Red Hat Bugzilla – Bug 716927
enforcing MLS: avahi-browse blocked by SELinux
Last modified: 2012-09-24 03:40:40 EDT
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-mls-2.4.6-316.el5 selinux-policy-devel-2.4.6-316.el5 selinux-policy-2.4.6-316.el5 selinux-policy-strict-2.4.6-316.el5 selinux-policy-targeted-2.4.6-316.el5 selinux-policy-minimum-2.4.6-316.el5 avahi-0.6.16-10.el5_6 avahi-tools-0.6.16-10.el5_6 avahi-glib-0.6.16-10.el5_6 How reproducible: always Steps to Reproduce: # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: mls # run_init service avahi-daemon status Authenticating root. Password: Avahi daemon is not running # run_init service avahi-daemon start Authenticating root. Password: Starting Avahi daemon... [ OK ] # run_init service avahi-daemon status Authenticating root. Password: Avahi daemon is running # setenforce 0 # avahi-browse -c -a + eth0 IPv6 hp-rx8640-02 [00:1b:78:XX:XX:XX] Workstation local + eth0 IPv4 hp-rx8640-02 [00:1b:78:YY:YY:YY] Workstation local # setenforce 1 # avahi-browse -c -a Failed to create client object: Access denied # echo $? 1 # Actual results: ---- time->Mon Jun 27 09:26:56 2011 type=USER_AVC msg=audit(1309181216.351:1899): user pid=3704 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=10163 tpid=10123 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:avahi_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' ---- Expected results: * no USER_AVCs
We have optional_policy(` avahi_dbus_chat($1_usertype) ') in userdom_common_user_template() interface in RHEL6.
Looks good, although I doubt avahi is in the allowed package list for MLS. As a matter of fact neither is dbus.
Fixed in selinux-policy-2.4.6-318.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html