Description of problem:
setroubleshootd is blocked from starting by SELinux on my notebook. I am quite sure that I haven't made changes in the policies which should affect it (I don't even know how I would do it). See attached audit.log.

audit2allow generated for me this module, which made setroubleshootd work again:

module newsetroubleshoot 1.0;

require {
	type system_dbusd_var_run_t;
	type user_home_t;
	type setroubleshootd_t;
	type system_dbusd_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class lnk_file read;
	class dbus { acquire_svc send_msg };
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t system_dbusd_t:dbus { acquire_svc send_msg };
allow setroubleshootd_t system_dbusd_t:unix_stream_socket connectto;
allow setroubleshootd_t system_dbusd_var_run_t:sock_file write;
allow setroubleshootd_t user_home_t:lnk_file read;

Version-Release number of selected component (if applicable):
setroubleshoot-server-1.10.1-1.fc7
setroubleshoot-1.10.1-1.fc7
setroubleshoot-plugins-1.10.1-1.fc7
selinux-policy-targeted-2.6.4-42.fc7
selinux-policy-2.6.4-42.fc7

How reproducible:
100%

Steps to Reproduce:
1. Just restart the computer.

Actual results:
No alerts on AVC denials.

Expected results:
There should be.

Additional info:
Created attachment 194701: audit-log
The setroubleshoot package needs a newer version of the selinux policy. Upgrading to policy version 3.0.7-10 or higher should fix the problem. I'm adding a requires to the setroubleshoot spec to enforce this. If upgrading your policy fixes the problem please close this bug, thank you.
*** Bug 284031 has been marked as a duplicate of this bug. ***
*** Bug 283101 has been marked as a duplicate of this bug. ***
Where could I get 3.0 policy for F7?
Ping. The latest selinux-policy available for F7 is 2.6.4-43.fc7 (2.6.4-44.fc7 has been built but not yet pushed, though nothing in the changelog makes me think it'll fix this issue). If selinux-policy >= 3.0 is required, why is the setroubleshoot update in updates-testing? I don't see any signs that an selinux-policy update to >= 3.0 is imminent for F7. Is there a bug filed against selinux-policy about this? Would it be possible for Dan to put whatever dbus policy changes are needed into selinux-policy-2.6.4 and push it to F7? Otherwise, anyone who has enabled updates-testing has a broken setroubleshootd. (FWIW, dropping back to setroubleshoot-1.9.4-2.fc7 still works.)
selinux-policy > 3 is not going into F7. What change does setroubleshoot need? Please do not require the newer version. If you need setroubleshoot policy backported to F7, I will do it.
When trying to start setroubleshootd, I get these denials (in permissive mode):

type=AVC msg=audit(1190818601.954:35): avc: denied { write } for pid=3913 comm="setroubleshootd" name="system_bus_socket" dev=sda2 ino=2413570 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1190818601.954:35): avc: denied { connectto } for pid=3913 comm="setroubleshootd" name="system_bus_socket" scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
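The module in comment #1 is what audit2allow derives from denials like the two above. As an added example, not code from anyone in this bug nor from the setroubleshoot or selinux-policy packages, the following Python makes that derivation explicit: it parses the two AVC lines quoted above (embedded as a constructed sample), reduces each to (source type, target type, class, permissions), merges denials that share a triple, and renders a .te module in the same shape as comment #1's. The function names and the module name `local_setroubleshoot` are my own; the real tool is `audit2allow -M`. The point worth keeping in mind when reading such output: every allow rule is exactly what was denied, so the result should be reviewed before `semodule -i`, not installed blindly.

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC denials quoted in this comment, verbatim.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1190818601.954:35): avc: denied { write } for pid=3913 comm="setroubleshootd" name="system_bus_socket" dev=sda2 ino=2413570 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1190818601.954:35): avc: denied { connectto } for pid=3913 comm="setroubleshootd" name="system_bus_socket" scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
"""

# Pull the denied permission set and the three fields a TE rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:level] -> type (the only component a TE rule uses)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, perms) per denial line."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL/PATH lines in a real audit.log)
        denials.append((
            selinux_type(m["scontext"]),
            selinux_type(m["tcontext"]),
            m["tclass"],
            tuple(sorted(m["perms"].split())),
        ))
    return denials


def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """Merge denials sharing (src, tgt, class) and render them as allow rules."""
    merged = OrderedDict()
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return [f"allow {src} {tgt}:{cls} {_perm_str(perms)};"
            for (src, tgt, cls), perms in merged.items()]


def policy_module(name, version, denials):
    """Render loadable-module source (.te) in the layout audit2allow -M produces."""
    types = sorted({t for src, tgt, _, _ in denials for t in (src, tgt)})
    classes = OrderedDict()
    for _, _, cls, perms in denials:
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_str(perms)};" for cls, perms in classes.items()]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Module name is a hypothetical choice for this example.
    print(policy_module("local_setroubleshoot", "1.0", parse_avc(SAMPLE_AUDIT)), end="")
```

This is a deliberately minimal version of what audit2allow does: it ignores the MLS level, never emits dontaudit, and does not translate rules into reference-policy interfaces the way the shipped selinux-policy does (which is why the proper fix in this thread is a policy update rather than a local module).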
Hi Dan, re comment #7, there is a version of setroubleshoot in F7 testing which uses the system dbus, so the policy changes you put in for F-8 are required. If you can backport the policy changes into F7 that would be great. I suppose the other option would be to package the policy with the setroubleshoot rpm.
I updated to selinux-policy-2.6.4-45.fc7 from koji and along with the just built libselinux-2.0.14-9.fc7, setroubleshoot-1.10.1-1.fc7 seems to work nicely (as does the freshly built setroubleshoot-1.10.6-1.fc7). Thanks John and Dan!
selinux-policy-2.6.4-45.fc7 should be in testing shortly.
(In reply to comment #11)
> selinux-policy-2.6.4-45.fc7 should be in testing shortly.

Thanks Dan. One thing I noticed after installing it was that dbus (messagebus) needed a restart, along with what seemed to be numerous other services that depend on it: NetworkManager, ConsoleKit, avahi, and some others I'm likely forgetting. I ended up rebooting to ensure that all the pieces were restarted. I don't know if this was just a fluke or something odd about my system. I figured it's worth noting though, in case it's something you'll recognize and see an easy fix for. I'll also note this in bodhi when I see the update hit testing.
Works for me on F7 with the update (and has since the update was released). Can this be closed?