Description of problem:
System-config-services for F10 is made to use PolicyKit to separate UI from code that needs privileges. If started with SELinux/targeted enforcing, the system dbus-daemon fails to start the associated privileged dbus service/mechanism (/usr/share/system-config-services/system-config-services-mechanism.py). If started in permissive mode, there are a lot more AVC alerts related to how the mechanism monitors the services, starts/stops/enables/disables them.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.1-4.fc10.noarch
system-config-services-0.99.21-1.fc10.noarch

How reproducible:
Reproducible.

Steps to Reproduce:
1. "setenforce 1"
2. Start "system-config-services" from the command line
3. "setenforce 0", then repeat

Actual results:
In enforcing mode, it fails to start completely (see attached error message). In permissive mode, a lot of AVC alerts are logged (see attached ausearch and audit2allow output).

Expected results:
No error messages, system-config-services is running without generating AVC alerts.

Additional info:
The mechanism used needs to read/monitor files in /etc/{init.d,rc?.d,xinetd.d}, /var/lock/subsys, /proc/<pids>, ... as well as chkconfig/so the mechanism may need an SELinux type/role of its own (not sure about the nomenclature).

Created attachment 313536: Output of "system-config-services" when run in SELinux enforcing mode
Created attachment 313537: AVC alerts from running system-config-services in permissive mode
Created attachment 313538: Output of "ausearch -m avc -ts today | audit2allow -m systemconfigservices" from running system-config-services in permissive mode
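
For readers triaging a report like this one, the following added example (not part of the original thread and not the audit2allow tool's code) shows how AVC denial records from "ausearch -m avc" collapse into one rule per source type, target type and class. The sample records are constructed for illustration and are not the contents of the attachments above; only system_dbusd_t is taken from this bug.

```python
import re
from collections import defaultdict

# Constructed sample in "ausearch -m avc" record format (NOT the bug's attachments).
SAMPLE = """\
type=AVC msg=audit(1217600000.101:41): avc:  denied  { execute } for  pid=2301 comm="dbus-daemon-lau" name="example-mechanism.py" dev=dm-0 ino=1001 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1217600000.101:41): arch=40000003 syscall=11 success=no exit=-13
type=AVC msg=audit(1217600000.102:42): avc:  denied  { read } for  pid=2301 comm="dbus-daemon-lau" name="example-mechanism.py" dev=dm-0 ino=1001 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1217600000.103:43): avc:  denied  { read search } for  pid=2302 comm="python" name="subsys" dev=dm-0 ino=2002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and anything that is not a denial
        src, tgt = type_of(m["s"]), type_of(m["t"])
        # A domain acting on its own type is written as "self" in policy rules.
        key = (src, "self" if tgt == src else tgt, m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """Format the grouped denials as allow-rule text, one line per group."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The grouped output is a reading aid for seeing which domain was denied what; the fix discussed later in this thread uses a policy interface (init_domtrans_script) rather than raw allow rules.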
Fixed in selinux-policy-3.5.2-2.fc10
*** Bug 458547 has been marked as a duplicate of this bug. ***
Dan, do you have this in a private repository? I can't find this version in Koji:

nils@gibraltar:~> koji latest-pkg dist-f10 selinux-policy
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
selinux-policy-3.5.1-4.fc10               dist-f10              dwalsh

Sorry I finally got an update to build
No sweat, I just noticed that you fixed things in versions not generally available ;-).
I usually update the bugzilla with whatever the next version the fix will be in. The build usually happens at the end of the day. In this case the build kept blowing up. So it took a while.
Unfortunately, it doesn't work with 3.5.4-1.fc10. I'll attach "ausearch" output.
Created attachment 314467: Output of "ausearch -m avc -ts today -sv no" from running system-config-services in permissive mode
It is working for me in selinux-policy-3.5.5-1.fc10. Once koji comes back up I will update to this policy.

You can install a policy module by copying the following into a file labeled mydbus.te:

policy_module(mydbus, 1.0)
gen_require(`
	type system_dbusd_t;
')
init_domtrans_script(system_dbusd_t)

# Then compile and install the module
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mydbus.pp

Should fix the problem.

*** Bug 459341 has been marked as a duplicate of this bug. ***
Created attachment 315429: SELinux AVC starting services
Is not working (selinux-policy-3.5.5-1.fc10) for me.
Created attachment 315430: starting system-config-services from terminal
restorecon -v /usr/share/system-config-services/system-config-services-mechanism.py