Bug 860604 - selinux-policy-minimum prevents bluetoothd, sedispatch, and cupsd from working
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-26 05:33 EDT by Sergey
Modified: 2014-10-07 00:07 EDT
CC: 4 users
Doc Type: Bug Fix
Last Closed: 2012-10-17 03:58:56 EDT
Type: Bug

Attachments
/tmp/minimum (7.37 KB, text/plain), 2012-09-28 02:07 EDT, Sergey

Description Sergey 2012-09-26 05:33:11 EDT
Description of problem:

Setting up the 'minimum' SELinux policy prevents 'connectto' on the unix_stream_socket /run/dbus/system_bus_socket for some processes:
1. bluetoothd
2. cupsd
3. sedispatch

Version-Release number of selected component (if applicable):
/usr/bin/bluetoothd - 4.99
cups - 1:1.5.4-2.fc17
selinux-policy* - 3.10.0-149.fc17
libselinux* - 2.1.10-3.fc17


How reproducible:
always


Steps to Reproduce:
1. # yum install selinux-policy-minimum
2. # edit /etc/selinux/config to enable it
3. reboot system

Actual results:
System does not boot

Additional info:
Comment 1 Miroslav Grepl 2012-09-26 07:01:19 EDT
Could you attach AVC msgs? Thank you.
Comment 2 Sergey 2012-09-27 01:25:04 EDT
If the SELinux policy is enforced, thousands of messages fall into /var/log/messages:

Sep 26 10:27:04 f17-32-01 sedispatch: Connection Error (Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied): AVC Will be dropped

DETAILS FOR cupsd:

SELinux is preventing /usr/sbin/cupsd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cupsd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           cups-1.5.4-2.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686
                              #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:10:54 FET
Last Seen                     2012-09-27 08:10:54 FET
Local ID                      cc665fa4-9489-4a5d-b843-07bd59a2b91b

Raw Audit Messages
type=AVC msg=audit(1348722654.123:100): avc:  denied  { connectto } for  pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1348722654.123:100): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff781a0 a2=b74adff4 a3=bff78330 items=0 ppid=1 pid=1070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,init_t,unix_stream_socket,connectto

audit2allow

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t init_t:unix_stream_socket connectto;
Comment 3 Sergey 2012-09-27 01:26:15 EDT
For the bluetoothd:

SELinux is preventing /usr/sbin/bluetoothd from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bluetoothd should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bluetoothd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bluetooth_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        bluetoothd
Source Path                   /usr/sbin/bluetoothd
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           bluez-4.99-2.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686
                              #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      3302669e-b352-48d3-993f-272a6adb73db

Raw Audit Messages
type=AVC msg=audit(1348722573.582:47): avc:  denied  { connectto } for  pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1348722573.582:47): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bfb00fd0 a2=b75d9ff4 a3=bfb01160 items=0 ppid=1 pid=549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/sbin/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)

Hash: bluetoothd,bluetooth_t,init_t,unix_stream_socket,connectto

audit2allow

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= bluetooth_t ==============
allow bluetooth_t init_t:unix_stream_socket connectto;
Comment 4 Sergey 2012-09-27 01:27:07 EDT
For sedispatch:

SELinux is preventing sedispatch from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sedispatch should be allowed connectto access on the system_bus_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sedispatch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:audisp_t:s0
Target Context                system_u:system_r:init_t:s0-s0:c0.c1023
Target Objects                /run/dbus/system_bus_socket [ unix_stream_socket ]
Source                        sedispatch
Source Path                   sedispatch
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686
                              #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:09:33 FET
Last Seen                     2012-09-27 08:09:33 FET
Local ID                      0c7d0c6b-850b-4750-b999-cfef2dd32bd0

Raw Audit Messages
type=AVC msg=audit(1348722573.537:45): avc:  denied  { connectto } for  pid=423 comm="sedispatch" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket


Hash: sedispatch,audisp_t,init_t,unix_stream_socket,connectto

audit2allow

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;

audit2allow -R

#============= audisp_t ==============
allow audisp_t init_t:unix_stream_socket connectto;
Comment 5 Sergey 2012-09-27 01:32:38 EDT
And also, not described above:

The source process: systemd-journal
Attempted this access: getattr
On this directory: /sys/fs/cgroup

SELinux is preventing systemd-journal from getattr access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed getattr access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686
                              #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   2
First Seen                    2012-09-26 12:37:19 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      f15c3f1a-0c45-457f-bc61-1bc8f1b76af7

Raw Audit Messages
type=AVC msg=audit(1348723238.897:113): avc:  denied  { getattr } for  pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir


Hash: systemd-journal,syslogd_t,cgroup_t,dir,getattr

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'

allow syslogd_t cgroup_t:dir getattr;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'

allow syslogd_t cgroup_t:dir getattr;

And also:

The source process: systemd-journal
Attempted this access: search
On this directory: /sys/fs/cgroup

SELinux is preventing systemd-journal from search access on the directory /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-journal should be allowed search access on the cgroup directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:cgroup_t:s0
Target Objects                /sys/fs/cgroup [ dir ]
Source                        systemd-journal
Source Path                   systemd-journal
Port                          <Unknown>
Host                          f17-32-01.corp.zapdvin.by
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   minimum
Enforcing Mode                Permissive
Host Name                     f17-32-01.corp.zapdvin.by
Platform                      Linux f17-32-01.corp.zapdvin.by 3.5.4-1.fc17.i686
                              #1 SMP Mon Sep 17 15:41:12 UTC 2012 i686 i686
Alert Count                   1
First Seen                    2012-09-27 08:20:38 FET
Last Seen                     2012-09-27 08:20:38 FET
Local ID                      ae0b2f5f-9c91-448b-9b1a-dad74d1ccb2e

Raw Audit Messages
type=AVC msg=audit(1348723238.897:114): avc:  denied  { search } for  pid=283 comm="systemd-journal" name="/" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir


Hash: systemd-journal,syslogd_t,cgroup_t,dir,search

audit2allow

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'

allow syslogd_t cgroup_t:dir search;

audit2allow -R

#============= syslogd_t ==============
#!!!! This avc can be allowed using the boolean 'init_systemd'

allow syslogd_t cgroup_t:dir search;
Comment 6 Daniel Walsh 2012-09-27 10:43:52 EDT
Looks like dbus should be moved into the base required policy for minimum. The init_systemd boolean should definitely be turned on in Fedora 17.
Comment 7 Miroslav Grepl 2012-09-27 13:16:53 EDT
Well, this is pretty hard to do with the dbus module.

Sergey,
how does your output of

# semodule -l > /tmp/minimum

look? Could you attach this minimum file? Thank you.
Comment 8 Sergey 2012-09-28 02:07:18 EDT
Created attachment 618423
/tmp/minimum

# semodule -l > /tmp/minimum
Comment 9 Miroslav Grepl 2012-10-17 03:58:56 EDT
Did you turn off this boolean?

If you execute

# setsebool -P init_systemd 1

then it should work.
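The denials in this bug all have the same shape, and the resolution hinges on what the minimum policy has loaded. As an added triage helper (not code from the report or from selinux-policy), this script rebuilds the audit2allow rule from raw AVC lines and checks a captured `semodule -l` listing for the dbus module that comment 6 says the minimum policy lacks. The AVC records are the ones quoted above; the module listing is a constructed stand-in for the reporter's /tmp/minimum.

```shell
#!/bin/sh
# Added example, not code from the bug report: turn raw AVC records into the
# rule audit2allow printed, and check whether a module (here dbus) appears in
# a captured `semodule -l` listing. All sample data below is constructed.

# The three AVC records quoted in comments 2, 3 and 5.
SAMPLE_AVCS='type=AVC msg=audit(1348722654.123:100): avc:  denied  { connectto } for  pid=1070 comm="cupsd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348722573.582:47): avc:  denied  { connectto } for  pid=549 comm="bluetoothd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:init_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1348723238.897:113): avc:  denied  { getattr } for  pid=283 comm="systemd-journal" path="/sys/fs/cgroup" dev="tmpfs" ino=7281 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir'

# Constructed stand-in for /tmp/minimum: one "name version" line per loaded
# module, as semodule -l prints it. Note that dbus is not in the list.
SAMPLE_MODULES='base 1.0
cups 1.15.0
bluetooth 3.4.0
audit 1.0
init 1.0'

# The third field of a context such as system_u:system_r:cupsd_t:s0 is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_to_rule LINE -> "allow <src_t> <tgt_t>:<class> <perm>;" in audit2allow
# style (braces only when several permissions were denied at once).
avc_to_rule() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
    src=$(ctx_type "$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    tgt=$(ctx_type "$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perm" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    case $perm in *' '*) perm="{ $perm }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# module_loaded LISTING NAME -> exit 0 if NAME is a loaded module in LISTING.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Stand-alone run: print the rule for every sample AVC, then the dbus check.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r line; do
    avc_to_rule "$line" || echo "unparsed: $line"
done
if module_loaded "$SAMPLE_MODULES" dbus; then
    echo "dbus module loaded"
else
    echo "dbus module missing: connectto to the system bus socket will be denied"
fi
```

On a real host, feed `grep '^type=AVC' /var/log/audit/audit.log` into `avc_to_rule` and `semodule -l` into `module_loaded` instead of the samples; a rule whose target is init_t on the system bus socket, as here, points at the missing dbus policy rather than at the calling daemon.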
