Bug 523031 - setroubleshoot: SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from executing system-config-firewall-mechanism.py.
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:e787295e6e1...
Duplicates: 523088 524157
Reported: 2009-09-13 14:26 UTC by vinod
Modified: 2009-09-23 14:04 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-09-23 14:04:25 UTC

Description vinod 2009-09-13 14:26:19 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing /lib64/dbus-1/dbus-daemon-launch-helper from executing
system-config-firewall-mechanism.py.

Detailed Description:

SELinux has denied the dbus-daemon-lau from executing
system-config-firewall-mechanism.py. If dbus-daemon-lau is supposed to be able
to execute system-config-firewall-mechanism.py, this could be a labeling
problem. Most confined domains are allowed to execute files labeled bin_t. So
you could change the labeling on this file to bin_t and retry the application.
If this dbus-daemon-lau is not supposed to execute
system-config-firewall-mechanism.py, this could signal an intrusion attempt.

Allowing Access:

If you want to allow dbus-daemon-lau to execute
system-config-firewall-mechanism.py: chcon -t bin_t
'system-config-firewall-mechanism.py' If this fix works, please update the file
context on disk, with the following command: semanage fcontext -a -t bin_t
'system-config-firewall-mechanism.py' Please specify the full path to the
executable, Please file a bug report to make sure this becomes the default
labeling.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                system-config-firewall-mechanism.py [ file ]
Source                        dbus-daemon-lau
Source Path                   /lib64/dbus-1/dbus-daemon-launch-helper
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           dbus-1.2.16-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31-2.fc12.x86_64
                              #1 SMP Thu Sep 10 00:25:40 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 13 Sep 2009 07:52:08 PM IST
Last Seen                     Sun 13 Sep 2009 07:53:03 PM IST
Local ID                      63605ca1-a376-48af-baf2-46c10e4c78d3
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252851783.896:36): avc:  denied  { execute } for  pid=3088 comm="dbus-daemon-lau" name="system-config-firewall-mechanism.py" dev=sda5 ino=359 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1252851783.896:36): arch=c000003e syscall=59 success=no exit=-13 a0=1f7f9f0 a1=1f7f8f0 a2=1f7e010 a3=7fff73c1df70 items=0 ppid=3087 pid=3088 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/lib64/dbus-1/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= system_dbusd_t ==============
allow system_dbusd_t usr_t:file execute;
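
The derivation from the raw AVC record to the audit2allow rule above, as an added example that is not part of the original report or of setroubleshoot/audit2allow. The `GENERIC_TYPES` set and the `likely_mislabel` heuristic are assumptions made for illustration; the sample line is the AVC record from this report.

```python
import re

# Sample input: the AVC record from the raw audit messages in this report.
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1252851783.896:36): avc:  denied  '
    '{ execute } for  pid=3088 comm="dbus-daemon-lau" '
    'name="system-config-firewall-mechanism.py" dev=sda5 ino=359 '
    'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: catch-all file types that usually mean "no specific label was applied".
GENERIC_TYPES = {"usr_t", "var_t", "etc_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Split one AVC record into a dict of its key=value fields plus result/perms."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """Return the type field of user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: " + context)
    return parts[2]


def allow_rule(avc):
    """Build the rule that would permit this access, in audit2allow's output form."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                   context_type(avc["tcontext"]), avc["tclass"], perm_text)


def likely_mislabel(avc):
    """True when the target carries a generic type, so the rule would cover every such file."""
    return context_type(avc["tcontext"]) in GENERIC_TYPES
```

For this record the rule would let `system_dbusd_t` execute every file labeled `usr_t`, which is why the target's label is the first thing to check before loading such a rule.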

Comment 1 vinod 2009-09-13 14:32:44 UTC
When trying to configure the firewall, a blank system-config-firewall window pops up and terminates after an SELinux alert.

Not able to view/change firewall settings.

Comment 2 Thomas Woerner 2009-09-14 12:37:27 UTC
*** Bug 523088 has been marked as a duplicate of this bug. ***

Comment 3 Thomas Woerner 2009-09-14 12:46:58 UTC
Reassigning to selinux-policy.

A new policy will be added for the dbus firewall backend.

As an interim solution set the type of the dbus backend context with "chcon -t
bin_t /usr/share/system-config-firewall/system-config-firewall-mechanism.py"

Comment 4 Daniel Walsh 2009-09-14 19:41:52 UTC
Fixed in selinux-policy-3.6.31-4.fc12.noarch

Comment 5 Thomas Woerner 2009-09-18 08:06:31 UTC
*** Bug 524157 has been marked as a duplicate of this bug. ***

Comment 6 Flóki Pálsson 2009-09-22 20:22:28 UTC
Not working with
selinux-policy-3.6.32-7.fc12.noarch

Comment 7 Daniel Walsh 2009-09-23 00:46:23 UTC
Floki, please explain.  What errors are you seeing?

Comment 8 Flóki Pálsson 2009-09-23 08:45:43 UTC
I saw sealert after updating to selinux-policy-3.6.32-7.fc12.noarch when starting s-c-f from the menu.

Starting system-config-firewall from the menu works after using the command in comment #3 (which has a nasty line break) or after using "Relabel on next reboot" from SELinux Management. Then system-config-firewall-mechanism.py has firewallgui_exec_t in its SELinux context.

PS.
I use f12 live snap 2 updated. Then SELinux Management was missing from the menu; I think it should be installed by default.

Comment 9 Daniel Walsh 2009-09-23 14:04:25 UTC
You relabelled and the system-config-firewall worked, indicating you had a labelling problem.

Open a bugzilla with live snap to add SELinux Management to their default install.

I am going to close this bugzilla since it seems that if you have proper labeling everything is working.

