libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.2-1.fc17.x86_64
time: Tuesday 24 April 2012 10:43:43 PM IST

description:
SELinux is preventing /usr/bin/bash from using the 'net_admin' capabilities.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Default /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects [ capability ]
Source Default
Source Path /usr/bin/bash
Port <Unknown>
Host (removed)
Source RPM Packages bash-4.2.24-1.fc17.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-116.fc17.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.3.2-1.fc17.x86_64 #1 SMP Fri Apr 13 20:23:49 UTC 2012 x86_64 x86_64
Alert Count 3
First Seen Tuesday 24 April 2012 04:17:48 PM IST
Last Seen Tuesday 24 April 2012 10:10:43 PM IST
Local ID 493b2c67-ff52-41db-a582-b6fbddc96c11

Raw Audit Messages
type=AVC msg=audit(1335285643.607:256): avc: denied { net_admin } for pid=27351 comm="Default" capability=12 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1335285643.607:256): avc: denied { write } for pid=27351 comm="Default" name="icmp_echo_ignore_all" dev="proc" ino=22700 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=SYSCALL msg=audit(1335285643.607:256): arch=x86_64 syscall=open success=no exit=EACCES a0=24fefe0 a1=201 a2=1b6 a3=fffffffe items=0 ppid=27218 pid=27351 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=Default exe=/usr/bin/bash subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

Hash: Default,xdm_t,xdm_t,capability,net_admin

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
What is Default, and what is it doing with icmp_echo_ignore_all? This looks like local customization and probably not something you want the login program doing. You can add dontaudit rules:
# grep xdm_t /var/log/audit/audit.log | audit2allow -M myxdm
# semodule -i myxdm.pp
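The triage question above ("what is Default?") can be answered from the raw audit records in the report: the AVC records and the SYSCALL record share the audit serial (256), and the SYSCALL record carries exe=/usr/bin/bash, so "Default" is a script being run by bash out of the gdm session setup, writing to the icmp_echo_ignore_all sysctl. The following is an added example, not code from this bug, from the reporter, or from setroubleshoot or selinux-policy: it parses the three records quoted above (embedded here as constructed sample input), joins AVC and SYSCALL records by serial, and rebuilds the comma-separated "Hash" line shown in the report. The layout of that signature (comm, source type, target type, class, permissions) is an assumption inferred from the one Hash line visible on this page, not taken from setroubleshoot's source.

```python
import re
from collections import defaultdict

# Constructed sample input: the three raw audit records quoted in the report
# above, re-joined onto one line each (audit.log writes one record per line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1335285643.607:256): avc:  denied  { net_admin } for  pid=27351 comm="Default" capability=12  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1335285643.607:256): avc:  denied  { write } for  pid=27351 comm="Default" name="icmp_echo_ignore_all" dev="proc" ino=22700 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=SYSCALL msg=audit(1335285643.607:256): arch=x86_64 syscall=open success=no exit=EACCES a0=24fefe0 a1=201 a2=1b6 a3=fffffffe items=0 ppid=27218 pid=27351 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=Default exe=/usr/bin/bash subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

# Every audit record starts with its type and a (timestamp:serial) pair.
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
# AVC records then carry the decision and the permission set in braces.
AVC_RE = re.compile(r"avc:\s+(?P<action>denied|granted)\s+\{ (?P<perms>[^}]*) \}")
# Everything else is key=value, with values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict; returns None for lines that are not audit records."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = {"type": head.group("type"), "serial": int(head.group("serial")),
           "time": float(head.group("ts"))}
    body = line[head.end():]
    if rec["type"] == "AVC":
        avc = AVC_RE.search(body)
        if not avc:
            return None
        rec["action"] = avc.group("action")
        rec["perms"] = avc.group("perms").split()
        body = body[avc.end():]
    # Remaining key=value pairs; quoted values lose their quotes.
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def parse_events(log_text):
    """Group AVC and SYSCALL records by serial so each denial can be tied to the exe behind it."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "AVC":
            events[rec["serial"]]["avc"].append(rec)
        elif rec["type"] == "SYSCALL":
            events[rec["serial"]]["syscall"] = rec
    return dict(events)


def selinux_type(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def signature(avc):
    """Rebuild the 'Hash' line from the report: comm, source type, target type, class, permissions.
    Assumption: this layout is inferred from the single Hash line on the page."""
    return ",".join([avc["comm"], selinux_type(avc["scontext"]),
                     selinux_type(avc["tcontext"]), avc["tclass"]] + avc["perms"])


def describe(events):
    """One human-readable line per denial, naming the binary behind comm when a SYSCALL record exists."""
    out = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        exe = sc.get("exe", "?") if sc else "?"
        for avc in ev["avc"]:
            # File denials name the object; capability denials only have the target domain.
            target = avc.get("name") or selinux_type(avc["tcontext"])
            out.append(f"{serial}: {avc['comm']} ({exe}) in {selinux_type(avc['scontext'])} "
                       f"{avc['action']} {' '.join(avc['perms'])} on {avc['tclass']} {target}")
    return out


if __name__ == "__main__":
    for line in describe(parse_events(SAMPLE_AUDIT_LOG)):
        print(line)
```

Running this over a real audit.log (for example after `grep xdm_t /var/log/audit/audit.log`) gives the same per-denial summary without generating a policy module, which is the step to do before deciding between an allow rule, a dontaudit rule (which only silences the log and grants nothing), or, as in this bug, a policy change that gives the admin-controlled gdm scripts their own domain.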
Actually I just spoke to the gdm packager here and now I understand a little better what you are doing.
Miroslav, gdm executes /etc/gdm/*/Default or /etc/gdm/*/:[0-9]+ as root, and administrators can put anything they want into these files. I think to make this work we will need a new domain gdm_unconfined_t and gdm_unconfined_exec_t, so when gdm executes these executables, they will be allowed full control on a system that does not have the unconfined domain disabled.
Fixed in selinux-policy-3.10.0-118.fc17.noarch
selinux-policy-3.10.0-119.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-119.fc17
Package selinux-policy-3.10.0-121.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.