Bug 490386 - SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.
SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
: 490388 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-15 20:32 EDT by Jerry Amundson
Modified: 2009-03-17 14:03 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-17 14:03:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jerry Amundson 2009-03-15 20:32:56 EDT
Description of problem:
SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t. 

Version-Release number of selected component (if applicable):
avahi-0.6.24-2.fc11.i586

How reproducible:
always

Steps to Reproduce:
1.open xterm, and su -
2.service avahi-daemon status
3.
  
Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by avahi-daemon. It is not expected that this
access is required by avahi-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:avahi_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        avahi-daemon
Source Path                   /usr/sbin/avahi-daemon
Port                          <Unknown>
Host                          walnut
Source RPM Packages           avahi-0.6.24-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     walnut
Platform                      Linux walnut 2.6.29-0.237.rc7.git4.fc11.i586 #1
                              SMP Wed Mar 11 18:55:21 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Sun 15 Mar 2009 06:04:58 PM CDT
Last Seen                     Sun 15 Mar 2009 07:28:20 PM CDT
Local ID                      b3048bf5-1b9b-4367-b7fc-01f87c911afd
Line Numbers                  

Raw Audit Messages            

node=walnut type=AVC msg=audit(1237163300.876:135): avc:  denied  { read write } for  pid=3291 comm="avahi-daemon" path="socket:[12796]" dev=sockfs ino=12796 scontext=unconfined_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=walnut type=AVC msg=audit(1237163300.876:135): avc:  denied  { read write } for  pid=3291 comm="avahi-daemon" path="socket:[12810]" dev=sockfs ino=12810 scontext=unconfined_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=walnut type=SYSCALL msg=audit(1237163300.876:135): arch=40000003 syscall=11 success=yes exit=0 a0=833a620 a1=833a720 a2=833a730 a3=833a720 items=0 ppid=3288 pid=3291 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=unconfined_u:system_r:avahi_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-03-16 11:32:23 EDT
When did this happen?  Were you logged in on a Konsole and did a service avahi restart?

Did you restart avahi using some GUI?

Did it happen after a yum upgrade on a konsole terminal?
Comment 2 Daniel Walsh 2009-03-16 11:33:52 EDT
*** Bug 490388 has been marked as a duplicate of this bug. ***
Comment 3 Jerry Amundson 2009-03-16 17:20:27 EDT
(In reply to comment #1)
> When did this happen?  Were you logged in on a Konsole and did a service avahi
> restart?

I opened an xterm window, "su -", then "service avahi-daemon status".

> Did you restart avahi using some GUI?
> Did it happen after a yum upgrade on a konsole terminal?  

Prior to running the commands above, I had yum erase'd the avahi-qt3 package. Now, with avahi-qt3 installed, "service avahi-daemon status" does not avc.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 4 Daniel Walsh 2009-03-17 14:03:37 EDT
Well there is a leaked file descriptor somewhere that avahi is being handed, which is causing the AVC.  Unless we can track it down to the terminal or a gui causing the problem, not much I can do to help.

If you see this AVC check in your terminal so see if you have a leaked file descriptor.

ls -l /proc/self/fd
total 0
lr-x------. 1 root root 64 2009-03-17 13:59 0 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-17 13:59 1 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-17 13:59 2 -> /dev/pts/1
lr-x------. 1 root root 64 2009-03-17 13:59 3 -> /proc/14709/fd

This list shows the correct file descriptors.  0,1,2 using the terminal for stdin, stdout, and stderr.  3 is actually the ls command reading /proc/self/fd

Note You need to log in before you can comment on or make changes to this bug.