Bug 458037 - dbus/policykit enabled system-config-services doesn't work with SELinux/targeted enforcing
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 458547 459341
Reported: 2008-08-06 05:09 EDT by Nils Philippsen
Modified: 2008-09-02 16:15 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-08-29 12:35:08 EDT

Attachments
Output of "system-config-services" when run in SELinux enforcing mode (1.23 KB, text/plain)
2008-08-06 05:12 EDT, Nils Philippsen
AVC alerts from running system-config-services in permissive mode (132.33 KB, text/plain)
2008-08-06 05:13 EDT, Nils Philippsen
Output of "ausearch -m avc -ts today | audit2allow -m systemconfigservices" from running system-config-services in permissive mode (5.78 KB, text/plain)
2008-08-06 05:14 EDT, Nils Philippsen
Output of "ausearch -m avc -ts today -sv no" from running system-config-services in permissive mode (1.77 KB, text/plain)
2008-08-18 05:00 EDT, Nils Philippsen
SELinux AVC starting services (3.12 KB, text/plain)
2008-08-30 17:10 EDT, Flóki Pálsson
starting system-config-services from terminal (1.31 KB, text/plain)
2008-08-30 17:21 EDT, Flóki Pálsson

Description Nils Philippsen 2008-08-06 05:09:50 EDT
Description of problem:
System-config-services for F10 is made to use PolicyKit to separate UI from code that needs privileges. If started with SELinux/targeted enforcing, the system dbus-daemon fails to start the associated privileged dbus service/mechanism (/usr/share/system-config-services/system-config-services-mechanism.py). If started in permissive mode, there are a lot more AVC alerts related to how the mechanism monitors the services, starts/stops/enables/disables them.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.1-4.fc10.noarch
system-config-services-0.99.21-1.fc10.noarch

How reproducible:
Reproducible.

Steps to Reproduce:
1. "setenforce 1"
2. Start "system-config-services" from the command line
3. "setenforce 0", then repeat
  
Actual results:
In enforcing mode, it fails to start completely (see attached error message). In permissive mode, a lot of AVC alerts are logged (see attached ausearch and audit2allow output).

Expected results:
No error messages, system-config-services is running without generating AVC alerts.

Additional info:
The mechanism used needs to read/monitor files in /etc/{init.d,rc?.d,xinetd.d}, /var/lock/subsys, /proc/<pids>, ... as well as chkconfig/so the mechanism may need an SELinux type/role of its own (not sure about the nomenclature).
Comment 1 Nils Philippsen 2008-08-06 05:12:26 EDT
Created attachment 313536 [details]
Output of "system-config-services" when run in SELinux enforcing mode
Comment 2 Nils Philippsen 2008-08-06 05:13:23 EDT
Created attachment 313537 [details]
AVC alerts from running system-config-services in permissive mode
Comment 3 Nils Philippsen 2008-08-06 05:14:42 EDT
Created attachment 313538 [details]
Output of "ausearch -m avc -ts today | audit2allow -m systemconfigservices" from running system-config-services in permissive mode
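Added example, not part of the original bug report or its attachments: a small Python summarizer for the triage step used above (`ausearch -m avc` piped into `audit2allow`), which collapses AVC denials into one candidate allow rule per (source type, target type, class). The sample records are constructed, the function names are hypothetical, and `initrc_exec_t` and `var_lock_t` are illustrative target types; only `system_dbusd_t` comes from this bug.

```python
import re
from collections import defaultdict

# Constructed records in the layout printed by "ausearch -m avc";
# they are NOT copied from the attachments of this bug.
SAMPLE = """\
type=AVC msg=audit(1218013945.101:41): avc:  denied  { execute } for  pid=2301 comm="dbus-daemon" name="example-service" dev=dm-0 ino=1001 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1218013945.101:41): arch=40000003 syscall=11 success=no exit=-13 comm="dbus-daemon"
type=AVC msg=audit(1218013945.207:42): avc:  denied  { read } for  pid=2301 comm="dbus-daemon" name="example-service" dev=dm-0 ino=1001 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1218013946.310:43): avc:  denied  { search } for  pid=2301 comm="dbus-daemon" name="subsys" dev=dm-0 ino=2002 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL/PATH records and non-denials are skipped
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def as_allow_rules(rules):
    """Render the summary as candidate allow rules, one per key, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return out


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

Grouping by target type also shows when a denial points at an unexpected label on a file rather than at a missing rule, in which case relabeling is the fix and no rule should be added.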
Comment 4 Daniel Walsh 2008-08-07 08:24:55 EDT
Fixed in selinux-policy-3.5.2-2.fc10
Comment 5 Nils Philippsen 2008-08-11 03:48:35 EDT
*** Bug 458547 has been marked as a duplicate of this bug. ***
Comment 6 Nils Philippsen 2008-08-11 04:12:30 EDT
Dan, do you have this in a private repository? I can't find this version in Koji:

nils@gibraltar:~> koji latest-pkg dist-f10 selinux-policy
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
selinux-policy-3.5.1-4.fc10               dist-f10              dwalsh
Comment 7 Daniel Walsh 2008-08-12 15:05:14 EDT
Sorry I finally got an update to build
Comment 8 Nils Philippsen 2008-08-12 17:47:08 EDT
No sweat, I just noticed that you fixed things in versions not generally available ;-).
Comment 9 Daniel Walsh 2008-08-13 12:32:29 EDT
I usually update the bugzilla with whatever the next version the fix will be in.  The build usually happens at the end of the day.  In this case the build kept blowing up.   So it took a while.
Comment 10 Nils Philippsen 2008-08-18 04:59:12 EDT
Unfortunately, it doesn't work with 3.5.4-1.fc10. I'll attach "ausearch" output.
Comment 11 Nils Philippsen 2008-08-18 05:00:28 EDT
Created attachment 314467 [details]
Output of "ausearch -m avc -ts today -sv no" from running system-config-services in permissive mode
Comment 12 Daniel Walsh 2008-08-18 07:34:54 EDT
It is working for me in selinux-policy-3.5.5-1.fc10   

Once koji comes back up I will update to this policy.

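You can install a policy module by copying the following into a file labeled mydbus.te

policy_module(mydbus, 1.0)
# Declare the existing type this module refers to
gen_require(`
               type system_dbusd_t;
')

# Let system_dbusd_t execute init scripts with a domain transition
init_domtrans_script(system_dbusd_t)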


# Then compile and install the module

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mydbus.pp

Should fix the problem.
Comment 13 Nils Philippsen 2008-08-22 05:28:14 EDT
*** Bug 459341 has been marked as a duplicate of this bug. ***
Comment 14 Flóki Pálsson 2008-08-30 17:10:27 EDT
Created attachment 315429 [details]
SELinux AVC starting services
Comment 15 Flóki Pálsson 2008-08-30 17:17:03 EDT
It's not working (selinux-policy-3.5.5-1.fc10) for me.
Comment 16 Flóki Pálsson 2008-08-30 17:21:28 EDT
Created attachment 315430 [details]
starting system-config-services from terminal
Comment 17 Daniel Walsh 2008-09-02 16:15:31 EDT
restorecon -v /usr/share/system-config-services/system-config-services-mechanism.py
