Description of problem: Summary SELinux is preventing /usr/bin/mugshot (user_mugshot_t) "connectto" to <Unknown> (user_dbusd_t). Detailed Description SELinux denied access requested by /usr/bin/mugshot. It is not expected that this access is required by /usr/bin/mugshot and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context user2_u:user_r:user_mugshot_t:s0 Target Context user2_u:user_r:user_dbusd_t:s0 Target Objects None [ unix_stream_socket ] Affected RPM Packages mugshot-1.1.56-1.fc8 [application] Policy RPM selinux-policy-3.0.8-24.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23.1-23.fc8 #1 SMP Wed Oct 17 18:12:05 EDT 2007 i686 i686 Alert Count 15 First Seen Thu Oct 18 14:30:43 2007 Last Seen Fri Oct 19 12:42:30 2007 Local ID 8c6eb477-1516-4653-b770-babec800d894 Line Numbers Raw Audit Messages avc: denied { connectto } for comm=mugshot egid=512 euid=511 exe=/usr/bin/mugshot exit=-13 fsgid=512 fsuid=511 gid=512 items=0 path=002F746D702F646275732D6A443559614E50647141 pid=8464 scontext=user2_u:user_r:user_mugshot_t:s0 sgid=512 subj=user2_u:user_r:user_mugshot_t:s0 suid=511 tclass=unix_stream_socket tcontext=user2_u:user_r:user_dbusd_t:s0 tty=(none) uid=511 Was caused by: Missing or disabled TE allow rule. Allow rules may exist but be disabled by boolean settings; check boolean settings. You can see the necessary allow rules by running audit2allow with this audit message as input. How reproducible: Create a policy for a domain that uses dbus. Run the confined domain as user_r. Steps to Reproduce: 1. Create a policy for a application domain that uses dbus. 2. Run the domain as user_r Actual results: Cannot connect to session bus Expected results: Not sure. I hoped that these domains would run for a user in the user_r space, Additional info: allow user_mugshot_t user_dbusd_t:unix_stream_socket connectto; will not allow this access. mono_t is also not able to do this when you run mono_t as user_r.
Your policy is wrong. You need a line like this in your per role instantiation. dbus_user_bus_client_template($1, $1_mugshot, $1_mugshot_t)