Bug 441405 - AVC denial at opening configure services
Product: Fedora
Classification: Fedora
Component: selinux-policy
i386 Linux
low Severity low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-04-07 17:11 EDT by Rafael Levi
Modified: 2008-04-08 10:05 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-08 10:05:39 EDT
Description Rafael Levi 2008-04-07 17:11:20 EDT
Description of problem:
When I open service configuration SELinux sends the following message:
SELinux is preventing gam_server (gamin_t) "sys_ptrace" to <Unknown> (gamin_t).

Could not fix with

audit2allow -m local -l -i /var/log/messages > local.te

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Open service configuration
Actual results:
AVC denial

Expected results:

Additional info:
Comment 1 Daniel Walsh 2008-04-07 22:37:02 EDT
Please attach the AVC messages.
Comment 2 Rafael Levi 2008-04-08 03:24:18 EDT
Summary
SELinux is preventing gam_server (gamin_t) "sys_ptrace" to <Unknown>
(gamin_t).

Detailed Description
SELinux denied access requested by gam_server. It is not expected
that this access is required by gam_server and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:gamin_t:s0
Target Context:  system_u:system_r:gamin_t:s0
Target Objects:  None [ capability ]
Source:  gam_server
Source Path:  /usr/libexec/gam_server
Port:  <Unknown>
Host:  buoy
Source RPM Packages:  gamin-0.1.9-5.fc9
Target RPM Packages:
Policy RPM:  selinux-policy-3.3.1-28.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:
Plugin Name:  catchall
Host Name:  buoy
Platform:  Linux buoy 2.6.25-0.195.rc8.git1.fc9.i686 #1 SMP Thu Apr 3 09:42:34 EDT 2008 i686 i686
Alert Count:  2838
First Seen:  Sun 06 Apr 2008 10:27:16 PM CEST
Last Seen:  Tue 08 Apr 2008 09:17:43 AM CEST
Local ID:  fd3ca823-e0e2-4101-bc28-cb410b7938dd
Line Numbers:
Raw Audit Messages :
host=buoy type=AVC msg=audit(1207639063.815:2330): avc: denied { sys_ptrace }
for pid=2848 comm="gam_server" capability=19
scontext=system_u:system_r:gamin_t:s0 tcontext=system_u:system_r:gamin_t:s0

host=buoy type=SYSCALL msg=audit(1207639063.815:2330): arch=40000003 syscall=195
success=no exit=-13 a0=81d4ab0 a1=bfc6a2a0 a2=4ceff4 a3=bfc6a43c items=0 ppid=1
pid=2848 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server"
subj=system_u:system_r:gamin_t:s0 key=(null) 
Comment 3 Daniel Walsh 2008-04-08 10:05:39 EDT
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
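
Before loading a module built with the audit2allow -M command from Comment 3, it helps to see which rule the denial in Comment 2 turns into. The following is an added example, not part of the bug report and not audit2allow's own code: a small Python parser that turns AVC denial lines into allow rules. The second sample record is constructed, and treating a record with capability= but no tclass= as class "capability" is an assumption that matches the "Target Objects: None [ capability ]" line above.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record from Comment 2 joined onto one line,
# one constructed record with an explicit tclass= field, and a non-AVC record.
SAMPLE_LOG = """\
host=buoy type=AVC msg=audit(1207639063.815:2330): avc: denied { sys_ptrace } for pid=2848 comm="gam_server" capability=19 scontext=system_u:system_r:gamin_t:s0 tcontext=system_u:system_r:gamin_t:s0
type=AVC msg=audit(1207639064.000:2331): avc: denied { read write } for pid=3000 comm="example" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1207639063.815:2330): arch=40000003 syscall=195 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # A context is user:role:type:level; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    # Assumption: capability= without tclass= means class "capability".
    tclass = fields.get("tclass") or ("capability" if "capability" in fields else None)
    if tclass is None:
        return None
    return stype, ttype, tclass, frozenset(m.group("perms").split())

def allow_rules(log_text):
    """Merge denials into sorted allow rules, writing 'self' when source == target."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            merged[(stype, "self" if stype == ttype else ttype, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Reading the rule list first shows exactly which permissions a local module would grant before semodule -i makes them active.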
