SELinux is preventing /usr/lib/iscan/network from 'execute_no_trans' accesses on the file /usr/lib/iscan/network.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that network should be allowed execute_no_trans access on the network file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep network /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/iscan/network [ file ]
Source                        network
Source Path                   /usr/lib/iscan/network
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iscan-network-nt-1.1.0-2
Target RPM Packages           iscan-network-nt-1.1.0-2
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.41.1-1.fc15.i686.PAE #1 SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Wed 23 Nov 2011 10:44:23 AM CET
Last Seen                     Wed 23 Nov 2011 10:47:58 AM CET
Local ID                      2bc4279f-ff82-4591-a8cd-fc69bf05eaf6

Raw Audit Messages
type=AVC msg=audit(1322041678.105:21): avc: denied { execute_no_trans } for pid=1339 comm="colord" path="/usr/lib/iscan/network" dev=dm-1 ino=547904 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

type=SYSCALL msg=audit(1322041678.105:21): arch=i386 syscall=execve success=yes exit=0 a0=bff88d24 a1=bff87cdc a2=bff8a3bc a3=1 items=0 ppid=1326 pid=1339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=network exe=/usr/lib/iscan/network subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: network,colord_t,lib_t,file,execute_no_trans

audit2allow

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;

audit2allow -R

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;
Fixed in selinux-policy-3.9.16-49.fc15
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
On my system this problem has respawned after the last update. In this update the modified packages are (this is a reduced version of the output of yum history info <id>):

updated curl-7.21.7-5.fc16.x86_64 @fedora → 7.21.7-6.fc16.x86_64 @updates
updated dhclient-12:4.2.3-5.P2.fc16.x86_64 → 12:4.2.3-6.P2.fc16.x86_64 @updates
updated dhcp-common-12:4.2.3-5.P2.fc16.x86_64 → 12:4.2.3-6.P2.fc16.x86_64 @updates
updated dhcp-libs-12:4.2.3-5.P2.fc16.x86_64 → 12:4.2.3-6.P2.fc16.x86_64 @updates
removed kernel-3.1.8-2.fc16.x86_64 → installed kernel-3.2.2-1.fc16.x86_64 @updates
removed kernel-devel-3.1.8-2.fc16.x86_64 → installed kernel-devel-3.2.2-1.fc16.x86_64 @updates
updated kernel-headers-3.2.1-3.fc16.x86_64 → 3.2.2-1.fc16.x86_64 @updates
updated kernel-tools-3.2.1-3.fc16.x86_64 → 3.2.2-1.fc16.x86_64 @updates
updated libblkid-2.20.1-2.1.fc16.x86_64 → 2.20.1-2.2.fc16.x86_64 @updates
updated libcurl-7.21.7-5.fc16.x86_64 @fedora → 7.21.7-6.fc16.x86_64 @updates
updated libcurl-devel-7.21.7-5.fc16.x86_64 @fedora → 7.21.7-6.fc16.x86_64 @updates
updated libmount-2.20.1-2.1.fc16.x86_64 → 2.20.1-2.2.fc16.x86_64 @updates
updated libuuid-2.20.1-2.1.fc16.i686 → 2.20.1-2.2.fc16.i686 @updates
updated libuuid-2.20.1-2.1.fc16.x86_64 → 2.20.1-2.2.fc16.x86_64 @updates
updated mdadm-3.2.2-15.fc16.x86_64 → 3.2.3-3.fc16.x86_64 @updates
updated python-kitchen-1.0.0-1.fc16.noarch @fedora → 1.1.0-1.fc16.noarch @updates
updated rsyslog-5.8.5-1.fc16.x86_64 @fedora → 5.8.7-1.fc16.x86_64 @updates
updated setroubleshoot-3.0.45-1.fc16.x86_64 → 3.1.2-1.fc16.x86_64 @updates
updated setroubleshoot-server-3.0.45-1.fc16.x86_64 → 3.1.2-1.fc16.x86_64 @updates
updated t1lib-5.1.2-7.fc15.x86_64 @fedora → 5.1.2-9.fc16.x86_64 @updates
updated util-linux-2.20.1-2.1.fc16.x86_64 → 2.20.1-2.2.fc16.x86_64 @updates

My system is Fedora 16 x86_64. After the update I rebooted into runlevel 3 to install the nvidia proprietary driver for the new kernel, and after the next reboot the SELinux problem was back again.

Hope this can help.
Please show the AVC's and do not assume this is the same.
Ok, here you are ;-)
Some parts of the message were translated into my home language, so I've re-translated them to English.

SELinux is preventing /usr/libexec/colord from execute_no_trans access on the None /usr/lib64/iscan/network.

***** Plugin catchall (100. confidence) suggests ****************************

If you believe that colord should be allowed execute_no_trans access on the network <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib64/iscan/network [ None ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          fedora-16
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora-16
Platform                      Linux fedora-16 3.2.2-1.fc16.x86_64 #1 SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Sat 28 Jan 2012 2:07:32 PM CET
Last Seen                     Mon 30 Jan 2012 1:36:22 PM CET
Local ID                      815358c3-8bb0-4dfb-bdaf-c43ab55d41fa

Raw Audit Messages
type=AVC msg=audit(1327926982.971:81): avc: denied { execute_no_trans } for pid=2205 comm="colord" path="/usr/lib64/iscan/network" dev=sda11 ino=1446877 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=fedora-16 type=SYSCALL msg=audit(1327926982.971:81): arch=c000003e syscall=59 success=no exit=-13 a0=cb2dd0 a1=7fff6d594450 a2=7fff6d596b48 a3=7fff6d596270 items=0 ppid=2175 pid=2205 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,lib_t,None,execute_no_trans

audit2allow

audit2allow -R

I don't know why SELinux can't see the RPM packages, but on my system they are the following:

# yum provides /usr/bin/iscan
[...]
iscan-2.28.0-2.ltdl7.x86_64 : simple, easy to use scanner utility for EPSON scanners
Repo        : @/iscan-2.28.0-2.ltdl7.x86_64
Corrispondenza trovata in:
Nome file   : /usr/bin/iscan

# yum provides /usr/lib64/iscan/network
[...]
iscan-network-nt-1.1.0-2.x86_64 : Image Scan! Network Plugin
Repo        : @/iscan-network-nt-1.1.0-2.x86_64
Corrispondenza trovata in:
Nome file   : /usr/lib64/iscan/network

# yum info selinux-policy
Plugin abilitati:langpacks, presto, refresh-packagekit
Pacchetti installati
Nome        : selinux-policy
Arch        : noarch
Versione    : 3.10.0
Rilascio    : 72.fc16
Dimensione  : 8.8 M
Repo        : installed
Dal repo    : updates
Sommario    : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
Licenza     : GPLv2+
Descrizione : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision 2.20091117
There is a bug in the policy. If you execute

# chcon -t bin_t /usr/lib64/iscan/network

are you getting more AVC msgs?
This has changed things. After applying that context to /usr/lib64/iscan/network I tried a reboot and that AVC was not shown. But now I see another kind of AVC:

SELinux is preventing /usr/libexec/colord from name_connect access on the None .

***** Plugin catchall (100. confidence) suggests ****************************

If you believe that colord should be allowed name_connect access on the <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                [ None ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          fedora-16
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora-16
Platform                      Linux fedora-16 3.2.2-1.fc16.x86_64 #1 SMP Thu Jan 26 03:21:58 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 30 Jan 2012 19:33:08 CET
Last Seen                     Mon 30 Jan 2012 19:33:08 CET
Local ID                      66d87bde-d68f-42ce-aa69-b9dde16c3797

Raw Audit Messages
type=AVC msg=audit(1327948388.548:101): avc: denied { name_connect } for pid=2231 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=fedora-16 type=SYSCALL msg=audit(1327948388.548:101): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fffdfd591e0 a2=10 a3=7fffdfd58f40 items=0 ppid=1 pid=2231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,port_t,None,name_connect

audit2allow

audit2allow -R

Do you think that a complete iscan reinstall would resolve these problems?
Ok, colord shouldn't need this access. You can either allow it or dontaudit using local policy:

# grep colord_t /var/log/audit/audit.log | audit2allow -D -M mycolord
# semodule -i mycolord.pp
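The two denials quoted in this thread, run through a minimal re-implementation of the rule derivation audit2allow performs, as an added shell example (not code from the bug report or from the SELinux tools). The AVC records are constructed copies of the ones above, and avc_rules / mislabelled_exec are names chosen here; it shows what "allow" versus "dontaudit" (audit2allow -D) would emit, and flags the lib_t execute denial as a labelling problem rather than a missing rule.

```shell
#!/bin/sh
# Added example (not from the bug report): derive the type-enforcement rule that
# audit2allow would print from raw AVC records, so the difference between "allow"
# and "dontaudit" (audit2allow -D, as suggested above) is visible before any module
# is built or loaded. POSIX sh + awk only, no policy tools required.

# Constructed copies of the two denials quoted in this report (SYSCALL record trimmed).
AVC_LOG='type=AVC msg=audit(1327926982.971:81): avc:  denied  { execute_no_trans } for  pid=2205 comm="colord" path="/usr/lib64/iscan/network" dev=sda11 ino=1446877 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1327926982.971:81): arch=c000003e syscall=59 success=no exit=-13 comm="colord" exe="/usr/libexec/colord"
type=AVC msg=audit(1327948388.548:101): avc:  denied  { name_connect } for  pid=2231 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_rules KIND: read audit records on stdin, print one unique rule per
# (source type, target type, class, permissions). KIND is "allow" (plain
# audit2allow) or "dontaudit" (audit2allow -D). Non-AVC records are skipped.
avc_rules() {
    awk -v kind="$1" '
        # user:role:type[:range] -> type, after stripping the scontext=/tcontext= key
        function type_of(field,  p) { sub(/^[a-z]*=/, "", field); split(field, p, ":"); return p[3] }
        $1 != "type=AVC" { next }
        {
            perms = ""; src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{")                 # collect every permission up to the closing brace
                    for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms (perms == "" ? "" : " ") $j
                if ($i ~ /^scontext=/) src = type_of($i)
                if ($i ~ /^tcontext=/) tgt = type_of($i)
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            if (index(perms, " ")) perms = "{ " perms " }"   # several permissions: brace them
            rule = kind " " src " " tgt ":" cls " " perms ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

# mislabelled_exec: filter the rules for the pattern behind the first denial here.
# A file that a domain executes but that carries lib_t is mislabelled (lib_t is for
# libraries); the right fix is the label (the chcon -t bin_t above), not a rule.
mislabelled_exec() {
    grep -E ' lib_t:file (execute|execute_no_trans);$'
}

printf '%s\n' "$AVC_LOG" | avc_rules allow
printf '%s\n' "$AVC_LOG" | avc_rules dontaudit
printf '%s\n' "$AVC_LOG" | avc_rules allow | mislabelled_exec
```

Feed it the real log (`grep colord_t /var/log/audit/audit.log | avc_rules dontaudit`) to preview what the -D module would contain before running audit2allow -M.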
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping