Summary: SELinux is preventing /usr/lib/news/bin/innd "sendto" access on /var/run/news/ctlinnd1N09cI. Detailed Description: SELinux denied access requested by innd. It is not expected that this access is required by innd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:innd_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects /var/run/news/ctlinnd1N09cI [ unix_dgram_socket ] Source innd Source Path /usr/lib/news/bin/innd Port <Unknown> Host (removed) Source RPM Packages inn-2.5.0-6.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-89.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.22.fc12.x86_64 #1 SMP Fri Feb 19 18:55:03 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Sat 27 Feb 2010 06:44:35 PM CST Last Seen Sat 27 Feb 2010 06:44:35 PM CST Local ID 0968a0ba-c160-4c41-8f16-dc9dcd3842c2 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1267317875.17:12669): avc: denied { sendto } for pid=21079 comm="innd" path="/var/run/news/ctlinnd1N09cI" scontext=unconfined_u:system_r:innd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket node=(removed) type=SYSCALL msg=audit(1267317875.17:12669): arch=c000003e syscall=44 success=no exit=-13 a0=d a1=7fbd02752fb0 a2=7 a3=0 items=0 ppid=1 pid=21079 auid=500 uid=9 gid=13 euid=9 suid=9 fsuid=9 egid=13 sgid=13 fsgid=13 tty=(none) ses=14 comm="innd" exe="/usr/lib/news/bin/innd" subj=unconfined_u:system_r:innd_t:s0 key=(null) Hash String generated from catchall,innd,innd_t,unconfined_t,unix_dgram_socket,sendto audit2allow suggests: #============= innd_t ============== allow innd_t unconfined_t:unix_dgram_socket sendto;
Occurs when running "ctlinnd throttle xxx" (as root).
Miroslav add userdom_stream_connect(innd_t)
Fixed in selinux-policy-3.6.32-96.fc12
selinux-policy-3.6.32-99.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12
selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12
selinux-policy-3.6.32-99.fc12 appears to fix this problem for me.
selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Same problem is back in selinux-policy-3.6.32-106, this time apparently caused by running /usr/lib/news/bin/sm from a cron job. Summary: SELinux is preventing /usr/lib/news/bin/innd "sendto" access on /var/run/news/ctlinndEus6ae. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by innd. It is not expected that this access is required by innd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:innd_t:s0 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects /var/run/news/ctlinndEus6ae [ unix_dgram_socket ] Source innd Source Path /usr/lib/news/bin/innd Port <Unknown> Host (removed) Source RPM Packages inn-2.5.0-6.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-106.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux omega-3a.local 2.6.32.10-90.fc12.x86_64 #1 SMP Tue Mar 23 09:47:08 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Sun 04 Apr 2010 12:05:02 PM CDT Last Seen Sun 04 Apr 2010 12:05:02 PM CDT Local ID 06dddbd8-355e-43fd-9951-956b01fa5740 Line Numbers Raw Audit Messages node=omega-3a.local type=AVC msg=audit(1270400702.202:37058): avc: denied { sendto } for pid=2222 comm="innd" path="/var/run/news/ctlinndEus6ae" scontext=system_u:system_r:innd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket node=omega-3a.local type=SYSCALL msg=audit(1270400702.202:37058): arch=c000003e syscall=44 success=yes exit=7 a0=d a1=7feefba26640 a2=7 a3=0 items=0 ppid=1 pid=2222 auid=4294967295 uid=9 gid=13 euid=9 suid=9 fsuid=9 egid=13 sgid=13 fsgid=13 tty=(none) ses=4294967295 comm="innd" exe="/usr/lib/news/bin/innd" subj=system_u:system_r:innd_t:s0 key=(null)
Robert seems I picked the totally wrong interface. Miroslav it should have been userdom_dgram_send(innd_t)
Fixed in selinux-policy-3.6.32-111.fc12
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.