With ipa/sssd (freeipa-client-2.2.1-2.fc17.x86_64, sssd-client-1.8.5-3.fc17.x86_64) and SELinux I get a lot of messages like this:

------------------------
SELinux is preventing /usr/bin/evince-thumbnailer from connectto access on the unix_stream_socket /var/lib/sss/pipes/nss.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that evince-thumbnailer should be allowed connectto access on the nss unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:sssd_t:s0
Target Objects                /var/lib/sss/pipes/nss [ unix_stream_socket ]
Source                        evince-thumbnai
Source Path                   /usr/bin/evince-thumbnailer
Port                          <Unknown>
Host                          foo.bar
Source RPM Packages           evince-3.4.0-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-166.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.bar
Platform                      Linux foo.bar 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-01-29 09:11:14 CET
Last Seen                     2013-01-29 09:11:14 CET
Local ID                      22e7c557-055b-459a-95fe-6e258ffca03f

Raw Audit Messages
type=AVC msg=audit(1359447074.747:858): avc: denied { connectto } for pid=17232 comm="evince-thumbnai" path="/var/lib/sss/pipes/nss" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket

type=SYSCALL msg=audit(1359447074.747:858): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fff94f61370 a2=6e a3=7f33d6ba1180 items=0 ppid=16383 pid=17232 auid=1702200013 uid=1702200013 gid=1702200013 euid=1702200013 suid=1702200013 fsuid=1702200013 egid=1702200013 sgid=1702200013 fsgid=1702200013 ses=64 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: evince-thumbnai,thumb_t,sssd_t,unix_stream_socket,connectto

audit2allow

#============= thumb_t ==============
allow thumb_t sssd_t:unix_stream_socket connectto;

audit2allow -R

#============= thumb_t ==============
allow thumb_t sssd_t:unix_stream_socket connectto;
------------------------

I don't know if this is the correct way to allow /usr/bin/evince-thumbnailer access to /var/lib/sss/pipes/nss?
I think we should dontaudit this.

# grep thumb_t /var/log/audit/audit.log | audit2allow -DM mythumb
# semodule -i mythumb.pp

Will stop it from complaining.

Made this change to git.
cad2c7c2160368b19ff7c0d917d4b6f45897e5d4
Backported.
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17
Package selinux-policy-3.10.0-167.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17
then log in and leave karma (feedback).
It looks like 'selinux-policy-3.10.0-167.fc17' fixed the problem for me.
Thank you for testing.
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Today I had again a problem with /usr/bin/evince-thumbnailer, this time it's a write access on the sock_file /var/lib/sss/pipes/nss (before it was connectto access on the unix_stream_socket /var/lib/sss/pipes/nss). The selinux-policy-3.10.0-166.fc17.noarch is active, so I guess the evince-thumbnailer still creates SELinux messages.

------------------------
SELinux is preventing /usr/bin/evince-thumbnailer from write access on the sock_file /var/lib/sss/pipes/nss.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that evince-thumbnailer should be allowed write access on the nss sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss/pipes/nss [ sock_file ]
Source                        evince-thumbnai
Source Path                   /usr/bin/evince-thumbnailer
Port                          <Unknown>
Host                          foo.bar
Source RPM Packages           evince-3.4.0-2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.bar
Platform                      Linux foo.bar 3.7.3-101.fc17.x86_64 #1 SMP Fri Jan 18 17:40:57 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-02-13 18:11:06 CET
Last Seen                     2013-02-13 18:11:06 CET
Local ID                      ce6dc5c9-e4b4-4ec9-9e5f-650470587a7c

Raw Audit Messages
type=AVC msg=audit(1360775466.172:3031): avc: denied { write } for pid=10684 comm="evince-thumbnai" name="nss" dev="sda3" ino=655923 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1360775466.172:3031): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fffc3d33b50 a2=6e a3=7f9b8f9f9180 items=0 ppid=9764 pid=10684 auid=1702200019 uid=1702200019 gid=1702200019 euid=1702200019 suid=1702200019 fsuid=1702200019 egid=1702200019 sgid=1702200019 fsgid=1702200019 ses=331 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: evince-thumbnai,thumb_t,sssd_var_lib_t,sock_file,write

audit2allow

#============= thumb_t ==============
allow thumb_t sssd_var_lib_t:sock_file write;

audit2allow -R

#============= thumb_t ==============
allow thumb_t sssd_var_lib_t:sock_file write;
------------------------
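To make concrete how the `allow` rules quoted in this report (and the `dontaudit` variant from the `audit2allow -D` suggestion) are derived from the raw AVC records, here is an added, stand-alone Python sketch. It is not audit2allow or any Fedora tooling; the regex and rule formatting are a deliberate simplification that only handles the fields present in the two denials above, which are used as the sample input.

```python
"""Derive audit2allow-style TE rules from raw AVC denials (illustrative sketch)."""
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in this bug report, plus one SYSCALL
# record to show that non-AVC lines are skipped.
AVC_LOG = """\
type=AVC msg=audit(1359447074.747:858): avc: denied { connectto } for pid=17232 comm="evince-thumbnai" path="/var/lib/sss/pipes/nss" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1359447074.747:858): arch=x86_64 syscall=connect success=no exit=EACCES
type=AVC msg=audit(1360775466.172:3031): avc: denied { write } for pid=10684 comm="evince-thumbnai" name="nss" dev="sda3" ino=655923 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
"""

# Simplified pattern (my own, not audit2allow's parser): permissions in braces,
# then the source/target security contexts and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the field TE rules are written against)."""
    return ctx.split(":")[2]

def parse_denials(log: str):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no denial
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))

def build_rules(log: str, dontaudit: bool = False):
    """Merge permissions per (source, target, class) and emit one TE rule each.

    dontaudit=True mirrors audit2allow -D: the access stays denied and only the
    AVC noise is silenced; False emits rules that would grant the access."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log):
        merged[(stype, ttype, tclass)] |= perms
    keyword = "dontaudit" if dontaudit else "allow"
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        plist = f"{{ {plist} }}" if len(perms) > 1 else plist
        rules.append(f"{keyword} {stype} {ttype}:{tclass} {plist};")
    return rules

if __name__ == "__main__":
    for rule in build_rules(AVC_LOG, dontaudit=True):
        print(rule)
```

Run without `dontaudit=True` and the output matches the two `allow` lines quoted from `audit2allow` above; with it you get the rules the `audit2allow -DM mythumb` suggestion would produce instead.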
Sorry, I mean the selinux-policy-3.10.0-167.fc17.noarch is active.