Bug 1460244 - Some processes are denied send_msg to dbus by selinux
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Keywords: Reopened
Reported: 2017-06-09 09:11 EDT by David Hill
Modified: 2018-01-18 05:04 EST
Last Closed: 2017-11-28 18:54:20 EST
Type: Bug
Description David Hill 2017-06-09 09:11:23 EDT
Description of problem:
Some processes are denied send_msg to dbus by selinux

type=USER_AVC msg=audit(1494603889.524:9388): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1992 spid=1 tpid=11277 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9390): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11278 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.531:9391): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1993 spid=1 tpid=11278 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.609:9395): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11283 tpid=1 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1494603889.610:9396): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1995 spid=1 tpid=11283 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.668:11678): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=29152 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495114002.669:11679): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2375 spid=1071 tpid=29152 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.712:12735): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=9451 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495351921.713:12736): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2573 spid=1071 tpid=9451 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14846): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=1997 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1495547440.369:14847): pid=1108 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2665 spid=1071 tpid=1997 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:161): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=2010 tpid=1257 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1496931062.479:162): pid=1220 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.20 spid=1257 tpid=2010 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Updated to latest
2. Set selinux in permissive
3. Reboot
4. Look at denied logs

Actual results:
Denied

Expected results:
Allowed or hidden

Additional info:
Comment 1 Jan Kurik 2017-08-15 05:00:58 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 2 bence 2017-08-23 05:54:33 EDT
Fedora 26 WorkStation is also affected.

audit[1075]: USER_AVC pid=1075 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=3663 tpid=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Comment 3 Michael Cronenworth 2017-11-03 09:17:45 EDT
This is still an issue. Any update on this?
Comment 4 Fedora Update System 2017-11-22 03:56:15 EST
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Comment 5 Fedora Update System 2017-11-22 16:41:55 EST
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
Comment 6 Michael Cronenworth 2017-11-22 16:57:44 EST
Not fixed for F26 or F27.

selinux-policy-3.13.1-260.17.fc26
selinux-policy-3.13.1-283.17.fc27
Comment 7 Fedora Update System 2017-11-28 18:54:20 EST
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Michael Cronenworth 2017-12-19 12:51:09 EST
I'm getting thousands of these a day so I've written up a type enforcement file that allows, and silences, these audit messages.
---

module my-dbus 1.0;

require {
	type system_dbusd_var_run_t;
	type init_t;
	type sshd_t;
	type postfix_master_t;
	type ftpd_t;
	type saslauthd_t;
	class dbus send_msg;
	class sock_file write;
}

#============= ftpd_t ==============
allow ftpd_t init_t:dbus send_msg;

#============= postfix_master_t ==============
allow postfix_master_t system_dbusd_var_run_t:sock_file write;

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= sshd_t ==============
allow sshd_t init_t:dbus send_msg;
Comment 9 Laurent Jacquot 2018-01-14 14:10:02 EST
I have also denied accesses to dbus:
module local 1.0;

require {
	type avahi_t;
	type init_t;
	type saslauthd_t;
	type smbd_t;
	class dbus send_msg;
}

#============= saslauthd_t ==============
allow saslauthd_t init_t:dbus send_msg;

#============= smbd_t ==============
allow smbd_t avahi_t:dbus send_msg;
Comment 10 Laurent Jacquot 2018-01-14 14:11:43 EST
To give some context: I have relabeled the file system this morning and upgraded to f27 a week or so ago.
selinux-policy-targeted-3.13.1-283.21.fc27.noarch
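
A triage aid for the denials in this report, added here as an example and not part of any comment or of selinux-policy: it groups dbus send_msg denials by source and target type and lists the pairs that a given set of allow rules leaves uncovered, since the logs show the reply direction (method_return, error) denied separately from the call. The sample log is abridged from the report; SAMPLE_TE and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: four records abridged from the denials quoted in this
# report (audit fields the parser does not use are dropped).
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1494603889.531:9390): msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=11278 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1494603889.531:9391): msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.1993 spid=1 tpid=11278 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1495114002.668:11678): msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Peer member=Ping dest=org.freedesktop.Avahi spid=29152 tpid=1071 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:avahi_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1495114002.669:11679): msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.2375 spid=1071 tpid=29152 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
"""

# Constructed policy fragment (hypothetical): covers only the call direction.
SAMPLE_TE = "allow httpd_t avahi_t:dbus send_msg;\n"

FIELD = re.compile(r"(\w+)=(\S+)")
DENIED = re.compile(r"denied\s+\{\s*send_msg\s*\}")
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):dbus\s+send_msg\s*;", re.M)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def denied_pairs(log_text):
    """Map (source_type, target_type) -> set of D-Bus msgtypes denied."""
    pairs = defaultdict(set)
    for line in log_text.splitlines():
        if "USER_AVC" not in line or not DENIED.search(line):
            continue
        f = dict(FIELD.findall(line))
        if f.get("tclass") != "dbus" or "scontext" not in f or "tcontext" not in f:
            continue
        pair = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]))
        pairs[pair].add(f.get("msgtype", "unknown"))
    return dict(pairs)

def uncovered(log_text, te_text):
    """Denied pairs with no matching 'allow S T:dbus send_msg;' rule."""
    allowed = set(ALLOW.findall(te_text))
    return {p: m for p, m in denied_pairs(log_text).items() if p not in allowed}

if __name__ == "__main__":
    for (src, tgt), msgtypes in sorted(uncovered(SAMPLE_LOG, SAMPLE_TE).items()):
        print(f"{src} -> {tgt}: {', '.join(sorted(msgtypes))}")
```

The rule matcher only recognises the single-permission form used in the modules above, not `{ ... }` permission sets or attribute-based rules.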
