Bug 1442572 - SELinux is preventing useradd from write access on the sock_file system_bus_socket
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-04-15 18:42 UTC by Rubén
Modified: 2017-05-09 21:20 UTC

Fixed In Version: selinux-policy-3.13.1-251.fc26
Last Closed: 2017-05-09 21:20:33 UTC
Type: Bug


Attachments:
SELinux problem assistant does nothing (671.12 KB, image/png), 2017-04-15 18:42 UTC, Rubén

Description Rubén 2017-04-15 18:42:50 UTC
Created attachment 1271832
SELinux problem assistant does nothing

Description of problem:
1. After installing the samba, samba-winbind, samba-client and samba-common-tools packages, SELinux reports the following warning:

   SELinux is preventing useradd from write access on the sock_file 
   system_bus_socket.

2. SELinux problem assistant (sealert) does nothing when clicking on "Report error" (see attachment)

Version-Release number of selected component (if applicable):
samba-client-4.6.2-0.fc26.x86_64
samba-winbind-4.6.2-0.fc26.x86_64
samba-libs-4.6.2-0.fc26.x86_64
samba-client-libs-4.6.2-0.fc26.x86_64
samba-common-libs-4.6.2-0.fc26.x86_64
samba-winbind-modules-4.6.2-0.fc26.x86_64
samba-common-4.6.2-0.fc26.noarch
samba-4.6.2-0.fc26.x86_64
samba-common-tools-4.6.2-0.fc26.x86_64

Steps to Reproduce:
1. Install samba and related packages

Actual results:
Unexpected warning. Log:
SELinux is preventing useradd from write access on the sock_file system_bus_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, useradd debería permitir acceso write sobre system_bus_socket sock_file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c 'useradd' --raw | audit2allow -M my-useradd
# semodule -X 300 -i my-useradd.pp

Additional Information:
Source Context                system_u:system_r:useradd_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                system_bus_socket [ sock_file ]
Source                        useradd
Source Path                   useradd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-249.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              4.11.0-0.rc5.git0.1.fc26.x86_64 #1 SMP Mon Apr 3
                              17:54:15 UTC 2017 x86_64 x86_64
Alert Count                   7
First Seen                    2017-04-13 22:59:34 CEST
Last Seen                     2017-04-13 22:59:34 CEST
Local ID                      cca7d680-6648-42bb-b398-b2159ec4e9a2

Raw Audit Messages
type=AVC msg=audit(1492117174.837:262): avc:  denied  { write } for  pid=2146 comm="useradd" name="system_bus_socket" dev="tmpfs" ino=17241 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0


Hash: useradd,useradd_t,system_dbusd_var_run_t,sock_file,write


Expected results:
No warning, silent installation of samba.

Additional info:
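
The raw AVC record in the report above carries everything needed to see what a local module built with `audit2allow` would grant before `semodule` loads it. The following Python code is an added example, not part of the original report or of any Fedora tool; it parses that record, rebuilds the report's Hash line, and renders the matching allow rule. The function names are hypothetical, and joining several permissions with commas in `signature` is an assumption, since the report shows only one.

```python
import re

# Raw AVC record copied from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1492117174.837:262): avc:  denied  { write } for  '
    'pid=2146 comm="useradd" name="system_bus_socket" dev="tmpfs" ino=17241 '
    'scontext=system_u:system_r:useradd_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC audit record into a dict of its fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]

def signature(avc):
    """Rebuild the comm,source type,target type,class,permission key."""
    return ",".join([avc["comm"], context_type(avc["scontext"]),
                     context_type(avc["tcontext"]), avc["tclass"], *avc["perms"]])

def allow_rule(avc):
    """Render the type-enforcement rule that would permit this access."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(context_type(avc["scontext"]),
                                       context_type(avc["tcontext"]), avc["tclass"], perm_text)

def was_enforced(avc):
    """True when the access was really blocked (denied and not permissive)."""
    return avc["result"] == "denied" and avc.get("permissive") == "0"

if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(signature(record), allow_rule(record), was_enforced(record), sep="\n")
```

Comparing the rendered rule with the `.te` file that `audit2allow -M` writes next to the `.pp` module shows what the local policy would permit before it is installed.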

Comment 1 Fedora Update System 2017-04-19 20:37:27 UTC
selinux-policy-3.13.1-251.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98

Comment 2 Fedora Update System 2017-04-20 20:22:44 UTC
selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98

Comment 3 Rubén 2017-04-20 23:05:42 UTC
(In reply to Fedora Update System from comment #2)
> selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 testing
> repository. If problems still persist, please make note of it in this bug
> report.
> See https://fedoraproject.org/wiki/QA:Updates_Testing for
> instructions on how to install test updates.
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98

Solved. No SELinux warning anymore. However, SELinux problem assistant (sealert) does nothing yet when clicking on "Report error". Anyway this is a less important issue.

Thanks.

Comment 4 Rubén 2017-04-20 23:06:15 UTC
(In reply to Rubén Lledó from comment #3)
> (In reply to Fedora Update System from comment #2)
> > selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 testing
> > repository. If problems still persist, please make note of it in this bug
> > report.
> > See https://fedoraproject.org/wiki/QA:Updates_Testing for
> > instructions on how to install test updates.
> > You can provide feedback for this update here:
> > https://bodhi.fedoraproject.org/updates/FEDORA-2017-f36794dd98
> 
> Solved. No SELinux warning anymore. However, SELinux problem assistant
> (sealert) does nothing yet when clicking on "Report error". Anyway this is a
> less important issue.
> 
> Thanks.

+1 at Bodhi.

Comment 5 Fedora Update System 2017-05-09 21:20:33 UTC
selinux-policy-3.13.1-251.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

