Description of problem:
Setting up the 'minimum' SELinux policy prevents 'connectto' on the unix_stream_socket /run/dbus/system_bus_socket for some processes:
1. bluetoothd
2. cupsd
3. sedispatch

Version-Release number of selected component (if applicable):
/usr/bin/bluetoothd - 4.99
cups - 1:1.5.4-2.fc17
selinux-policy* - 3.10.0-149.fc17
libselinux* - 2.1.10-3.fc17

How reproducible:
always

Steps to Reproduce:
1. # yum install selinux-policy-minimum
2. # edit /etc/selinux/config to enable it
3. reboot system

Actual results:
System does not boot

Additional info:
Could you attach AVC msgs? Thank you.
If the SELinux policy is enforced, /var/log/messages fills with thousands of messages:

Sep 26 10:27:04 f17-32-01 sedispatch: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied): AVC Will be dropped

DETAILS FOR cupsd:

SELinux is preventing /usr/sbin/cupsd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cupsd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           cups-1.5.4-2.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:10:54 FET
Last Seen                     2012-09-27 08:10:54 FET
Local ID                      cc665fa4-9489-4a5d-b843-07bd59a2b91b

Raw Audit Messages
type=AVC msg=audit(1348722654.123:100): avc: denied { connectto } for pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff781a0 a2=b74adff4 a3=bff78330 items=0 ppid=1 pid=1070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,init_t,unix_stream_socket,connectto

audit2allow

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;
For bluetoothd:

SELinux is preventing /usr/sbin/bluetoothd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bluetoothd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep bluetoothd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bluetooth_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        bluetoothd
Source Path                   /usr/sbin/bluetoothd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           bluez-4.99-2.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      3302669e-b352-48d3-993f-272a6adb73db

Raw Audit Messages
type=AVC msg=audit(1348722573.582:47): avc: denied { connectto } for pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

type=SYSCALL msg=audit(1348722573.582:47): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfb00fd0 a2=b75d9ff4 a3=bfb01160 items=0 ppid=1 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/sbin/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)

Hash: bluetoothd,bluetooth_t,init_t,unix_stream_socket,connectto

audit2allow

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;
For sedispatch:

SELinux is preventing sedispatch from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sedispatch should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep sedispatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:audisp_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        sedispatch
Source Path                   sedispatch
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      0c7d0c6b-850b-4750-b999-cfef2dd32bd0

Raw Audit Messages
type=AVC msg=audit(1348722573.537:45): avc: denied { connectto } for pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Hash: sedispatch,audisp_t,init_t,unix_stream_socket,connectto

audit2allow

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;
And also, not described above:

The source process: systemd-journal
Attempted this access: getattr
On this directory: /sys/fs/cgroup

SELinux is preventing systemd-journal from getattr access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed getattr access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   2
First Seen                    2012-09-26 12:37:19 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      f15c3f1a-0c45-457f-bc61-1bc8f1b76af7

Raw Audit Messages
type=AVC msg=audit(1348723238.897:113): avc: denied { getattr } for pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Hash: systemd-journal,syslogd_t,cgroup_t,dir,getattr

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir getattr;

And also:

The source process: systemd-journal
Attempted this access: search
On this directory: /sys/fs/cgroup

SELinux is preventing systemd-journal from search access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed search access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686 #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:20:38 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      ae0b2f5f-9c91-448b-9b1a-dad74d1ccb2e

Raw Audit Messages
type=AVC msg=audit(1348723238.897:114): avc: denied { search } for pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Hash: systemd-journal,syslogd_t,cgroup_t,dir,search

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'
allow syslogd_t cgroup_t:dir search;
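The audit2allow output quoted in the comments above is derived mechanically from the raw AVC records. The script below is an added example, not code from this bug or from Fedora's audit2allow: it parses the raw AVC lines quoted in this report (embedded here as a constructed sample, together with one SYSCALL record to show that non-AVC lines are skipped), merges repeated denials per source type, target type and object class the way audit2allow does, and renders the .te source that "audit2allow -M mypol" would hand to semodule, including the require block that the quoted output omits. It also lists the source domains whose denials target init_t. That check rests on an assumption, consistent with the later comment that dbus should move into the base minimum policy: /run/dbus/system_bus_socket carries the init_t label because dbus-daemon never transitioned into its own domain, so an "allow ... init_t:unix_stream_socket connectto" rule would grant access to every init_t-owned socket, far more than the denial suggests. The names AVC_RE, collect_rules, allow_rules, render_te and init_t_targets are this example's own.

```python
"""Minimal audit2allow-style rule generator (added example, not Fedora's audit2allow)."""
import re
from collections import defaultdict

# Fields we need from an AVC record; anything between 'for' and scontext= is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: the raw AVC records quoted in this bug, one per line, plus one
# SYSCALL record that must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348722654.123:100): avc:  denied  { connectto } for  pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 comm=cupsd exe=/usr/sbin/cupsd
type=AVC msg=audit(1348722573.582:47): avc:  denied  { connectto } for  pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348722573.537:45): avc:  denied  { connectto } for  pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348723238.897:113): avc:  denied  { getattr } for  pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1348723238.897:114): avc:  denied  { search } for  pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
"""


def context_type(ctx):
    """user:role:type[:mls-range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return context_type(m.group("scon")), context_type(m.group("tcon")), m.group("tclass"), perms


def collect_rules(log_text):
    """Aggregate denials into {(stype, ttype, tclass): set(perms)}, merging repeats."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def format_perms(perms):
    """Single permission bare, several in braces, as policy syntax requires."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(rules):
    """Render allow rules grouped by source type, in audit2allow's output style."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in rules.items():
        by_source[stype].append((ttype, tclass, perms))
    out = []
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for ttype, tclass, perms in sorted(by_source[stype], key=lambda r: (r[0], r[1])):
            out.append(f"allow {stype} {ttype}:{tclass} {format_perms(perms)};")
    return out


def render_te(rules, module="mypol"):
    """Emit loadable-module .te source: header, require block, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {format_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"


def init_t_targets(rules):
    """Source domains the generated rules would let reach init_t-labelled objects.
    Heuristic (assumption): a denial on a daemon's socket labelled init_t usually means
    the daemon never left init_t, so an allow rule here papers over a missing module."""
    return sorted({stype for (stype, ttype, _) in rules if ttype == "init_t"})


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG)
    print(render_te(rules))
    print("# rules targeting init_t (check labelling first):", ", ".join(init_t_targets(rules)))
```

Running it prints the module source for the four rules quoted above, with the two systemd-journal denials collapsed into one "allow syslogd_t cgroup_t:dir { getattr search };" line, and names audisp_t, bluetooth_t and cupsd_t as domains whose rule would target init_t. On a real system the same check is worth running before "semodule -i": if the target type is init_t or a generic label such as bin_t rather than the daemon's own type, fix the labelling or load the missing module (here, dbus) instead of shipping the allow rule.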
Looks like dbus should be moved into the base required policy for minimum. init_systemd boolean should definitely be turned on in Fedora 17
Well, this is pretty hard to do with the dbus module. Sergey, what does your output of

# semodule -l > /tmp/minimum

look like? Could you attach this minimum file? Thank you.
Created attachment 618423
/tmp/minimum

# semodule -l > /tmp/minimum
Did you turn off this boolean? If you execute

# setsebool -P init_systemd 1

then it should work.