Bug 716927 - enforcing MLS: avahi-browse blocked by SELinux
Summary: enforcing MLS: avahi-browse blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-27 13:39 UTC by Milos Malik
Modified: 2012-09-24 07:40 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-318.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 05:47:06 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0158 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-02-20 14:53:50 UTC

Description Milos Malik 2011-06-27 13:39:16 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-316.el5
selinux-policy-devel-2.4.6-316.el5
selinux-policy-2.4.6-316.el5
selinux-policy-strict-2.4.6-316.el5
selinux-policy-targeted-2.4.6-316.el5
selinux-policy-minimum-2.4.6-316.el5
avahi-0.6.16-10.el5_6
avahi-tools-0.6.16-10.el5_6
avahi-glib-0.6.16-10.el5_6

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# run_init service avahi-daemon status
Authenticating root.
Password: 
Avahi daemon is not running
# run_init service avahi-daemon start
Authenticating root.
Password: 
Starting Avahi daemon... [  OK  ]
# run_init service avahi-daemon status
Authenticating root.
Password: 
Avahi daemon is running
# setenforce 0
# avahi-browse -c -a
+ eth0 IPv6 hp-rx8640-02 [00:1b:78:XX:XX:XX]              Workstation          local
+ eth0 IPv4 hp-rx8640-02 [00:1b:78:YY:YY:YY]              Workstation          local
# setenforce 1
# avahi-browse -c -a
Failed to create client object: Access denied
# echo $?
1
#

Actual results:
----
time->Mon Jun 27 09:26:56 2011
type=USER_AVC msg=audit(1309181216.351:1899): user pid=3704 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=10163 tpid=10123 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:avahi_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
----

Expected results:
* no USER_AVCs
Comment 1 Miroslav Grepl 2011-06-27 16:54:28 UTC 
We have 

        optional_policy(`
            avahi_dbus_chat($1_usertype)
        ')

in userdom_common_user_template() interface in RHEL6.
Comment 2 Daniel Walsh 2011-06-28 10:40:05 UTC 
Looks good, although I doubt avahi is in the allowed package list for MLS.  As a matter of fact neither is dbus.
Comment 8 Miroslav Grepl 2011-10-20 15:38:16 UTC 
Fixed in selinux-policy-2.4.6-318.el5
Comment 11 errata-xmlrpc 2012-02-21 05:47:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
Note You need to log in before you can comment on or make changes to this bug.