Summary:

SELinux is preventing /usr/sbin/aiccu "write" access .

Detailed Description:

[aiccu has a permissive type (aiccu_t). This access was not denied.]

SELinux denied access requested by aiccu. It is not expected that this access is required by aiccu and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context        unconfined_u:system_r:aiccu_t:s0
Target Context        unconfined_u:system_r:aiccu_t:s0
Target Objects        None [ udp_socket ]
Source                aiccu
Source Path           /usr/sbin/aiccu (deleted)
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   aiccu-2007.01.15-7.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.7.19-23.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             (removed)
Platform              Linux fedora.home 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count           8
First Seen            Sat 19 Jun 2010 12:01:15 AM EEST
Last Seen             Sat 19 Jun 2010 10:04:10 AM EEST
Local ID              6ad8b7bf-c39f-45a9-ad3b-5ac9d18a4c8b
Line Numbers

Raw Audit Messages

node=fedora.home type=AVC msg=audit(1276931050.600:76): avc: denied { write } for pid=2261 comm="aiccu" laddr=192.168.1.2 lport=45828 faddr=94.75.219.73 fport=5072 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=unconfined_u:system_r:aiccu_t:s0 tclass=udp_socket

node=fedora.home type=SYSCALL msg=audit(1276931050.600:76): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7f6b2a756d90 a2=5c a3=0 items=0 ppid=1 pid=2261 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)

Hash String generated from catchall,aiccu,aiccu_t,aiccu_t,udp_socket,write
audit2allow suggests:

#============= aiccu_t ==============
allow aiccu_t self:udp_socket write;
Created attachment 425303 [details] other alerts
Nothing is mentioned in the alert about /dev/net/tun as in bug 590481, and I also have a later version of the SELinux policies which is supposed to solve the aiccu problems. I also get all the alerts that are shown in the screenshots just when I start the aiccu service.
Created attachment 425304 [details] other alerts 2
It was fixed in selinux-policy-3.7.19-28.fc13. selinux-policy-3.7.19-28.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-28.fc13
Thank you for the information. How much time does it take for a package to go from testing to updates? I googled that but I couldn't find a clear answer.
I just updated my Fedora and selinux-policy-3.7.19-28.fc13 was installed. After restarting my PC I tried:

[root@fedora ~]# /etc/init.d/aiccu start
Starting AICCU (Automatic IPv6 Connectivity Configuration U[FAILED]services:

The new bug is: SELinux is preventing /usr/sbin/aiccu "read" access on /etc/hosts.

Should I open a new bug report?
Please attach the AVC messages from /var/log/audit/audit.log

Looks like we need sysnet_dns_name_resolve(aiccu_t)
I made a copy of this log file and then (after trying to start aiccu) I made a diff between them. The lines that were added because of aiccu are these:

2753,2756d2752
< type=AVC msg=audit(1277492828.466:25568): avc: denied { read } for pid=8034 comm="aiccu" name="resolv.conf" dev=dm-0 ino=165 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.466:25568): arch=c000003e syscall=2 success=no exit=-13 a0=32fdd426db a1=0 a2=1b6 a3=2 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
< type=AVC msg=audit(1277492828.468:25569): avc: denied { read } for pid=8034 comm="aiccu" name="hosts" dev=dm-0 ino=126 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
< type=SYSCALL msg=audit(1277492828.468:25569): arch=c000003e syscall=2 success=no exit=-13 a0=7f402d86a2a6 a1=80000 a2=1b6 a3=0 items=0 ppid=8033 pid=8034 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="aiccu" exe="/usr/sbin/aiccu" subj=unconfined_u:system_r:aiccu_t:s0 key=(null)
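For readers triaging similar reports: the following is an added example, not part of the bug thread or of audit2allow itself. It reduces the AVC records quoted in this thread to raw allow rules of the kind audit2allow printed above, and pairs each AVC with its SYSCALL record by audit event ID to show whether the call actually failed. The function names are made up for this example, and the SYSCALL records in the sample are shortened to the fields used.

```python
import re
from collections import defaultdict

# AVC records copied from this thread (node= prefix dropped);
# SYSCALL records shortened to the fields this example reads.
SAMPLE = """\
type=AVC msg=audit(1276931050.600:76): avc: denied { write } for pid=2261 comm="aiccu" laddr=192.168.1.2 lport=45828 faddr=94.75.219.73 fport=5072 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=unconfined_u:system_r:aiccu_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1276931050.600:76): arch=c000003e syscall=44 success=yes exit=92 comm="aiccu"
type=AVC msg=audit(1277492828.466:25568): avc: denied { read } for pid=8034 comm="aiccu" name="resolv.conf" dev=dm-0 ino=165 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1277492828.466:25568): arch=c000003e syscall=2 success=no exit=-13 comm="aiccu"
type=AVC msg=audit(1277492828.468:25569): avc: denied { read } for pid=8034 comm="aiccu" name="hosts" dev=dm-0 ino=126 scontext=unconfined_u:system_r:aiccu_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1277492828.468:25569): arch=c000003e syscall=2 success=no exit=-13 comm="aiccu"
"""

AVC = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+\{ ([^}]+) \}"
                 r".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
SYSCALL = re.compile(r"type=SYSCALL msg=audit\(([\d.]+:\d+)\):.*?success=(\w+)")

def parse(log):
    """Return (rules, failed): rules maps (source, target, class) to a set of
    permissions; failed maps audit event ID to True if the syscall failed."""
    rules, failed = defaultdict(set), {}
    for line in log.splitlines():
        avc, sysc = AVC.search(line), SYSCALL.search(line)
        if avc:
            event, perms, scon, tcon, tclass = avc.groups()
            # A context is user:role:type:level; policy rules use the type.
            src, tgt = scon.split(":")[2], tcon.split(":")[2]
            # Same source and target type is written as "self" in a rule.
            rules[(src, "self" if tgt == src else tgt, tclass)].update(perms.split())
            failed.setdefault(event, None)
        elif sysc and sysc.group(1) in failed:
            failed[sysc.group(1)] = sysc.group(2) == "no"
    return rules, failed

def allow_rules(rules):
    """Render the grouped denials as policy allow statements."""
    out = []
    for src, tgt, tclass in sorted(rules):
        perms = sorted(rules[(src, tgt, tclass)])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out

if __name__ == "__main__":
    rules, failed = parse(SAMPLE)
    print("\n".join(allow_rules(rules)))
    for event, did_fail in failed.items():
        print(event, "syscall failed" if did_fail else "syscall succeeded")
```

The first event's syscall succeeded, matching the "permissive type" note in the original alert, while the two net_conf_t reads failed with exit=-13. The maintainer's comment above names the policy interface sysnet_dns_name_resolve(aiccu_t) for those reads rather than a raw allow rule.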
Fixed in selinux-policy-3.7.19-32.fc13
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Seems to work OK now!! Thank you very much!
Confirming, solved all my problems with aiccu. Thank you!
I know it is a little off-topic, but does anyone know of a way to start aiccu automatically on startup? I used 'chkconfig aiccu on' but after reboot I got:

Starting AICCU (Automatic IPv6 Connectivity Configuration Utility) services: [FAILED]

When I tried to start it manually it started OK. Any ideas?
For anyone interested, the solution is: 'chkconfig --del aiccu' and then 'chkconfig --add aiccu' and finally 'chkconfig aiccu on'
Created attachment 429169 [details] SELinux is preventing /bin/bash "sys_tty_config" access

Whoops, I was too fast. One last error appears for aiccu. Best regards
Additional: If SELinux is set to enforcing, aiccu is not able to be "verbose" on startup, so the tunnel information is not displayed.

/etc/aiccu.conf
# Be verbose? (default: false)
verbose true
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.