490386 – SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.

Bug 490386 - SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.

Summary: SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	490388 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-16 00:32 UTC by Jerry Amundson
Modified:	2009-03-17 18:03 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-03-17 18:03:37 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jerry Amundson 2009-03-16 00:32:56 UTC

Description of problem:
SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t. 

Version-Release number of selected component (if applicable):
avahi-0.6.24-2.fc11.i586

How reproducible:
always

Steps to Reproduce:
1.open xterm, and su -
2.service avahi-daemon status
3.
  
Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing avahi-daemon (avahi_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by avahi-daemon. It is not expected that this
access is required by avahi-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:avahi_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        avahi-daemon
Source Path                   /usr/sbin/avahi-daemon
Port                          <Unknown>
Host                          walnut
Source RPM Packages           avahi-0.6.24-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     walnut
Platform                      Linux walnut 2.6.29-0.237.rc7.git4.fc11.i586 #1
                              SMP Wed Mar 11 18:55:21 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Sun 15 Mar 2009 06:04:58 PM CDT
Last Seen                     Sun 15 Mar 2009 07:28:20 PM CDT
Local ID                      b3048bf5-1b9b-4367-b7fc-01f87c911afd
Line Numbers                  

Raw Audit Messages            

node=walnut type=AVC msg=audit(1237163300.876:135): avc:  denied  { read write } for  pid=3291 comm="avahi-daemon" path="socket:[12796]" dev=sockfs ino=12796 scontext=unconfined_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=walnut type=AVC msg=audit(1237163300.876:135): avc:  denied  { read write } for  pid=3291 comm="avahi-daemon" path="socket:[12810]" dev=sockfs ino=12810 scontext=unconfined_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket

node=walnut type=SYSCALL msg=audit(1237163300.876:135): arch=40000003 syscall=11 success=yes exit=0 a0=833a620 a1=833a720 a2=833a730 a3=833a720 items=0 ppid=3288 pid=3291 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=unconfined_u:system_r:avahi_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-03-16 15:32:23 UTC

When did this happen?  Were you logged in on a Konsole and did a service avahi restart?

Did you restart avahi using some GUI?

Did it happen after a yum upgrade on a konsole terminal?

Comment 2 Daniel Walsh 2009-03-16 15:33:52 UTC

*** Bug 490388 has been marked as a duplicate of this bug. ***

Comment 3 Jerry Amundson 2009-03-16 21:20:27 UTC

(In reply to comment #1)
> When did this happen?  Were you logged in on a Konsole and did a service avahi
> restart?

I opened an xterm window, "su -", then "service avahi-daemon status".

> Did you restart avahi using some GUI?
> Did it happen after a yum upgrade on a konsole terminal?  

Prior to running the commands above, I had yum erase'd the avahi-qt3 package. Now, with avahi-qt3 installed, "service avahi-daemon status" does not avc.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 4 Daniel Walsh 2009-03-17 18:03:37 UTC

Well there is a leaked file descriptor somewhere that avahi is being handed, which is causing the AVC.  Unless we can track it down to the terminal or a gui causing the problem, not much I can do to help.

If you see this AVC check in your terminal so see if you have a leaked file descriptor.

ls -l /proc/self/fd
total 0
lr-x------. 1 root root 64 2009-03-17 13:59 0 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-17 13:59 1 -> /dev/pts/1
lrwx------. 1 root root 64 2009-03-17 13:59 2 -> /dev/pts/1
lr-x------. 1 root root 64 2009-03-17 13:59 3 -> /proc/14709/fd

This list shows the correct file descriptors.  0,1,2 using the terminal for stdin, stdout, and stderr.  3 is actually the ls command reading /proc/self/fd

Note You need to log in before you can comment on or make changes to this bug.