Bug 192556 - dbus-daemon AVC with nss_ldap
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i686 Linux
medium Severity low
Assigned To: Daniel Walsh
: SELinux
Blocks: 192555
Reported: 2006-05-20 12:17 EDT by Ian Pilcher
Modified: 2008-08-02 19:40 EDT
Last Closed: 2006-08-03 08:45:38 EDT
Description Ian Pilcher 2006-05-20 12:17:51 EDT
Description of problem:

When nss_ldap is enabled, dbus-daemon generates the following AVC at startup:

type=AVC msg=audit(1148140854.825:57): avc:  denied  { create } for  pid=2799
    comm="dbus-daemon" scontext=root:system_r:system_dbusd_t:s0
    tcontext=root:system_r:system_dbusd_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1148140854.825:57): arch=40000003 syscall=102
    success=no exit=-13 a0=1 a1=bfbd11f4 a2=abcff4 a3=8d25bd8 items=0 pid=2799
    auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
    comm="dbus-daemon" exe="/bin/dbus-daemon"
type=SOCKETCALL msg=audit(1148140854.825:57): nargs=3 a0=10 a1=3 a2=0

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Enable nss_ldap and the SELinux targeted policy
2.  service start messagebus
Actual results:

AVC denial.

Expected results:

No AVC denial.

Additional info:
Comment 1 Ian Pilcher 2006-05-20 12:25:26 EDT
An almost identical AVC denial occurs when the haldaemon service is started.
Comment 2 Daniel Walsh 2006-06-15 22:18:32 EDT
Fixed in selinux-policy-2.2.47-3
Comment 3 Joachim Selke 2006-08-03 04:29:15 EDT
I can confirm dbus-daemon to work fine here, using
selinux-policy-targeted-2.3.3-8.fc5. Thanks.
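
The following is an added example, not part of the original report or of the selinux-policy project: a short Python reading of the three audit records in the description, showing which socket() call was refused and which type-enforcement rule the denial corresponds to. The constant tables are standard Linux values, the function names are made up for this example, and the derived rule is what the AVC maps to in audit2allow style, not necessarily the change shipped in selinux-policy-2.2.47-3.

```python
import errno
import re

# The three audit records from the report, each joined onto one line.
RECORDS = [
    'type=AVC msg=audit(1148140854.825:57): avc:  denied  { create } for  pid=2799 '
    'comm="dbus-daemon" scontext=root:system_r:system_dbusd_t:s0 '
    'tcontext=root:system_r:system_dbusd_t:s0 tclass=netlink_route_socket',
    'type=SYSCALL msg=audit(1148140854.825:57): arch=40000003 syscall=102 '
    'success=no exit=-13 a0=1 a1=bfbd11f4 a2=abcff4 a3=8d25bd8 items=0 pid=2799 '
    'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="dbus-daemon" exe="/bin/dbus-daemon"',
    'type=SOCKETCALL msg=audit(1148140854.825:57): nargs=3 a0=10 a1=3 a2=0',
]
# Linux constants (audit prints syscall arguments in hex).
FAMILY = {1: 'AF_UNIX', 2: 'AF_INET', 10: 'AF_INET6', 16: 'AF_NETLINK'}
SOCKTYPE = {1: 'SOCK_STREAM', 2: 'SOCK_DGRAM', 3: 'SOCK_RAW'}
NETLINK_PROTO = {0: 'NETLINK_ROUTE'}

def fields(record):
    """Key=value pairs of one audit record, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Timestamp:serial that ties the records of one audit event together."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)

def avc_rule(record):
    """Type-enforcement rule the denial corresponds to (audit2allow style)."""
    perms = re.search(r'\{([^}]*)\}', record).group(1).split()
    f = fields(record)
    source, target = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))
    target = 'self' if target == source else target
    perm = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (source, target, f['tclass'], perm)

def decode_socketcall(syscall_rec, socketcall_rec):
    """Render an i386 socketcall(2) socket() request as a readable call, or None."""
    sc, args = fields(syscall_rec), fields(socketcall_rec)
    # arch 40000003 is i386, where syscall 102 is socketcall and call number 1 is socket().
    if (sc['arch'], sc['syscall'], int(sc['a0'], 16)) != ('40000003', '102', 1):
        return None
    family, stype, proto = (int(args[k], 16) for k in ('a0', 'a1', 'a2'))
    proto_name = NETLINK_PROTO.get(proto, str(proto)) if family == 16 else str(proto)
    result = int(sc['exit'])
    outcome = '-' + errno.errorcode[-result] if result < 0 else str(result)
    return 'socket(%s, %s, %s) = %s' % (FAMILY.get(family, family),
                                        SOCKTYPE.get(stype, stype), proto_name, outcome)

if __name__ == '__main__':
    assert len({event_id(r) for r in RECORDS}) == 1   # all three belong to one event
    print(decode_socketcall(RECORDS[1], RECORDS[2]))
    print(avc_rule(RECORDS[0]))
```

The SOCKETCALL arguments are hexadecimal, so a0=10 is address family 16 (AF_NETLINK), which matches the netlink_route_socket class named in the AVC record.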
