Bug 874059 - SELinux policy prevents tuned daemon from communicating over DBus
Summary: SELinux policy prevents tuned daemon from communicating over DBus
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 882922
 
Reported: 2012-11-07 11:52 UTC by Jan Vcelak
Modified: 2013-03-04 01:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 882922 (view as bug list)
Environment:
Last Closed: 2012-12-20 16:14:38 UTC
Type: Bug
Embargoed:



Description Jan Vcelak 2012-11-07 11:52:13 UTC
Description of problem:

Tuned daemon provides DBus interface for enumeration and activation of tuning profiles. This interface is used by tuned-adm tool.


Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-156.fc17.noarch
tuned-2.0.3-1.fc17.noarch (coming to updates soon)

How reproducible:
always


Steps to Reproduce:
1. service tuned start
2. tuned-adm list
3. service tuned stop


Actual results:

# service tuned start
Redirecting to /bin/systemctl start  tuned.service
# tuned-adm list
Cannot talk to Tuned daemon via DBus.
# service tuned stop
Redirecting to /bin/systemctl stop  tuned.service

+ AVC denials in the audit.log


Expected results:
# service tuned start
Redirecting to /bin/systemctl start  tuned.service
# tuned-adm list
Available profiles:
- balanced
- latency-performance
- powersave
- throughput-performance
- virtual-guest
- virtual-host
No current active profile.
# service tuned stop
Redirecting to /bin/systemctl stop  tuned.service

+ no AVC denials


Additional info:

audit.log entries after issuing "service tuned start":

type=AVC msg=audit(1352288523.994:5107): avc:  denied  { search } for  pid=30847 comm="tuned" name="dbus" dev="tmpfs" ino=13639 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1352288523.994:5107): avc:  denied  { write } for  pid=30847 comm="tuned" name="system_bus_socket" dev="tmpfs" ino=13640 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1352288523.994:5107): avc:  denied  { connectto } for  pid=30847 comm="tuned" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1352288523.994:5107): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7fdf74eae3f0 a2=21 a3=6e75722f7261762f items=0 ppid=1 pid=30847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)
type=USER_AVC msg=audit(1352288523.996:5108): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=30846 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1352288524.001:5109): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=com.redhat.tuned spid=30846 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1352288524.003:5110): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

audit.log entries after issuing "tuned-adm list":

type=USER_AVC msg=audit(1352288532.156:5111): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.959 spid=30852 tpid=30846 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1352288532.157:5112): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.960 spid=30846 tpid=30852 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1352288532.158:5113): avc:  denied  { search } for  pid=30847 comm="tuned" name="devel" dev="dm-2" ino=4065970 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1352288532.158:5113): arch=c000003e syscall=4 success=no exit=-2 a0=7fdf70009f80 a1=7fdf74ead880 a2=7fdf74ead880 a3=6e75742f6374652f items=0 ppid=1 pid=30847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tuned" exe="/usr/bin/python2.7" subj=system_u:system_r:tuned_t:s0 key=(null)

audit.log entries after issuing "service tuned stop":

type=SERVICE_STOP msg=audit(1352288540.092:5114): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="tuned" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
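
Added example (not part of the original report and not selinux-policy code): a small Python parser that groups the denials logged above by source type, target type and object class, which makes visible that the dbus-class denials run in both directions between tuned_t and the unconfined_t caller. The sample log is constructed by trimming records from this report, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: records trimmed from the audit.log excerpt in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1352288523.994:5107): avc:  denied  { write } for  pid=30847 comm="tuned" name="system_bus_socket" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1352288523.994:5107): avc:  denied  { connectto } for  pid=30847 comm="tuned" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1352288523.994:5107): arch=c000003e syscall=42 success=yes exit=0 comm="tuned" subj=system_u:system_r:tuned_t:s0 key=(null)
type=USER_AVC msg=audit(1352288523.996:5108): pid=879 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call member=Hello spid=30846 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1352288524.001:5109): pid=879 uid=81 msg='avc:  denied  { acquire_svc } for service=com.redhat.tuned spid=30846 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1352288532.156:5111): pid=879 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call member=Introspect spid=30852 tpid=30846 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(1352288532.157:5112): pid=879 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_return spid=30846 tpid=30852 scontext=system_u:system_r:tuned_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon"'
"""

# Kernel denials are type=AVC; denials enforced by dbus-daemon are type=USER_AVC.
DENIAL = re.compile(
    r"type=(?:USER_)?AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\w+)"
)

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m is None:
            continue  # SYSCALL, SERVICE_START etc. carry no denial
        key = (sel_type(m["src"]), sel_type(m["tgt"]), m["cls"])
        summary[key].update(m["perms"].split())
    return dict(summary)

def as_rules(summary):
    """Render the grouping in allow-rule notation for reading, not as a fix."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize_denials(SAMPLE_LOG))))
```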

Comment 1 Miroslav Grepl 2012-11-07 12:21:23 UTC
I backported fixes from F18.

Comment 2 Fedora Update System 2012-11-21 11:52:58 UTC
selinux-policy-3.10.0-161.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-161.fc17

Comment 3 Fedora Update System 2012-11-22 03:54:52 UTC
Package selinux-policy-3.10.0-161.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-161.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18787/selinux-policy-3.10.0-161.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-12-20 16:14:42 UTC
selinux-policy-3.10.0-161.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

