Bug 457088 - SELinux is preventing the 00-netreport (system_dbusd_t) from executing ./00-netreport
Status: CLOSED DUPLICATE of bug 457051
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-07-29 11:31 EDT by Charlie Brady
Modified: 2008-07-29 14:46 EDT
Doc Type: Bug Fix
Last Closed: 2008-07-29 14:46:42 EDT

Description Charlie Brady 2008-07-29 11:31:09 EDT
FC9, fully updated, with FS relabelled at last boot, running in permissive mode.

[charlieb@localhost ~]$ sealert -l 50a8fb8a-3280-45ab-bee7-17b3f425476c

Summary:

SELinux is preventing the 00-netreport (system_dbusd_t) from executing
./00-netreport.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux has denied the 00-netreport from executing ./00-netreport. If
00-netreport is supposed to be able to execute ./00-netreport, this could be a
labeling problem. Most confined domains are allowed to execute files labeled
bin_t. So you could change the labeling on this file to bin_t and retry the
application. If this 00-netreport is not supposed to execute ./00-netreport,
this could signal a intrusion attempt.

Allowing Access:

If you want to allow 00-netreport to execute ./00-netreport: chcon -t bin_t
'./00-netreport' If this fix works, please update the file context on disk, with
the following command: semanage fcontext -a -t bin_t './00-netreport' Please
specify the full path to the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                ./00-netreport [ file ]
Source                        00-netreport
Source Path                   /bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-79.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   execute
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.25.11-97.fc9.x86_64 #1 SMP Mon Jul 21 01:09:10
                              EDT 2008 x86_64 x86_64
Alert Count                   101
First Seen                    Sun May 11 15:37:06 2008
Last Seen                     Tue Jul 29 09:14:00 2008
Local ID                      50a8fb8a-3280-45ab-bee7-17b3f425476c
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1217337240.290:181): avc:  denied
 { execute } for  pid=3104 comm="nm-dispatcher.a" name="00-netreport" dev=dm-0
ino=8880217 scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1217337240.290:181): avc:  denied
 { execute_no_trans } for  pid=3104 comm="nm-dispatcher.a"
path="/etc/NetworkManager/dispatcher.d/00-netreport" dev=dm-0 ino=8880217
scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file

host=localhost.localdomain type=AVC msg=audit(1217337240.290:181): avc:  denied
 { execute } for  pid=3104 comm="nm-dispatcher.a" name="bash" dev=dm-0 ino=18611
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1217337240.290:181): avc:  denied
 { read } for  pid=3104 comm="nm-dispatcher.a" name="bash" dev=dm-0 ino=18611
scontext=system_u:system_r:system_dbusd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1217337240.290:181):
arch=c000003e syscall=59 success=yes exit=0 a0=897640 a1=7fff84310610
a2=7fff84310580 a3=0 items=0 ppid=3103 pid=3104 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="00-netreport" exe="/bin/bash" subj=system_u:system_r:system_dbusd_t:s0
key=(null)



[charlieb@localhost ~]$
Comment 1 Daniel Walsh 2008-07-29 14:46:42 EDT

*** This bug has been marked as a duplicate of 457051 ***
