Bug 518848 - SELinux is preventing semodule (semanage_t) "read write" unconfined_t
Summary: SELinux is preventing semodule (semanage_t) "read write" unconfined_t
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: nss_ldap
Version: 11
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-08-23 15:14 UTC by faith
Modified: 2009-09-16 22:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-16 22:44:44 UTC


Attachments
attempt to do the nss_ldap update (367.61 KB, text/plain)
2009-08-31 20:27 UTC, faith

Description faith 2009-08-23 15:14:10 UTC
Description of problem:  SELinux is preventing semodule (semanage_t) "read write" unconfined_t


Version-Release number of selected component (if applicable):


How reproducible: not sure; didn't seem to prevent me from working at the time so I didn't stop to look at it immediately (sorry)


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Summary:

SELinux is preventing semodule (semanage_t) "read write" unconfined_t.

Detailed Description:

SELinux denied access requested by semodule. It is not expected that this access
is required by semodule and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:semanage_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0
Target Objects                socket [ tcp_socket ]
Source                        semodule
Source Path                   /usr/sbin/semodule
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           policycoreutils-2.0.62-12.12.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-69.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.29.6-213.fc11.i586
                              #1 SMP Tue Jul 7 20:45:17 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Sat 08 Aug 2009 04:57:21 AM EDT
Last Seen                     Sat 08 Aug 2009 04:57:21 AM EDT
Local ID                      a4033405-0107-4466-8fb3-5f42fa0e98ef
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1249721841.288:3192): avc:  denied  { read write } for  pid=8974 comm="semodule" path="socket:[13000407]" dev=sockfs ino=13000407 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket

node=localhost.localdomain type=SYSCALL msg=audit(1249721841.288:3192): arch=40000003 syscall=11 success=yes exit=0 a0=82ffed0 a1=8300ea0 a2=82f0f10 a3=8300ea0 items=0 ppid=8932 pid=8974 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="semodule" exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0 key=(null)

Comment 1 Christopher Aillon 2009-08-24 17:45:47 UTC
Why on earth do you think this is a firefox bug?  SELinux, not firefox, is preventing semodule, not firefox, from doing something.  The output even tells you what package to file the bug against:

Source RPM Packages           policycoreutils-2.0.62-12.12.fc11

Over to policycoreutils

Comment 2 Daniel Walsh 2009-08-25 13:16:30 UTC
Sadly it is an nss_ldap problem.  nss_ldap is leaking file descriptors, which are being inherited by semodule commands, causing this AVC.

nss_ldap-264-6.fc11 fixes this problem.
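
A triage check for the pattern described in comment 2, added here as an example (not code from the bug report, nss_ldap or setroubleshoot): it pairs the AVC and SYSCALL records by audit event ID and flags denials raised during execve on a socket or pipe labelled with a different process domain. The function names and the `FD_CLASSES` subset are choices made for this example.

```python
import re
from collections import defaultdict

# Raw audit records from this report (node= prefix and some SYSCALL fields trimmed).
PAGE_RECORDS = [
    'type=AVC msg=audit(1249721841.288:3192): avc:  denied  { read write } for  '
    'pid=8974 comm="semodule" path="socket:[13000407]" dev=sockfs ino=13000407 '
    'scontext=unconfined_u:unconfined_r:semanage_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1249721841.288:3192): arch=40000003 syscall=11 '
    'success=yes exit=0 ppid=8932 pid=8974 comm="semodule" '
    'exe="/usr/sbin/semodule" subj=unconfined_u:unconfined_r:semanage_t:s0',
]

# execve syscall number keyed by audit arch value (i386, x86_64).
EXECVE = {"40000003": "11", "c000003e": "59"}
# Object classes that reach a process as an open descriptor (subset chosen here).
FD_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket", "fifo_file"}

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")


def parse(line):
    """Return (event_id, fields) for one audit record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return EVENT_ID.search(line).group(1), fields


def leaked_fd_denials(lines):
    """Find AVC denials raised on an inherited descriptor during execve."""
    events = defaultdict(dict)
    for line in lines:
        event_id, fields = parse(line)
        events[event_id][fields["type"]] = fields  # keeps the last record per type
    findings = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or EXECVE.get(sc["arch"]) != sc["syscall"]:
            continue
        src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
        if avc["tclass"] in FD_CLASSES and src != tgt:
            findings.append({"event": event_id, "exe": sc["exe"], "new_domain": src,
                             "fd_owner_domain": tgt, "object": avc["path"],
                             "perms": avc["perms"]})
    return findings
```

A hit points at the process that opened the descriptor without close-on-exec, not at the program named in the denial.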

Comment 3 Nalin Dahyabhai 2009-08-26 17:48:54 UTC
Can you please check if the updates being tracked at https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8564 prevent this error from occurring?  If so, we can mark this as another bug that the update fixes.  Thanks!

Comment 4 faith 2009-08-28 12:50:46 UTC
pls advise which update I should use for my Dell D600 laptop, i386:

src: nss_ldap-264-6.fc11.src.rpm
i586: nss_ldap-264-6.fc11.i586.rpm, nss_ldap-debuginfo-264-6.fc11.i586.rpm
ppc: nss_ldap-264-6.fc11.ppc.rpm, nss_ldap-debuginfo-264-6.fc11.ppc.rpm
ppc64: nss_ldap-264-6.fc11.ppc64.rpm, nss_ldap-debuginfo-264-6.fc11.ppc64.rpm
x86_64: nss_ldap-264-6.fc11.x86_64.rpm, nss_ldap-debuginfo-264-6.fc11.x86_64.rpm

thanks!!

Comment 5 Daniel Walsh 2009-08-28 13:25:34 UTC
i586

Comment 6 faith 2009-08-31 20:27:15 UTC
Created attachment 359319
attempt to do the nss_ldap update

this is what I get when I attempt to do the nss_ldap update you suggested (see attachment) ...
thanks for hanging with me here

Comment 7 faith 2009-08-31 20:34:34 UTC
BTW, I did try to find how to get the dbus system service, but I think I fell asleep trying to find how to do it.  And looking again, I seem to be just searching in circles, finding lots of comments about problems with it.  Please give me a clue. thanks!

Comment 8 faith 2009-09-16 22:44:44 UTC
system shows package was installed and haven't had this SELinux error again; closing this bug.  thanks!