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfs-mtp-volume-monitor unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1805 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfs-goa-volume-monitor unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1806 1637 0 дек07 ? 00:00:05 /usr/libexec/goa-identity-service unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1811 1637 0 дек07 ? 00:00:00 /usr/libexec/dconf-service unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1813 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1828 1658 0 дек07 tty2 00:00:16 /usr/libexec/gnome-settings-daemon unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1835 1637 0 дек07 ? 00:00:01 /usr/libexec/gvfsd-metadata unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1845 1637 0 дек07 ? 00:00:00 /usr/libexec/evolution-calendar-factory unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1857 1744 0 дек07 tty2 00:00:00 /usr/libexec/ibus-engine-simple unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1862 1845 0 дек07 ? 00:00:15 /usr/libexec/evolution-calendar-factory-subprocess --factory caldav --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx1845x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/1845/2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1914 1845 0 дек07 ? 00:00:06 /usr/libexec/evolution-calendar-factory-subprocess --factory contacts --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx1845x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/1845/3 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1928 1637 0 дек07 ? 00:00:00 /usr/libexec/evolution-addressbook-factory unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1930 1845 0 дек07 ? 00:00:06 /usr/libexec/evolution-calendar-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx1845x4 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/1845/4 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1933 1658 0 дек07 tty2 00:00:00 /usr/libexec/tracker-miner-user-guides unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1940 1658 0 дек07 tty2 00:00:00 /usr/bin/seapplet unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1942 1637 0 дек07 ? 00:00:00 /usr/libexec/tracker-store unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1954 1658 0 дек07 tty2 00:00:00 /usr/libexec/evolution/evolution-alarm-notify unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1961 1658 0 дек07 tty2 00:00:25 /usr/bin/gnome-software --gapplication-service unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1981 1658 0 дек07 tty2 00:00:05 abrt-applet unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1985 1928 0 дек07 ? 00:00:06 /usr/libexec/evolution-addressbook-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx1928x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/1928/2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 1995 1658 0 дек07 tty2 00:00:00 /usr/libexec/tracker-extract unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2002 1658 0 дек07 tty2 00:00:00 /usr/libexec/tracker-miner-apps unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2003 1658 0 дек07 tty2 00:00:00 /usr/libexec/tracker-miner-fs unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2056 1 0 дек07 tty2 00:00:00 /usr/libexec/gsd-printer unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2200 1845 0 дек07 ? 00:00:09 /usr/libexec/evolution-calendar-factory-subprocess --factory gtasks --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx1845x5 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/1845/5 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2569 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd-trash --spawner :1.11 /org/gtk/gvfs/exec_spaw/0 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2591 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd-network --spawner :1.11 /org/gtk/gvfs/exec_spaw/3 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2657 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd-dnssd --spawner :1.11 /org/gtk/gvfs/exec_spaw/13 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2678 1 2 дек07 tty2 01:34:52 qbittorrent unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 2731 1 0 дек07 ? 00:01:31 /home/Sergey/.dropbox-dist/dropbox-lnx.x86_64-15.4.22/dropbox unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 8030 1637 0 дек07 ? 00:00:00 /usr/libexec/gvfsd-http --spawner :1.11 /org/gtk/gvfs/exec_spaw/14 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 8082 1637 0 дек07 ? 00:00:00 /usr/libexec/gconfd-2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 31294 1 4 11:20 tty2 00:00:30 evolution unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 31327 1 0 11:20 tty2 00:00:00 /usr/libexec/webkit2gtk-4.0/WebKitNetworkProcess 43 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 31330 1 1 11:20 tty2 00:00:08 /usr/libexec/webkit2gtk-4.0/WebKitWebProcess 46 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 32198 1 34 11:31 tty2 00:00:14 /usr/lib64/firefox/firefox https://bugzilla.redhat.com/show_bug.cgi?id=1401125 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 32352 1637 3 11:32 ? 00:00:00 /usr/libexec/gnome-terminal-server unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 32358 32352 0 11:32 pts/0 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 32395 32358 0 11:32 pts/0 00:00:00 ps -efZ unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Sergey 32396 32358 0 11:32 pts/0 00:00:00 grep --color=auto unconfined_t
There seems to be problem that sssd unix pipes has wrong SELinux context. Maybe SELinux context was not properly restored after installation from USB. I would recommend to relabel whole system http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#file_t_.7C_unlabeled_t sh# touch /.autorelabel sh# reboot Could you confirm that it help? Or Are you still able to reproduce this AVC?
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.