Bug 608025 - SELinux is preventing /usr/bin/python "connectto" access on /var/run/avahi-daemon/socket.
Summary: SELinux is preventing /usr/bin/python "connectto" access on /var/run/ava...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:96ea3322c02...
Depends On:
Blocks:
Reported: 2010-06-25 12:37 UTC by Tomasz Torcz
Modified: 2010-06-25 19:47 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-25 18:42:34 UTC
Type: ---
Embargoed:



Description Tomasz Torcz 2010-06-25 12:37:44 UTC
Summary:

SELinux is preventing /usr/bin/python "connectto" access on
/var/run/avahi-daemon/socket.

This is caused by having proxy=http://something.local in /etc/yum.conf.
Abrt runs yum-downloader, which in turn needs to resolve the *.local domain, and nss-mdns asks avahi for it.

Detailed description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.


Additional information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:avahi_t:s0
Target Objects                /var/run/avahi-daemon/socket [ unix_stream_socket
                              ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.5-17.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.8.5-1.fc14
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-0.2.rc3.git0.fc14.x86_64 #1
                              SMP Tue Jun 22 23:41:48 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri, 25 Jun 2010, 14:32:39
Last Seen                     Fri, 25 Jun 2010, 14:32:39
Local ID                      f9320e59-a1f5-4d30-8f27-712750837504
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277469159.289:53415): avc:  denied  { connectto } for  pid=16217 comm="yum" path="/var/run/avahi-daemon/socket" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1277469159.289:53415): arch=c000003e syscall=42 success=yes exit=4294967424 a0=9 a1=7f18d86fe1c0 a2=6e a3=7f18d86fdf40 items=0 ppid=16215 pid=16217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,yum,abrt_t,avahi_t,unix_stream_socket,connectto
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t avahi_t:unix_stream_socket connectto;
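
The two audit records above, run through a small triage script. This is an added example and is not part of the bug report, of setroubleshoot, or of audit2allow; the two audit lines are embedded as a constructed sample copied from the report, and every function name in it is this example's own. It correlates the AVC record with the SYSCALL record that shares its event id, derives the same raw rule audit2allow prints, and flags that success=yes next to a denial means the access was only logged, which is what the permissive-mode note in the report says. The raw allow rule is the narrowest local workaround; the fix adopted in this bug goes through the policy interface sysnet_dns_name_resolve(abrt_t) instead, so abrt_t receives what name resolution needs rather than a one-off connect to avahi_t.

```python
import re

# Constructed sample input: the AVC and SYSCALL records quoted in the bug
# report, with the host name scrubbed the way setroubleshoot scrubbed it.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1277469159.289:53415): avc:  denied  { connectto } for  pid=16217 comm="yum" path="/var/run/avahi-daemon/socket" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1277469159.289:53415): arch=c000003e syscall=42 success=yes exit=4294967424 a0=9 a1=7f18d86fe1c0 a2=6e a3=7f18d86fdf40 items=0 ppid=16215 pid=16217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
"""

# type=AVC msg=audit(<timestamp>:<serial>):  -- the (timestamp, serial) pair is
# the event id that ties the AVC record to its SYSCALL record.
HEADER_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Group audit records by event id so AVC and SYSCALL can be correlated.
    Returns {event_id: {"AVC": [fields, ...], "SYSCALL": fields}}."""
    events = {}
    for line in text.splitlines():
        hdr = HEADER_RE.search(line)
        if not hdr:
            continue
        event = events.setdefault(hdr.group("ts") + ":" + hdr.group("serial"), {})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if hdr.group("type") == "AVC":
            avc = AVC_RE.search(line)
            fields["result"] = avc.group("result")
            fields["perms"] = sorted(avc.group("perms").split())
            event.setdefault("AVC", []).append(fields)
        else:
            event[hdr.group("type")] = fields
    return events


def domain(context):
    """Type field of a context: system_u:system_r:abrt_t:s0-s0:c0.c1023 -> abrt_t."""
    return context.split(":")[2]


def suggest_rule(avc):
    """The raw allow rule audit2allow would print for one AVC record."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        domain(avc["scontext"]), domain(avc["tcontext"]), avc["tclass"], perm_text)


def triage(events):
    """One summary per AVC record. only_logged is True when the kernel logged
    a denial but the syscall still succeeded, i.e. permissive mode (or a
    permissive domain): the access was audited, not blocked."""
    out = []
    for event_id, rec in sorted(events.items()):
        syscall = rec.get("SYSCALL", {})
        for avc in rec.get("AVC", []):
            out.append({
                "event": event_id,
                "comm": avc.get("comm"),
                "exe": syscall.get("exe"),
                "source": domain(avc["scontext"]),
                "target": domain(avc["tcontext"]),
                "class": avc["tclass"],
                "perms": avc["perms"],
                "path": avc.get("path"),
                "only_logged": avc["result"] == "denied" and syscall.get("success") == "yes",
                "rule": suggest_rule(avc),
            })
    return out


if __name__ == "__main__":
    for item in triage(parse_audit(SAMPLE_AUDIT)):
        mode = "permissive: logged, not blocked" if item["only_logged"] else "enforced"
        print("%s: %s (%s) %s -> %s:%s %s on %s [%s]" % (
            item["event"], item["comm"], item["exe"], item["source"], item["target"],
            item["class"], " ".join(item["perms"]), item["path"], mode))
        print("  audit2allow would suggest:", item["rule"])
```

On a live system the same parser takes the output of `ausearch -m AVC,SYSCALL -ts recent`. Use the generated rule only to understand the denial; as in this bug, the right fix is usually an existing interface in the distribution policy, and a denial with only_logged set is a reminder that the machine is already granting the access, so the policy gap is real even though nothing visibly failed.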

Comment 1 Daniel Walsh 2010-06-25 18:12:55 UTC
James, Any idea why yum would be connecting to the avahi socket?

Comment 2 Daniel Walsh 2010-06-25 18:39:47 UTC
Miroslav,

Add

sysnet_dns_name_resolve(abrt_t)

Comment 3 Daniel Walsh 2010-06-25 18:42:34 UTC
Fixed in selinux-policy-3.8.6-1.fc14

Comment 4 James Antill 2010-06-25 19:27:07 UTC
Not sure if you worked it out, but from the first comment:

"which in turn need to resolve *.local domain, and nss-mdns asks avahi for it."

...we might get downloads/DNS happening in a separate process at some point, but for now they are in yum.

Comment 5 Daniel Walsh 2010-06-25 19:47:25 UTC
Yes, I stumbled upon the answer.

