Created attachment 374747
AVC denials reported by ntop on startup.

Description of problem:
When running ntop in Fedora 12, several AVC denials are reported. This is with standard configurations, so I believe these should be allowed.

Version-Release number of selected component (if applicable):

How reproducible:
ntop-3.3.10-2.fc12.x86_64
selinux-policy-3.6.32-41.fc12.noarch
selinux-policy-targeted-3.6.32-41.fc12.noarch

Steps to Reproduce:
1. Install and enable ntop

Actual results:
Several AVC denials happen.

Expected results:
No denials.

Additional info:
Ntop seems to work as expected anyway, presumably because ntop_t is a permissive domain currently.
Created attachment 374748
AVC denials reported by ntop when connecting a browser to it
Fixed in selinux-policy-3.6.32-52.fc12.noarch
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
Created attachment 376181
Denials after installing selinux-policy-targeted-3.6.32-52.fc12

It seems the new policy launched a new set of AVC:s. I attach the output of "ausearch -m avc -ts 20:45" after having upgraded selinux-policy-targeted to 3.6.32-52.fc12 from updates testing, and then restarted ntop, followed by a connection to it (http://localhost:3000/) from my browser.
I just realized there is a denial to search nfs_t in my latest attachment. That comes because I mount /usr/local via nfs on this host. That is nothing the standard policy should support, I guess. Please disregard that particular one, and sorry for not cleaning up enough before submitting.
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 377432
Denials after installing selinux-policy-targeted-3.6.32-55.fc12
The problem does persist. I attached the avc:s after upgrade to -52 previously. Now I've upgraded to -55, and I still get all these avc:s. See the new attachment for an updated list. The first part is from when I started ntopd, and the later from when I connected to it from a web browser.
This is strange. I don't see how this even installed; the fixes were in there but the policy module had a conflict.

Fixed in selinux-policy-3.6.32-58.fc12.noarch
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384
Created attachment 379488
Denials after installing selinux-policy-targeted-3.6.32-59.fc12

I upgraded to -59, but I still see the AVC:s when restarting ntop. (At least most of them. It looks like the same list, but I haven't looked close enough to see if a single one may have been removed or added.) In this log, ntop is started at 12:36, and at 16:50 I connect my browser to it.

Did it go wrong this time too? Or did I do something wrong? There are some log entries in messages from the time when I upgraded, that I only partially understand:

Dec 20 12:35:26 freddi kernel: SELinux: Context unconfined_u:unconfined_r:winbind_helper_t:s0-s0:c0.c1023 became invalid (unmapped).
Dec 20 12:35:26 freddi dbus: avc: received policyload notice (seqno=2)
Dec 20 12:35:26 freddi dbus: Can't send to audit system: USER_AVC avc: received policyload notice (seqno=2) : exe="?" sauid=81 hostname=? addr=? terminal=?
Dec 20 12:35:26 freddi dbus: Reloaded configuration
Dec 20 12:35:29 freddi kernel: SELinux: Context system_u:object_r:unconfined_mozilla_home_t:s0 is not valid (left unmapped).
Dec 20 12:35:39 freddi yum: Updated: selinux-policy-targeted-3.6.32-59.fc12.noarch
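One way to answer "has any denial been removed or added" between two ausearch captures taken before and after a policy update, as an added example that is not part of the original bug report. The AVC records below are constructed samples, not the contents of the attachments, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the fields of a kernel AVC denial record as printed by ausearch.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def denial_set(log_text):
    """Collapse a capture into unique (source, target, class, permission) tuples."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # skip SYSCALL records, separators and other audit types
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return {(s, t, c, p) for (s, t, c), perms in grouped.items() for p in perms}

def diff_denials(before, after):
    """Compare two captures, ignoring pids, inodes and timestamps."""
    b, a = denial_set(before), denial_set(after)
    return {"fixed": sorted(b - a), "new": sorted(a - b), "persisting": sorted(a & b)}

# Constructed sample captures (old policy vs. updated policy).
BEFORE = """\
type=AVC msg=audit(1261308926.101:310): avc:  denied  { read } for  pid=2101 comm="ntop" name="sample.dat" dev=dm-0 ino=1201 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1261308926.140:311): avc:  denied  { search } for  pid=2101 comm="ntop" name="/" dev=0:15 ino=2 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1261308927.002:312): avc:  denied  { name_bind } for  pid=2101 comm="ntop" src=3000 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""
AFTER = """\
type=AVC msg=audit(1261312560.511:402): avc:  denied  { search } for  pid=3977 comm="ntop" name="/" dev=0:15 ino=2 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1261312560.530:403): avc:  denied  { read } for  pid=3977 comm="ntop" name="sample.dat" dev=dm-0 ino=1201 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1261312561.044:404): avc:  denied  { getattr } for  pid=3977 comm="ntop" path="/var/lib/sample" dev=dm-0 ino=880 scontext=unconfined_u:system_r:ntop_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

if __name__ == "__main__":
    for status, rules in diff_denials(BEFORE, AFTER).items():
        for rule in rules:
            print(status, *rule)
```
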
Yes, you are right, there was a screw-up in the ntop policy.

Fixed in selinux-policy-3.6.32-61.fc12.noarch
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Third time lucky! With selinux-policy-3.6.32-63.fc12 I can run ntop without triggering any new AVC:s. :-)
Please update karma.
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.