Bug 485733 - Various denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 11
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Blocks: 517000

Reported: 2009-02-16 11:29 EST by Orion Poplawski
Modified: 2009-08-18 16:11 EDT

Doc Type: Bug Fix
Last Closed: 2009-08-18 16:11:25 EDT
Description Orion Poplawski 2009-02-16 11:29:09 EST
Description of problem:

This is a xen guest.

type=1400 audit(1234799964.375:4): avc:  denied  { sys_tty_config } for  pid=1106 comm="sa1" capability=26 scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability
type=1400 audit(1234799968.846:5): avc:  denied  { read write } for  pid=1272 comm="console-kit-dae" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=1400 audit(1234799972.086:6): avc:  denied  { read write } for  pid=1412 comm="wpa_supplicant" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=1400 audit(1234799972.149:7): avc:  denied  { read write } for  pid=1414 comm="nm-system-setti" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.6.5-3.fc11.noarch
Comment 1 Daniel Walsh 2009-02-16 12:54:26 EST
Looks like dbus is leaking an open file descriptor.  Do you use ldap for passwd/usernames?

The two tcp_socket avc's are leaked file descriptors.


allow sysstat_t self:capability sys_tty_config;

Fixed in selinux-policy-3.6.6-1.fc11
Comment 2 Orion Poplawski 2009-02-16 13:00:20 EST
Yes, I use ldap.  Need to reassign to dbus?
Comment 3 Daniel Walsh 2009-02-16 13:04:06 EST
Nope this is a nss_ldap problem, that is supposed to be fixed.
Comment 4 Nalin Dahyabhai 2009-02-16 13:56:52 EST
(In reply to comment #3)
> Nope this is a nss_ldap problem, that is supposed to be fixed.

Which version of that package is installed?
Comment 5 Orion Poplawski 2009-02-16 14:05:30 EST
nss_ldap-264-1.fc11.x86_64
Comment 6 Bug Zapper 2009-06-09 07:25:09 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Nalin Dahyabhai 2009-08-18 10:42:25 EDT
Does the update at https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8564 resolve this?
Comment 8 Orion Poplawski 2009-08-18 16:11:25 EDT
Yes, and all other avc denials are gone as well.
