Bug 289371 - setroubleshootd is killed by SELinux?
setroubleshootd is killed by SELinux?
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
7
All Linux
medium Severity low
: ---
: ---
Assigned To: John Dennis
Fedora Extras Quality Assurance
: SELinux
: 283101 284031 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-13 11:03 EDT by Matěj Cepl
Modified: 2007-11-30 17:12 EST (History)
4 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-08 17:43:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit-log (1.38 MB, text/plain)
2007-09-13 11:03 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2007-09-13 11:03:05 EDT
Description of problem:
setroubleshootd is blocked from starting by SELinux on my notebook. I am quite
sure, that I haven't made changes in the policies which should affect it (I
don't even know how I would do it). See attached audit.log. Audit2allow
generated for me this module which made setroubleshootd work again:

module newsetroubleshoot 1.0;

require {
        type system_dbusd_var_run_t;
        type user_home_t;
        type setroubleshootd_t;
        type system_dbusd_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class lnk_file read;
        class dbus { acquire_svc send_msg };
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t system_dbusd_t:dbus { acquire_svc send_msg };
allow setroubleshootd_t system_dbusd_t:unix_stream_socket connectto;
allow setroubleshootd_t system_dbusd_var_run_t:sock_file write;
allow setroubleshootd_t user_home_t:lnk_file read;

Version-Release number of selected component (if applicable):
setroubleshoot-server-1.10.1-1.fc7
setroubleshoot-1.10.1-1.fc7
setroubleshoot-plugins-1.10.1-1.fc7
selinux-policy-targeted-2.6.4-42.fc7
selinux-policy-2.6.4-42.fc7

How reproducible:
100%

Steps to Reproduce:
1.just restart the computer
2.
3.
  
Actual results:
no alerts on AVC denials

Expected results:
there should be

Additional info:
Comment 1 Matěj Cepl 2007-09-13 11:03:05 EDT
Created attachment 194701 [details]
audit-log
Comment 2 John Dennis 2007-09-15 12:28:38 EDT
The setroubleshoot package needs a newer version of the selinux policy.
Upgrading to policy version 3.0.7-10 or higher should fix the problem. I'm
adding a requires to the setroubleshoot spec to enforce this. 

If upgrading your policy fixes the problem please close this bug, thank you.
Comment 3 John Dennis 2007-09-15 13:11:05 EDT
*** Bug 284031 has been marked as a duplicate of this bug. ***
Comment 4 John Dennis 2007-09-15 13:16:09 EDT
*** Bug 283101 has been marked as a duplicate of this bug. ***
Comment 5 Matěj Cepl 2007-09-15 18:12:37 EDT
Where could I get 3.0 policy for F7?
Comment 6 Todd Zullinger 2007-09-25 22:34:28 EDT
Ping.  The latest selinux-policy available for F7 is 2.6.4-43.fc7 (2.6.4-44.fc7
has been built but not yet pushed, though nothing in the changelog makes me
think it'll fix this issue).

If selinux-policy >= 3.0 is required, why is the setroubleshoot update in
updates-testing?  I don't see any signs that an selinux-policy update to >= 3.0
is imminent for F7.

Is there a bug filed against selinux-policy about this?  Would it be possible
for Dan to put whatever dbus policy changes are needed into selinux-policy-2.6.4
and push it to F7?  Otherwise, anyone who has enabled updates-testing has a
broken setroubleshootd.

(FWIW, dropping back to setroubleshoot-1.9.4-2.fc7 still works.)
Comment 7 Daniel Walsh 2007-09-26 09:36:07 EDT
selinux-policy > 3 is not going into F7.  What change does setroubleshoot need?

Please do not require the newer version.  If you need setroubleshoot policy
backported to F7, I will do it.
Comment 8 Todd Zullinger 2007-09-26 11:01:50 EDT
When trying to start setroubleshootd, I get these denials (in permissive mode):

type=AVC msg=audit(1190818601.954:35): avc:  denied  { write } for  pid=3913
comm="setroubleshootd" name="system_bus_socket" dev=sda2 ino=2413570
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1190818601.954:35): avc:  denied  { connectto } for  pid=3913
comm="setroubleshootd" name="system_bus_socket"
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
Comment 9 John Dennis 2007-09-26 11:10:33 EDT
Hi Dan, re comment #7, there is a version of setroubleshoot in f7 testing which
uses system dbus, the policy changes you put in for F-8 are required.

If you can backport the policy changes into F7 that would be great. I supose the
other option would be to package the policy with the setroubleshoot rpm.
Comment 10 Todd Zullinger 2007-09-27 12:56:55 EDT
I updated to selinux-policy-2.6.4-45.fc7 from koji and along with the just built
libselinux-2.0.14-9.fc7, setroubleshoot-1.10.1-1.fc7 seems to work nicely (as
does the freshly built setroubleshoot-1.10.6-1.fc7).

Thanks John and Dan!
Comment 11 Daniel Walsh 2007-09-27 15:26:57 EDT
selinux-policy-2.6.4-45.fc7 should be in testing shortly.  
Comment 12 Todd Zullinger 2007-09-27 15:45:47 EDT
(In reply to comment #11)
> selinux-policy-2.6.4-45.fc7 should be in testing shortly.  

Thanks Dan.  One thing I noticed after installing it was that dbus (messagebus)
needed a restart, along with what seemed to be numerous other services that
depend on it - NetworkManager, ConsoleKit, avahi, and some others I'm likely
forgetting.  I ended up rebooting to ensure that all the pieces were restarted.
 I don't know if this was just a fluke or something odd about my system.  I
figured it's worth noting though, in case it's something you'll recognize and
see an easy fix for.  I'll also note this in bodhi when I see the update hit
testing.
Comment 13 Paul Jenner 2007-10-08 16:23:34 EDT
Works for me on F7 with the update (and has since the update was released). Can
this be closed?

Note You need to log in before you can comment on or make changes to this bug.