Bug 428704 - selinux preventing apache mod_dnssd operation
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-01-14 13:47 EST by Mace Moneta
Modified: 2008-03-05 17:17 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 17:17:27 EST


Description Mace Moneta 2008-01-14 13:47:19 EST
Description of problem:

I installed package mod_dnssd for apache.  Enabled the httpd_dbus_avahi boolean:

$ getsebool -a | grep -i dbus
allow_httpd_dbus_avahi --> on

Restarted the server (service httpd restart).

The log shows:

[error] avahi_client_new() failed: Access denied

audit2allow reports:

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;

However, attempting to add the local policy statement reports:

local.te:56:ERROR 'unknown class dbus used in rule' at token ';' on line 3240:
#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;

(types httpd_t and system_dbusd_t have been added to the require).

If selinux is set permissive, apache starts correctly and advertises itself via
avahi (using avahi-discover to verify).


Version-Release number of selected component (if applicable):

avahi-0.6.21-8.fc8
avahi-compat-libdns_sd-0.6.21-8.fc8
avahi-glib-0.6.21-8.fc8
avahi-qt3-0.6.21-8.fc8
avahi-tools-0.6.21-8.fc8
kdnssd-avahi-0.1.3-0.2.20060713svn.fc8
libselinux-2.0.43-1.fc8
libselinux-devel-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
mod_dnssd-0.5-5.fc8
selinux-policy-3.0.8-73.fc8
selinux-policy-devel-3.0.8-73.fc8
selinux-policy-targeted-3.0.8-73.fc8


How reproducible:

Every time.

Steps to Reproduce:
1. yum install mod_dnssd
2. setsebool -P allow_httpd_dbus_avahi on
3. service httpd restart
  
Actual results:

Failure to advertise web server via avahi

Expected results:

Web server known to avahi.

Additional info:
Comment 1 Daniel Walsh 2008-01-14 14:20:33 EST
You need to add 

gen_requires(`
class dbus;
')
to get your policy to work.

Fixed in selinux-policy-3.0.8-76.fc8
Comment 2 Mace Moneta 2008-01-14 15:50:44 EST
OK, what I actually needed to do in my local policy, in case anyone runs into
this, is:

policy_module(local, 1.0)

require {
   class dbus { send_msg };
   type httpd_t;
   type system_dbusd_t;
}

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
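
An added example, not part of the original report and not code from the selinux-policy project: a small Python check that reproduces why the first attempt failed with 'unknown class dbus used in rule'. It scans a local .te module for types, classes and permissions used in allow rules but never declared in the module. The names check_requires, BROKEN_TE and FIXED_TE are assumptions made here, and only plain allow rules with a single source and target type are handled (no attributes, type sets or interface macros).

```python
import re

# Constructed sample: the module as first attempted in the report, with both
# types in the require block but no declaration of the dbus class.
BROKEN_TE = """\
policy_module(local, 1.0)

require {
   type httpd_t;
   type system_dbusd_t;
}

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
"""

# The working module from comment 2: the same text plus the class declaration.
FIXED_TE = BROKEN_TE.replace("require {\n", "require {\n   class dbus { send_msg };\n")


def check_requires(te_source):
    """Return a list of symbols used in allow rules but not declared."""
    src = re.sub(r"#.*", "", te_source)  # strip comments to end of line
    # 'type a;' or 'type a, b;' statements (require entries or declarations).
    types = set()
    for m in re.finditer(r"\btype\s+([\w\s,]+);", src):
        types |= set(re.findall(r"\w+", m.group(1)))
    # 'class c perm;' or 'class c { p1 p2 };' -> {class: set of permissions}.
    classes = {}
    for m in re.finditer(r"\bclass\s+(\w+)\s*(\{[^}]*\}|\w+)?\s*;", src):
        perms = re.findall(r"\w+", m.group(2) or "")
        classes.setdefault(m.group(1), set()).update(perms)
    problems = []
    rule = r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;"
    for source, target, cls, perms in re.findall(rule, src):
        for name in (source, target):
            if name != "self" and name not in types:
                problems.append(f"type {name} not in require")
        if cls not in classes:
            problems.append(f"class {cls} not in require")
            continue
        for perm in sorted(set(re.findall(r"\w+", perms)) - classes[cls]):
            problems.append(f"permission {cls}:{perm} not in require")
    return problems


if __name__ == "__main__":
    print("first attempt:", check_requires(BROKEN_TE))
    print("comment 2    :", check_requires(FIXED_TE))
```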

Comment 3 Daniel Walsh 2008-03-05 17:17:27 EST
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.
