Bug 485733 - Various denials
Summary: Various denials
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 517000
Reported: 2009-02-16 16:29 UTC by Orion Poplawski
Modified: 2009-08-18 20:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-18 20:11:25 UTC
Type: ---
Embargoed:


Description Orion Poplawski 2009-02-16 16:29:09 UTC
Description of problem:

This is a xen guest.

type=1400 audit(1234799964.375:4): avc:  denied  { sys_tty_config } for  pid=1106 comm="sa1" capability=26 scontext=system_u:system_r:sysstat_t:s0 tcontext=system_u:system_r:sysstat_t:s0 tclass=capability
type=1400 audit(1234799968.846:5): avc:  denied  { read write } for  pid=1272 comm="console-kit-dae" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=1400 audit(1234799972.086:6): avc:  denied  { read write } for  pid=1412 comm="wpa_supplicant" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket
type=1400 audit(1234799972.149:7): avc:  denied  { read write } for  pid=1414 comm="nm-system-setti" path="socket:[5692]" dev=sockfs ino=5692 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.6.5-3.fc11.noarch

Comment 1 Daniel Walsh 2009-02-16 17:54:26 UTC
Looks like dbus is leaking an open file descriptor.  Do you use ldap for passwd/usernames?

The two tcp_socket avc's are leaked file descriptors.


allow sysstat_t self:capability sys_tty_config;

Fixed in selinux-policy-3.6.6-1.fc11

Comment 2 Orion Poplawski 2009-02-16 18:00:20 UTC
Yes, I use ldap.  Need to reassign to dbus?

Comment 3 Daniel Walsh 2009-02-16 18:04:06 UTC
Nope this is a nss_ldap problem, that is supposed to be fixed.

Comment 4 Nalin Dahyabhai 2009-02-16 18:56:52 UTC
(In reply to comment #3)
> Nope this is a nss_ldap problem, that is supposed to be fixed.

Which version of that package is installed?

Comment 5 Orion Poplawski 2009-02-16 19:05:30 UTC
nss_ldap-264-1.fc11.x86_64

Comment 6 Bug Zapper 2009-06-09 11:25:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Nalin Dahyabhai 2009-08-18 14:42:25 UTC
Does the update at https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8564 resolve this?

Comment 8 Orion Poplawski 2009-08-18 20:11:25 UTC
Yes, and all other avc denials are gone as well.
