libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.5.2-1.fc17.x86_64
time: Mon 20 Aug 2012 06:14:21 PM EDT

description:
:SELinux is preventing /usr/lib64/dbus-1/dbus-daemon-launch-helper from 'name_connect' accesses on the tcp_socket .
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that dbus-daemon-launch-helper should be allowed name_connect access on the tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep dbus-daemon-lau /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
:Target Context system_u:object_r:ephemeral_port_t:s0
:Target Objects [ tcp_socket ]
:Source dbus-daemon-lau
:Source Path /usr/lib64/dbus-1/dbus-daemon-launch-helper
:Port 39816
:Host (removed)
:Source RPM Packages dbus-1.4.10-4.fc17.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-145.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Permissive
:Host Name (removed)
:Platform Linux (removed) 3.5.2-1.fc17.x86_64 #1 SMP Wed Aug
: 15 16:09:27 UTC 2012 x86_64 x86_64
:Alert Count 4
:First Seen 2012-08-20 18:11:19 EDT
:Last Seen 2012-08-20 18:13:18 EDT
:Local ID 6fefe390-90b1-4dbb-a396-03daf459141b
:
:Raw Audit Messages
:type=AVC msg=audit(1345500798.727:102): avc: denied { name_connect } for pid=2997 comm="dbus-daemon-lau" dest=39816 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1345500798.727:102): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffcfec6f60 a2=10 a3=0 items=0 ppid=2996 pid=2997 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: dbus-daemon-lau,system_dbusd_t,ephemeral_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t ephemeral_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t ephemeral_port_t:tcp_socket name_connect;
:
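An added example, not part of the bug report nor of the audit2allow or selinux-policy tools: a small Python parser that reads the two raw audit records quoted above (embedded below as constructed sample input), derives the same TE allow rule that audit2allow printed, and uses the paired SYSCALL record's success=yes to report that the denial was only logged in permissive mode, not enforced.

```python
# Added example (not from the bug report or the selinux-policy project): parse
# AVC/SYSCALL audit records into the TE rule audit2allow would emit, and flag
# whether the access was actually blocked.
import re

# Constructed sample: the two audit records from the report, one per line.
AUDIT_LOG = """\
type=AVC msg=audit(1345500798.727:102): avc: denied { name_connect } for pid=2997 comm="dbus-daemon-lau" dest=39816 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1345500798.727:102): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=7fffcfec6f60 a2=10 a3=0 items=0 ppid=2996 pid=2997 auid=4294967295 uid=81 gid=81 euid=0 suid=0 fsuid=0 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?success=(?P<success>\w+)')

def type_of(context):
    """system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 -> system_dbusd_t (third field)."""
    return context.split(":")[2]

def parse_denials(log):
    """One dict per AVC denial. 'enforced' is False when the SYSCALL record with
    the same serial shows success=yes, i.e. the domain ran permissive."""
    syscalls = {m.group("serial"): m.group("success") for m in SYSCALL_RE.finditer(log)}
    denials = []
    for m in AVC_RE.finditer(log):
        denials.append({
            "serial": m.group("serial"),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": sorted(m.group("perms").split()),
            "enforced": syscalls.get(m.group("serial")) != "yes",
        })
    return denials

def allow_rule(d):
    """The TE rule audit2allow prints for one denial (same form as in the report)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return "allow %s %s:%s %s;" % (d["source"], d["target"], d["tclass"], perms)

if __name__ == "__main__":
    for d in parse_denials(AUDIT_LOG):
        note = "enforced" if d["enforced"] else "permissive: syscall succeeded"
        print("%s  # %s" % (allow_rule(d), note))
```

Because ephemeral_port_t covers the whole ephemeral port range, the generated rule is broad; the thread's actual fix was a policy update rather than loading this local module.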
Do you know what you were doing when this happened?
This is an upgrade from F16 via preupgrade. There was an existing NetworkManager VPN (openvpn) connection in F16, which worked with no errors. In F17 the same connection is causing the SELinux message provided above.
Ok, it could be an upgrade issue. Are you still getting it?
Yes, every time a VPN connection is established.
Ok, does it happen also if you log out/in?
Even after upgrading to the latest as of now and rebooting.
Colin any idea what is happening here?
Could be the machine has say an LDAP NSS module configured, and the launch helper is calling getpwent()? Hard to say without a stack trace.
Do you have nis/ypbind setup?
(In reply to comment #9)
> Do you have nis/ypbind setup?

yes, NIS is configured
Is allow_ypbind turned on?

getsebool allow_ypbind
(In reply to comment #11)
> Is allow_ypbind turned on?
>
> getsebool allow_ypbind

# getsebool allow_ypbind
allow_ypbind --> on
In F18 I added ephemeral_port_t to all interfaces that use generic ports, which would add them to the list used by nsswitch. We need to backport corenetwork.if.in from F18 to F17.
Backported to F17.
selinux-policy-3.10.0-150.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-150.fc17
Package selinux-policy-3.10.0-150.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-150.fc17'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14725/selinux-policy-3.10.0-150.fc17
then log in and leave karma (feedback).
After upgrading to selinux-policy-3.10.0-150.fc17.noarch, this sealert is no longer reproducible.
Great. Thanks for testing.
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.