Bug 608025 - SELinux is preventing /usr/bin/python "connectto" access on /var/run/avahi-daemon/socket.
SELinux is preventing /usr/bin/python "connectto" access on /var/run/ava...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2010-06-25 08:37 EDT by Tomasz Torcz
Modified: 2010-06-25 15:47 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-06-25 14:42:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomasz Torcz 2010-06-25 08:37:44 EDT

SELinux is preventing /usr/bin/python "connectto" access on

This is caused by having proxy=http://something.local in /etc/yum.conf.
Abrt runs yum-downloader, which in turn need to resolve *.local domain, and nss-mdns asks avahi for it.

Szczegółowy opis:

[SELinux jest w trybie zezwalania. Ten dostęp nie został odmówiony.]

SELinux denied access requested by yum. It is not expected that this access is
required by yum and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Dodatkowe informacje:

Kontekst źródłowy          system_u:system_r:abrt_t:s0-s0:c0.c1023
Kontekst docelowy             system_u:system_r:avahi_t:s0
Obiekty docelowe              /var/run/avahi-daemon/socket [ unix_stream_socket
Źródło                     yum
Ścieżka źródłowa         /usr/bin/python
Port                          <Nieznane>
Komputer                      (usunięto)
Źródłowe pakiety RPM       python-2.6.5-17.fc14
Docelowe pakiety RPM          
Pakiet RPM polityki           selinux-policy-3.8.5-1.fc14
SELinux jest włączony       True
Typ polityki                  targeted
Tryb wymuszania               Permissive
Nazwa wtyczki                 catchall
Nazwa komputera               (usunięto)
Platforma                     Linux (usunięto) 2.6.35-0.2.rc3.git0.fc14.x86_64 #1
                              SMP Tue Jun 22 23:41:48 UTC 2010 x86_64 x86_64
Liczba alarmów               1
Po raz pierwszy               pią, 25 cze 2010, 14:32:39
Po raz ostatni                pią, 25 cze 2010, 14:32:39
Lokalny identyfikator         f9320e59-a1f5-4d30-8f27-712750837504
Liczba wierszy                

Surowe komunikaty audytu      

node=(usunięto) type=AVC msg=audit(1277469159.289:53415): avc:  denied  { connectto } for  pid=16217 comm="yum" path="/var/run/avahi-daemon/socket" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket

node=(usunięto) type=SYSCALL msg=audit(1277469159.289:53415): arch=c000003e syscall=42 success=yes exit=4294967424 a0=9 a1=7f18d86fe1c0 a2=6e a3=7f18d86fdf40 items=0 ppid=16215 pid=16217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,yum,abrt_t,avahi_t,unix_stream_socket,connectto
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t avahi_t:unix_stream_socket connectto;
Comment 1 Daniel Walsh 2010-06-25 14:12:55 EDT
James, Any idea why yum would be connecting to the avahi socket?
Comment 2 Daniel Walsh 2010-06-25 14:39:47 EDT


Comment 3 Daniel Walsh 2010-06-25 14:42:34 EDT
Fixed in selinux-policy-3.8.6-1.fc14
Comment 4 James Antill 2010-06-25 15:27:07 EDT
Not sure if you worked it out, but from the first comment:

"which in turn need to resolve *.local domain, and nss-mdns asks avahi for it."

...we might get downloads/DNS happening in a separate process at some point, but for now they are in yum.
Comment 5 Daniel Walsh 2010-06-25 15:47:25 EDT
Yes I stumbled upon the answer.

Note You need to log in before you can comment on or make changes to this bug.