571344 – SELinux is preventing /bin/plymouth "dac_override" access

Bug 571344 - SELinux is preventing /bin/plymouth "dac_override" access

Summary: SELinux is preventing /bin/plymouth "dac_override" access

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	13
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-03-08 08:53 UTC by Quentin Armitage
Modified:	2010-03-20 03:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.7.14-3.fc13
Clone Of:
Environment:
Last Closed:	2010-03-20 03:35:52 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Quentin Armitage 2010-03-08 08:53:39 UTC

Summary:

SELinux is preventing /bin/plymouth "dac_override" access .

Detailed Description:

SELinux denied access requested by plymouth. It is not expected that this access
is required by plymouth and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:plymouth_t:s0
Target Context                unconfined_u:system_r:plymouth_t:s0
Target Objects                None [ capability ]
Source                        plymouth
Source Path                   /bin/plymouth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           plymouth-0.8.0-0.20100225.1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.11-1.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux delilah.armitage.org.uk
                              2.6.33-1.fc13.i686.PAE #1 SMP Wed Feb 24 19:54:49
                              UTC 2010 i686 i686
Alert Count                   14
First Seen                    Fri 05 Mar 2010 17:36:42 GMT
Last Seen                     Mon 08 Mar 2010 07:58:55 GMT
Local ID                      39fc464e-0ea0-471e-86fb-722be0e517ed
Line Numbers                  

Raw Audit Messages            

node=delilah.armitage.org.uk type=AVC msg=audit(1268035135.630:45): avc:  denied  { dac_override } for  pid=6382 comm="plymouth" capability=1  scontext=unconfined_u:system_r:plymouth_t:s0 tcontext=unconfined_u:system_r:plymouth_t:s0 tclass=capability

node=delilah.armitage.org.uk type=AVC msg=audit(1268035135.630:45): avc:  denied  { dac_read_search } for  pid=6382 comm="plymouth" capability=2  scontext=unconfined_u:system_r:plymouth_t:s0 tcontext=unconfined_u:system_r:plymouth_t:s0 tclass=capability

node=delilah.armitage.org.uk type=SYSCALL msg=audit(1268035135.630:45): arch=40000003 syscall=5 success=no exit=-13 a0=804d483 a1=0 a2=bf9210df a3=0 items=0 ppid=6369 pid=6382 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="plymouth" exe="/bin/plymouth" subj=unconfined_u:system_r:plymouth_t:s0 key=(null)

How reproducible:
Always

Steps to Reproduce:
1.Execute /etc/init.d/asterisk start when asterisk is already running
2.
3.

Comment 1 Daniel Walsh 2010-03-09 14:41:42 UTC

Miroslav change plymouth_t to and application_domain rather then an init_daemon_domain

Comment 2 Daniel Walsh 2010-03-12 19:19:23 UTC

Fixed in selinux-policy-3.7.14-1.fc13.noarch

Comment 3 Fedora Update System 2010-03-12 19:44:35 UTC

selinux-policy-3.7.14-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-1.fc13

Comment 4 Fedora Update System 2010-03-14 13:38:30 UTC

selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-3.fc13

Comment 5 Fedora Update System 2010-03-20 03:34:40 UTC

selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.