Bug 178702 - daemon fails to start
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Duplicates: 180160
Reported: 2006-01-23 11:48 EST by Gary Anderson
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.4-1
Doc Type: Bug Fix
Last Closed: 2006-03-20 20:40:54 EST

Description Gary Anderson 2006-01-23 11:48:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Description of problem:
output from /var/log/messages

rawhide avahi-daemon: Found user 'avahi' (UID 70) and group avahi (GID 70).
rawhide avahi-daemon: Successfully dropped root priviledges.
rawhide avahi-daemon: avahi-daemon 0.6.4 starting up.
rawhide avahi-daemon: dbus_bus_get(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied.

Version-Release number of selected component (if applicable):
avahi-0.6.4-3

How reproducible:
Always

Steps to Reproduce:
1. install FC5T2 (everything)
2. yum update

Actual Results:  avahi-daemon fails to start

Expected Results:  daemon should start

Additional info:
Comment 1 Bojan Smojver 2006-01-23 14:05:29 EST
Audit log from my box (SELinux policy targeted enforcing):

---------------------------------
type=AVC msg=audit(1138042749.943:5): avc:  denied  { connectto } for  pid=1768 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1138042749.943:5): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc63340 a2=3ed5d4 a3=1f items=1 pid=1768 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
type=AVC_PATH msg=audit(1138042749.943:5):  path="/var/run/dbus/system_bus_socket"
---------------------------------

And /var/log/messages shows:

---------------------------------
Jan 24 05:59:09 coyote avahi-daemon[1768]: Found user 'avahi' (UID 70) and group 'avahi' (GID 70).
Jan 24 05:59:09 coyote avahi-daemon[1768]: Successfully dropped root privileges.
Jan 24 05:59:09 coyote avahi-daemon[1768]: avahi-daemon 0.6.4 starting up.
Jan 24 05:59:09 coyote avahi-daemon[1768]: dbus_bus_get(): Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
---------------------------------

The socket is:

---------------------------------
[root@coyote ~]# ls -lZ /var/run/dbus/system_bus_socket 
srwxrwxrwx  root     root     system_u:object_r:system_dbusd_var_run_t /var/run/dbus/system_bus_socket
---------------------------------

BTW, I cannot do this, but this should be filed against devel, not fc5test2.
Comment 2 Bojan Smojver 2006-01-23 14:18:30 EST
Gary, do you have SELinux enabled on your box? On my box, it happily starts if I
do setenforce 0...
Comment 3 Bojan Smojver 2006-01-23 14:19:19 EST
Ah, forgot one more - my system is an i686, so the arch can be set to all.
Comment 4 Jason Vas Dias 2006-01-23 15:09:54 EST
Yes, this is because dbus-0.6 changed the location of dbus-daemon from 
/usr/bin/dbus-daemon, where it gets the correct selinux context: 
  $ ls -Z /usr/bin/dbus-daemon
-rwxr-xr-x  root     root     system_u:object_r:system_dbusd_exec_t /usr/bin/dbus-daemon
to /bin/dbus-daemon, where it does not:
  $ ls -lZ /bin/dbus-daemon
-rwxr-xr-x  root     root     system_u:object_r:bin_t          /bin/dbus-daemon

Just temporarily moving /bin/dbus-daemon to /usr/bin should rectify the problem
until selinux-policy-targeted is updated to take account of the new location.
Comment 5 Jason Vas Dias 2006-01-24 11:53:09 EST
With selinux-policy-{,targeted}-2.2.4-1, avahi-daemon, hald, and named are still
unable to connect to the system D-BUS - I get these AVCs after each boot-up
of kernel-2.6.15-1.1871_FC5:

allow avahi_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t initrc_t:unix_stream_socket connectto;
allow cupsd_config_t tmp_t:lnk_file read;
allow cupsd_t print_spool_t:lnk_file read;
allow hald_t initrc_t:unix_stream_socket connectto;
allow hald_t src_t:dir getattr;
allow hald_t system_dbusd_var_run_t:dir getattr;
allow named_t initrc_t:unix_stream_socket connectto;
allow readahead_t ramfs_t:file read;

This is because /bin/dbus-daemon, from dbus-0.6-7, still has the wrong context:
  -rwxr-xr-x  root  root    system_u:object_r:bin_t    /bin/dbus-daemon

Either moving /bin/dbus-daemon to /usr/bin, or doing:
  # chcon system_u:object_r:system_dbusd_exec_t /bin/dbus-daemon
allows avahi-daemon, haldaemon and named to start up and connect to D-BUS.
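
Added example (not part of the original thread and not code from any Fedora or SELinux tool): a Python triage sketch that turns AVC denials like the one in comment 1 into the rule form listed in comment 5, and flags denials whose socket peer is still in initrc_t, the sign that the peer daemon's binary is mislabelled as comments 4 and 5 describe. The second sample record and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the AVC record from comment 1 rejoined onto one
# line, a constructed hald record, and a non-AVC record that must be skipped.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1138042749.943:5): avc:  denied  { connectto } for  '
    'pid=1768 comm="avahi-daemon" name="system_bus_socket" '
    'scontext=system_u:system_r:avahi_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket\n'
    'type=AVC msg=audit(1138042750.101:6): avc:  denied  { getattr } for  '
    'pid=1800 comm="hald" name="dbus" scontext=system_u:system_r:hald_t:s0 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1138042749.943:5): arch=40000003 syscall=102\n'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Type field of user:role:type[:level]; the level may itself contain ':'."""
    return context.split(':', 3)[2]

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    match = AVC_RE.search(line) if line.startswith('type=AVC ') else None
    fields = dict(FIELD_RE.findall(match.group(2))) if match else {}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {'perms': match.group(1).split(),
            'source': context_type(fields['scontext']),
            'target': context_type(fields['tcontext']),
            'tclass': fields['tclass']}

def allow_rule(rec):
    """Render the denial in the rule form quoted in comment 5."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {perm_text};"

def untransitioned_peer(rec):
    """True when the socket peer still runs in initrc_t (no domain transition)."""
    return rec['tclass'] == 'unix_stream_socket' and rec['target'] == 'initrc_t'

def triage(text):
    """Return (rule, check_peer_label) for every AVC denial in the text."""
    records = filter(None, map(parse_avc, text.splitlines()))
    return [(allow_rule(r), untransitioned_peer(r)) for r in records]

if __name__ == '__main__':
    for rule, flag in triage(SAMPLE_AUDIT):
        print(rule, '<-- check label of peer binary' if flag else '')
```

A flagged rule is a prompt to inspect the peer executable's file context (as done with `ls -Z` in comment 4) rather than to load the generated rule.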
Comment 6 Gary Anderson 2006-01-24 13:20:04 EST
Update ... this only happens with selinux set to enforcing (my oops...). With
selinux set to permissive avahi (as well as hal) connect just fine.
Comment 7 Bojan Smojver 2006-01-24 18:12:41 EST
Workarounds presented here also fix:

http://www.redhat.com/archives/fedora-devel-list/2006-January/msg01203.html
Comment 8 Daniel Walsh 2006-01-25 11:32:55 EST
Fixed in selinux-policy-2.2.4-1
Comment 9 Jason Vas Dias 2006-02-06 10:14:39 EST
*** Bug 180160 has been marked as a duplicate of this bug. ***
