Bug 1733100 - SELinux is preventing 64636F6E6620776F726B6572 from 'connectto' accesses on the unix_stream_socket /run/dbus/system_bus_socket.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:9e7dedf0b18109c774fb3b19ae8...
Depends On:
Blocks:
Reported: 2019-07-25 08:23 UTC by Andreas Schöneck
Modified: 2019-10-23 09:49 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-26 09:27:45 UTC
as.maps: needinfo-


Description Andreas Schöneck 2019-07-25 08:23:23 UTC
Description of problem:
SELinux is preventing 64636F6E6620776F726B6572 from 'connectto' accesses on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es 64636F6E6620776F726B6572 standardmäßig erlaubt sein sollte, connectto Zugriff auf system_bus_socket unix_stream_socket zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c '64636F6E6620776F726B6572' --raw | audit2allow -M my-64636F6E6620776F726B6572
# semodule -X 300 -i my-64636F6E6620776F726B6572.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        64636F6E6620776F726B6572
Source Path                   64636F6E6620776F726B6572
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-41.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.1.19-300.fc30.x86_64 #1 SMP Mon
                              Jul 22 16:32:45 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2019-07-25 10:19:16 CEST
Last Seen                     2019-07-25 10:20:55 CEST
Local ID                      4393adf3-a4ac-41ac-b30c-c6c2b401f1db

Raw Audit Messages
type=AVC msg=audit(1564042855.698:410): avc:  denied  { connectto } for  pid=12500 comm=64636F6E6620776F726B6572 path="/run/dbus/system_bus_socket" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: 64636F6E6620776F726B6572,thumb_t,system_dbusd_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-3.14.3-41.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.1.19-300.fc30.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2019-07-25 14:42:44 UTC
Hi, 

Are you able to reproduce it? Could you also attach steps to reproduce it?

Thanks,
Lukas.

Comment 2 Andreas Schöneck 2019-07-26 07:35:30 UTC
@Lukas, currently I cannot. I will however pay close attention for what I did once it arises again.

Only yesterday I found myself somewhat spammed with that warning, so I went to reposting it.

Comment 3 Lukas Vrabec 2019-07-26 09:27:45 UTC
Hi Andreas, 

Thanks for the update. I am closing this bug because we don't have a reproducer. If you catch it again, please re-open this ticket.

Thanks,
Lukas.
