First Last Prev Next    This bug is not in your last search results.
Bug 716927 - enforcing MLS: avahi-browse blocked by SELinux
enforcing MLS: avahi-browse blocked by SELinux
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-27 09:39 EDT by Milos Malik
Modified: 2012-09-24 03:40 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-318.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 00:47:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Milos Malik 2011-06-27 09:39:16 EDT 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-316.el5
selinux-policy-devel-2.4.6-316.el5
selinux-policy-2.4.6-316.el5
selinux-policy-strict-2.4.6-316.el5
selinux-policy-targeted-2.4.6-316.el5
selinux-policy-minimum-2.4.6-316.el5
avahi-0.6.16-10.el5_6
avahi-tools-0.6.16-10.el5_6
avahi-glib-0.6.16-10.el5_6

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# run_init service avahi-daemon status
Authenticating root.
Password: 
Avahi daemon is not running
# run_init service avahi-daemon start
Authenticating root.
Password: 
Starting Avahi daemon... [  OK  ]
# run_init service avahi-daemon status
Authenticating root.
Password: 
Avahi daemon is running
# setenforce 0
# avahi-browse -c -a
+ eth0 IPv6 hp-rx8640-02 [00:1b:78:XX:XX:XX]              Workstation          local
+ eth0 IPv4 hp-rx8640-02 [00:1b:78:YY:YY:YY]              Workstation          local
# setenforce 1
# avahi-browse -c -a
Failed to create client object: Access denied
# echo $?
1
#

Actual results:
----
time->Mon Jun 27 09:26:56 2011
type=USER_AVC msg=audit(1309181216.351:1899): user pid=3704 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.Avahi.Server member=GetAPIVersion dest=org.freedesktop.Avahi spid=10163 tpid=10123 scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:avahi_t:s0-s15:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
----

Expected results:
* no USER_AVCs
Comment 1 Miroslav Grepl 2011-06-27 12:54:28 EDT 
We have 

        optional_policy(`
            avahi_dbus_chat($1_usertype)
        ')

in userdom_common_user_template() interface in RHEL6.
Comment 2 Daniel Walsh 2011-06-28 06:40:05 EDT 
Looks good, although I doubt avahi is in the allowed package list for MLS.  As a matter of fact neither is dbus.
Comment 8 Miroslav Grepl 2011-10-20 11:38:16 EDT 
Fixed in selinux-policy-2.4.6-318.el5
Comment 11 errata-xmlrpc 2012-02-21 00:47:06 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.