Bug 483173 - SELinux prevents nm-system-setti (system_dbusd_t) "getsched"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
x86_64 Linux
low Severity medium
Assigned To: Daniel Walsh
Reported: 2009-01-29 18:43 EST by dennis.burian
Modified: 2012-10-15 09:51 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 03:59:31 EDT
Description dennis.burian 2009-01-29 18:43:07 EST
Description of problem:  Below is the output from a setroubleshoot browser window.  This bug appeared after a system update I did today.

SELinux is preventing nm-system-setti (system_dbusd_t) "getsched" to <Unknown>

Detailed Description:

SELinux denied access requested by nm-system-setti. It is not expected that this
access is required by nm-system-setti and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t
Target Context                system_u:system_r:system_dbusd_t
Target Objects                None [ process ]
Source                        nm-system-setti
Source Path                   /usr/sbin/nm-system-settings
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           NetworkManager-0.7.0-3.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 29 Jan 2009 10:29:54 AM CST
Last Seen                     Thu 29 Jan 2009 10:29:54 AM CST
Local ID                      8a9d7731-b706-4142-8a80-d9a076cc1cff
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1233246594.870:17): avc:  denied  { getsched } for  pid=4740 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1233246594.870:17): arch=c000003e syscall=145 success=no exit=-13 a0=1284 a1=2af4ef28e1d0 a2=d a3=0 items=0 ppid=1 pid=4740 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nm-system-setti" exe="/usr/sbin/nm-system-settings" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-01-30 08:42:29 EST
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-2.4.6-206.el5
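
What the audit2allow pipeline in Comment 1 derives from the AVC record in this report, shown as an added example that is not part of the bug thread and not audit2allow's own code: an awk filter that maps a denial to its allow rule and, unlike a bare `grep avc`, keeps only denials from one named command. The helper names, the second log line and its `exampled`/`example_*` names are constructed for illustration.

```shell
#!/bin/sh
# Sample input. Line 1 is the AVC record from this report; line 2 is a
# constructed, unrelated denial (hypothetical "exampled" daemon and types).
sample_log() {
cat <<'EOF'
host=localhost.localdomain type=AVC msg=audit(1233246594.870:17): avc:  denied  { getsched } for  pid=4740 comm="nm-system-setti" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=localhost.localdomain type=AVC msg=audit(1233246600.100:21): avc:  denied  { read write } for  pid=5000 comm="exampled" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
EOF
}

# avc_to_rules COMM (hypothetical helper): read audit records on stdin and
# print one allow rule per AVC denial whose comm= field equals COMM.
avc_to_rules() {
  awk -v want="$1" '
    / avc: +denied / {
      comm = src = tgt = cls = ""
      # Permissions are the words between "{" and "}".
      b = index($0, "{"); e = index($0, "}")
      perms = substr($0, b + 1, e - b - 1)
      gsub(/^ +| +$/, "", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        # Contexts are user:role:type[:level]; policy rules use the type.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      if (comm != want) next
      # A domain acting on its own type is written "self".
      if (tgt == src) tgt = "self"
      if (perms ~ / /) perms = "{ " perms " }"
      print "allow " src " " tgt ":" cls " " perms ";"
    }'
}

# Only the NetworkManager denial is turned into a rule.
sample_log | avc_to_rules nm-system-setti
```

On a real host, `audit2allow -M mypol` also writes the generated source to `mypol.te`; reading that file before `semodule -i mypol.pp` shows every rule the module will add.
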
Comment 8 errata-xmlrpc 2009-09-02 03:59:31 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

