I got this too.

Lubos: You said bug buddy, but I assume that you meant sealert (confusingly also known as "SELinux Troubleshooter" and "SELinux Security Alerts"), so I will reassign there.


setroubleshoot-2.2.69-1.fc13.i686
setroubleshoot-server-2.2.69-1.fc13.i686
report-0.10-5.fc13.i686
report-config-bugzilla-redhat-com-0.10-5.fc13.i686
report-gtk-0.10-5.fc13.i686
report-plugin-bugzilla-0.10-5.fc13.i686
selinux-policy-3.7.15-4.fc13.noarch
selinux-policy-targeted-3.7.15-4.fc13.noarch


The text of the report which did not have a description:


Summary:



Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by plymouth. It is not expected that this access
is required by plymouth and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                 [ unix_stream_socket ]
Source                        plymouth
Source Path                   /bin/plymouth
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           plymouth-0.8.1-3.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.15-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux local 2.6.33.2-46.fc13.i686.PAE #1 SMP Wed
                              Apr 14 13:42:15 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 14 Apr 2010 10:34:13 PM CEST
Last Seen                     Wed 14 Apr 2010 10:34:13 PM CEST
Local ID                      c1392d5b-7550-4a09-a857-ffa583f92f0c
Line Numbers                  

Raw Audit Messages            

node=local type=AVC msg=audit(1271277253.437:6): avc:  denied  { connectto } for  pid=1818 comm="plymouth" path=002F706C792D626F6F742D70726F746F636F6C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

node=local type=SYSCALL msg=audit(1271277253.437:6): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfe8f520 a2=48d73c a3=6 items=0 ppid=1816 pid=1818 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouth" exe="/bin/plymouth" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

/var/log/messages contained

Apr 14 22:42:57 local : report: Unable To File Bug:Your bug could not be filed due to bad information in the bug fields.  This is most likely an error in the bug filing program:#012#012required field missing or empty: 'summary'

- but report probably just forwards the unexpected input.

I think this might be a bug in report.  Since I have not touched this code.  It seems to work for me on F13, but I am having a hard time getting to the latest updates.

rpm -q report

A FYI observation:
Did you notice that the report text (which I assume is generated by setroubleshoot before report gets involved) don't have a summary? I assumed that that indicated that the problem was in the SE-specific code and proved report not guilty.

Maybe you are right. there should be an sealert command in the /var/log/messages, that shows the avc, could you execute that and see if there is a summary?

I am not able to generate this problem on my F13 box.

 rpm -q setroubleshoot
setroubleshoot-2.2.72-1.fc13.x86_64

Which is available from Koji.  Are you using a Non English version?

Hello sorry for late response

bash-4.1$ sudo rpm -q settroubleshoot
package settroubleshoot is not installed


Have you seen that attached screenshot? I'm not sure if we're speaking about the same utility.

Anyway this case appeared only in this specific report.

sudo rpm -q setroubleshoot

One t

Reproduced with setroubleshoot-2.2.72-1.fc13.i686

This seems to happen on shutdown, consistently 5 seconds after abrt got signal 15:

Apr 15 01:41:25 local setroubleshoot: [avc.ERROR] Plugin Exception catchall #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 156, in analyze
_avc#012    report_receiver.report_problem(report)#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/server.py", line 205, in report_problem#012    syslog.syslog(syslog.LOG_ERR, summary + _(" For co
mplete SELinux messages. run sealert -l %s" % siginfo.local_id ))#012TypeError: [priority,] message string
Apr 15 01:41:25 local setroubleshoot: SELinux is preventing /sbin/plymouthd "open" access on tty63. For complete SELinux messages. run sealert -l 70af7e07-9c39-43a9-87da-f34398e976da

However,
# sealert -l 5bb991aa-61c4-42d7-935d-58765d8f8b6b
query_alerts error (1003): id (5bb991aa-61c4-42d7-935d-58765d8f8b6b) not found

[How come the stacktrace wasn't caught by abrt? Do setroubleshoot have its own crash handler? Wouldn't it be better to leave that to abrt now?]

I don't know.

Ca

The avc will be Fixed in selinux-policy-3.7.19-2.fc13.noarch

If anyone can reproduce this, please, instead of reporting it to bugzilla, do a "localsave".  Give it the full pathname of a directory to save the file in, and then attached the created file to this bz.

The bugzilla plugin for the report library is not looking for or dealing with an all blank or zero length summary.  I will fix this in the next version of report.  If I can get the above 'localsave' file, I can verify that this is the cause of this problem.

I can confirm that selinux-policy-3.7.19-2.fc13.noarch fixes the avc, but now I can no longer reproduce the problem, even though I downgrade everything I can imagine is relevant.

Lubos, can you reproduce?

I notice that my upgraded system still had libsemanage 2.0.45 from f12, because f13 only had 2.0.43. I don't know if that can have any influence.

IMHO it would be fine if report could handle blank summaries, but it would be far better if we found the reason to why such reports are created in the first place and got that fixed.

(And by the way: Not using any kind of localization here.)

I have the problem and am working on a fix.

The problem is caused by /ply-boot-protocol path, which is an abstract socket.  When python decodes the hex, it adds NULLS before and after the string, which is causing the setroubleshoot to blow up in certain sections, and ends up write "" to the database.  I have replaces the NULLS with @ and it ends up with a string like


Summary:

SELinux is preventing /bin/plymouth "connectto" access on @/ply-boot-protocol.

Detailed Description:

[plymouth has a permissive type (xdm_t). This access was not denied.]

SELinux denied access requested by plymouth. It is not expected that this access
is required by plymouth and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:system_r:kernel_t:s0
Target Objects                @/ply-boot-protocol [ unix_stream_socket ]
Source                        plymouth
Source Path                   /bin/plymouth
Port                          <Unknown>
Host                          local
Source RPM Packages           plymouth-0.8.1-3.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-1.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.33.1-24.fc13.x86_64 #1 SMP Tue Mar 30 18:21:22
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 Apr 2010 04:34:13 PM EDT
Last Seen                     Wed 14 Apr 2010 04:34:13 PM EDT
Local ID                      b405a1e5-8540-4145-ad23-2a684055d904
Line Numbers                  

Raw Audit Messages            

node=local type=AVC msg=audit(1271277253.437:6): avc:  denied  { connectto } for  pid=1818 comm="plymouth" path=002F706C792D626F6F742D70726F746F636F6C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket 

node=local type=SYSCALL msg=audit(1271277253.437:6): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfe8f520 a2=48d73c a3=6 items=0 ppid=1816 pid=1818 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouth" exe="/bin/plymouth" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Fixed in setroubleshoot-2.2.73-1.fc13

BTW You can test this by taking the output from 

Delete the AVC

#ausearch -m avc | /usr/sbin/sedispatch

sedispatch gave/caused the following with setroubleshoot-2.2.72-1.fc13.i686 - is that fixed in setroubleshoot-2.2.73-1.fc13.i686 too?

Got Reply: Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/dbus/service.py", line 702, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/server.py", line 501, in avc
    self.add(AVC(audit_event))
  File "/usr/lib/python2.6/site-packages/setroubleshoot/audit_data.py", line 586, in __init__
    self.derive_avc_info_from_audit_event()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/audit_data.py", line 884, in derive_avc_info_from_audit_event
    raise ValueError("Invalid AVC %s, it is allowed in current policy" %  avc)
NameError: global name 'avc' is not defined

setroubleshoot-2.2.73-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/setroubleshoot-2.2.73-1.fc13

nope

I confirm that setroubleshoot-2.2.73-1.fc13.i686 works and allowed me to file
Bug 583125  - SELinux is preventing /sbin/shutdown "connectto" access on @/com/ubuntu/upstart.

Stacktrace reported in
Bug 583133  - NameError: global name 'avc' is not defined

Hello bug is no longer reproducible by me. But I see that you already have stack from it.

Lubos

setroubleshoot-2.2.74-1.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update setroubleshoot'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/setroubleshoot-2.2.74-1.fc13

setroubleshoot-2.2.74-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.