Description of problem:
After update to RHEL 5.3, there is SELinux denial for nm-system-setti

Summary:
SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown> (system_dbusd_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-203.el5

How reproducible:
Update RHEL5.2 to 5.3

Additional info:

Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:system_r:system_dbusd_t
Target Objects                None [ process ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          ...
Source RPM Packages           NetworkManager-0.7.0-3.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ...
Platform                      Linux ... 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   2
First Seen                    Wed 21 Jan 2009 11:08:00 AM MSK
Last Seen                     Wed 21 Jan 2009 11:08:00 AM MSK
Local ID                      ...
Line Numbers

Raw Audit Messages

host=... type=AVC msg=audit(1232525280.355:16): avc: denied { getsched } for pid=3318 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process

host=... type=SYSCALL msg=audit(1232525280.355:16): arch=40000003 syscall=157 success=no exit=-13 a0=cf6 a1=ffffff94 a2=ceeff4 a3=b7fd7700 items=0 ppid=1 pid=3318 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
Fixed in selinux-policy-2.4.6-207.el5

Preview to U4 policy is available on http://people.redhat.com/dwalsh/SElinux/RHEL5
Comment #1 appears to have a typo in the URL. I am guessing the correct URL is http://people.redhat.com/dwalsh/SELinux/RHEL5/ (note the capital "L" in "SELinux").
Daniel, Can you please let me know how to resolve this fix in my installation. A new installation of Red Hat 5 here also came up with these errors following installation and then after completion of several software updates. Regards, John. hslredhat.uk
You can add your own custom policy to add just this rule by executing

    # grep dbus /var/log/audit/audit.log | audit2allow -M mydbus
    # semodule -i mydbus.pp

This will modify policy on your machine to allow the access that is being denied.

You could also just download the policy on http://people.redhat.com/dwalsh/SELinux/RHEL5/ and install it, which should work fine on your machine. When RHEL5.4 comes out it will still update your policy if a newer version has been released.
~~ Attention - RHEL 5.4 Beta Released! ~~ RHEL 5.4 Beta has been released! There should be a fix present in the Beta release that addresses this particular request. Please test and report back results here, at your earliest convenience. RHEL 5.4 General Availability release is just around the corner! If you encounter any issues while testing Beta, please describe the issues you have encountered and set the bug into NEED_INFO. If you encounter new issues, please clone this bug to open a new issue and request it be reviewed for inclusion in RHEL 5.4 or a later update, if it is not of urgent severity. Please do not flip the bug status to VERIFIED. Only post your verification results, and if available, update Verified field with the appropriate value. Questions can be posted to this bug or your customer or partner representative.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html