Bug 441405 - AVC denial at opening configure services
Summary: AVC denial at opening configure services
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-07 21:11 UTC by Rafael Levi
Modified: 2008-04-08 14:05 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-08 14:05:39 UTC
Type: ---
Embargoed:


Description Rafael Levi 2008-04-07 21:11:20 UTC
Description of problem:
When I open service configuration SELinux sends the following message:
SELinux is preventing gam_server (gamin_t) "sys_ptrace" to <Unknown> (gamin_t). 

could not fix with 

audit2allow -m local -l -i /var/log/messages > local.te

Version-Release number of selected component (if applicable):


How reproducible:

reproducible
Steps to Reproduce:
1. open service configuration
  
Actual results:
AVC denial

Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-04-08 02:37:02 UTC
Please attach the AVC messages.


Comment 2 Rafael Levi 2008-04-08 07:24:18 UTC
Summary
SELinux is preventing gam_server (gamin_t) "sys_ptrace" to <Unknown>
(gamin_t).

Detailed Description
SELinux denied access requested by gam_server. It is not expected
that this access is required by gam_server and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see
FAQ Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:gamin_t:s0
Target Context:  system_u:system_r:gamin_t:s0
Target Objects:  None [ capability ]
Source:  gam_server
Source Path:  /usr/libexec/gam_server
Port:  <Unknown>
Host:  buoy
Source RPM Packages:  gamin-0.1.9-5.fc9
Target RPM Packages:
Policy RPM:  selinux-policy-3.3.1-28.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  buoy
Platform:  Linux buoy 2.6.25-0.195.rc8.git1.fc9.i686 #1 SMP Thu Apr 3 09:42:34 EDT 2008 i686 i686
Alert Count:  2838
First Seen:  Sun 06 Apr 2008 10:27:16 PM CEST
Last Seen:  Tue 08 Apr 2008 09:17:43 AM CEST
Local ID:  fd3ca823-e0e2-4101-bc28-cb410b7938dd
Line Numbers:

Raw Audit Messages :
host=buoy type=AVC msg=audit(1207639063.815:2330): avc: denied { sys_ptrace }
for pid=2848 comm="gam_server" capability=19
scontext=system_u:system_r:gamin_t:s0 tcontext=system_u:system_r:gamin_t:s0
tclass=capability

host=buoy type=SYSCALL msg=audit(1207639063.815:2330): arch=40000003 syscall=195
success=no exit=-13 a0=81d4ab0 a1=bfc6a2a0 a2=4ceff4 a3=bfc6a43c items=0 ppid=1
pid=2848 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server"
subj=system_u:system_r:gamin_t:s0 key=(null) 


Comment 3 Daniel Walsh 2008-04-08 14:05:39 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
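
What the `audit2allow -M mypol` step makes of the denial in comment 2, as an added example (not part of the bug thread and not audit2allow's own code): a small Python parser that reduces AVC records to `allow` rules, so the rule can be read before a module is loaded with `semodule -i`. The function names are hypothetical, and the sample record is the one from comment 2 rejoined onto one line.

```python
import re

# AVC record from comment 2, rejoined onto one line (the tracker wrapped it).
SAMPLE = (
    'host=buoy type=AVC msg=audit(1207639063.815:2330): avc: denied '
    '{ sys_ptrace } for pid=2848 comm="gam_server" capability=19 '
    'scontext=system_u:system_r:gamin_t:s0 '
    'tcontext=system_u:system_r:gamin_t:s0 tclass=capability')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL records, granted accesses, unrelated log lines
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type[:mls-range]; the type is the third field.
        src = fields['scontext'].split(':')[2]
        tgt = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or still-wrapped record: cannot build a rule
    return {'perms': m.group('perms').split(), 'source': src,
            'target': 'self' if src == tgt else tgt,  # same type -> "self"
            'tclass': tclass, 'comm': fields.get('comm')}


def te_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d:
            key = (d['source'], d['target'], d['tclass'])
            merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


if __name__ == '__main__':
    print('\n'.join(te_rules([SAMPLE])))
```

For the record above this yields a single rule granting `gamin_t` the `sys_ptrace` capability on itself, which is the access the generated `mypol` module would allow.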

