Bug 966110 - Permission attach_queue in class tun_socket not defined in policy
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified Unspecified
Priority: unspecified, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-05-22 10:00 EDT by Matthieu Saulnier
Modified: 2013-06-03 15:20 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-03 15:20:51 EDT
Type: Bug
Description Matthieu Saulnier 2013-05-22 10:00:16 EDT
Description of problem:
When I install a new module or disable an old one, I get this log in /var/log/messages:

May 22 15:08:04 localhost kernel: [  556.998115] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 15:08:04 localhost kernel: [  556.998121] SELinux: the above unknown classes and permissions will be allowed
May 22 15:08:04 localhost dbus-daemon[548]: dbus[548]: avc:  received policyload notice (seqno=3)
May 22 15:08:04 localhost dbus[548]: avc:  received policyload notice (seqno=3)
May 22 15:08:04 localhost dbus-daemon[548]: dbus[548]: [system] Reloaded configuration
May 22 15:08:04 localhost dbus[548]: [system] Reloaded configuration


Version-Release number of selected component (if applicable):
selinux-policy-3.11.1-95.fc18.noarch


How reproducible:
Always


Steps to Reproduce:
1. semodule -d old_module_name
OR
semodule -i new_module.pp
Comment 1 Daniel Walsh 2013-05-23 10:54:57 EDT
If you rebuild new_module.pp does the problem go away?  Is this a policy built on a newer system being installed on an older system?
Comment 2 Matthieu Saulnier 2013-05-24 05:07:37 EDT
(In reply to Daniel Walsh from comment #1)
> If you rebuild new_module.pp does the problem go away?
nope

> Is this a policy
> built on a newer system being installed on an older system?
No, it was a policy to allow postfix cleanup on my f18 server; the policy has been built and installed on my f18 server.

In fact, this message appeared for the first time just after the update to selinux-policy-3.11.1-95:



May 22 01:30:02 localhost dbus-daemon[532]: dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:30:02 localhost dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:30:02 localhost dbus-daemon[532]: dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:30:02 localhost dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:31:57 localhost yum[6031]: Updated: selinux-policy-3.11.1-95.fc18.noarch
May 22 01:31:58 localhost yum[6031]: Updated: 1:perl-parent-0.225-243.fc18.noarch
May 22 01:31:58 localhost yum[6031]: Updated: 1:perl-Pod-Escapes-1.04-244.fc18.noarch
May 22 01:31:59 localhost yum[6031]: Updated: perl-Pod-Perldoc-3.17.00-244.fc18.noarch
May 22 01:31:59 localhost yum[6031]: Updated: perl-threads-shared-1.40-244.fc18.x86_64
May 22 01:32:00 localhost yum[6031]: Updated: perl-Scalar-List-Utils-1.25-244.fc18.x86_64
May 22 01:32:00 localhost yum[6031]: Updated: perl-PathTools-3.39.2-244.fc18.x86_64
May 22 01:32:01 localhost yum[6031]: Updated: 1:perl-Pod-Simple-3.20-244.fc18.noarch
May 22 01:32:01 localhost yum[6031]: Updated: perl-Carp-1.26-243.fc18.noarch
May 22 01:32:02 localhost yum[6031]: Updated: 4:perl-macros-5.16.3-244.fc18.x86_64
May 22 01:32:03 localhost yum[6031]: Updated: 4:perl-libs-5.16.3-244.fc18.x86_64
May 22 01:32:03 localhost yum[6031]: Updated: 1:perl-Module-Pluggable-4.00-244.fc18.noarch
May 22 01:32:04 localhost yum[6031]: Updated: perl-threads-1.86-243.fc18.x86_64
May 22 01:32:04 localhost yum[6031]: Updated: perl-Pod-Parser-1.51-244.fc18.noarch
May 22 01:32:10 localhost yum[6031]: Updated: 4:perl-5.16.3-244.fc18.x86_64
May 22 01:32:11 localhost yum[6031]: Updated: perl-Data-Dumper-2.135.06-244.fc18.x86_64
May 22 01:32:11 localhost yum[6031]: Updated: perl-Test-Harness-3.23-244.fc18.noarch
May 22 01:32:12 localhost yum[6031]: Updated: perl-HTTP-Tiny-0.017-244.fc18.noarch
May 22 01:32:12 localhost yum[6031]: Updated: perl-Digest-1.17-244.fc18.noarch
May 22 01:32:13 localhost yum[6031]: Updated: perl-ExtUtils-Manifest-1.61-243.fc18.noarch
May 22 01:32:13 localhost yum[6031]: Updated: perl-ExtUtils-Install-1.58-244.fc18.noarch
May 22 01:32:14 localhost yum[6031]: Updated: 1:perl-ExtUtils-ParseXS-3.16-244.fc18.noarch
May 22 01:32:14 localhost yum[6031]: Updated: 4:perl-devel-5.16.3-244.fc18.x86_64
May 22 01:32:15 localhost yum[6031]: Updated: perl-ExtUtils-MakeMaker-6.63.2-244.fc18.noarch
May 22 01:32:16 localhost yum[6031]: Updated: krb5-libs-1.10.3-17.fc18.x86_64
May 22 01:32:17 localhost yum[6031]: Updated: krb5-workstation-1.10.3-17.fc18.x86_64
May 22 01:32:18 localhost yum[6031]: Updated: perl-CPAN-1.9800-244.fc18.noarch
May 22 01:32:18 localhost yum[6031]: Updated: perl-Test-Simple-0.98-243.fc18.noarch
May 22 01:32:19 localhost yum[6031]: Updated: perl-Digest-MD5-2.51-244.fc18.x86_64
May 22 01:32:19 localhost yum[6031]: Updated: 3:perl-version-0.99-244.fc18.noarch
May 22 01:32:19 localhost yum[6031]: Updated: 1:perl-Package-Constants-0.02-244.fc18.noarch
May 22 01:32:20 localhost yum[6031]: Updated: 1:perl-IO-Zlib-1.10-244.fc18.noarch
May 22 01:32:49 localhost kernel: [242928.681217] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 01:32:49 localhost kernel: [242928.681223] SELinux: the above unknown classes and permissions will be allowed
May 22 01:32:49 localhost dbus-daemon[532]: dbus[532]: avc:  received policyload notice (seqno=2)
May 22 01:32:49 localhost dbus[532]: avc:  received policyload notice (seqno=2)
May 22 01:32:50 localhost dbus-daemon[532]: dbus[532]: [system] Reloaded configuration
May 22 01:32:50 localhost dbus[532]: [system] Reloaded configuration
May 22 01:32:50 localhost yum[6031]: Updated: selinux-policy-targeted-3.11.1-95.fc18.noarch
May 22 01:32:52 localhost yum[6031]: Updated: selinux-policy-doc-3.11.1-95.fc18.noarch
May 22 01:33:19 localhost yum[6031]: Updated: selinux-policy-devel-3.11.1-95.fc18.noarch
May 22 01:33:20 localhost yum[6031]: Updated: openldap-2.4.35-4.fc18.1.x86_64
May 22 01:33:21 localhost yum[6031]: Updated: python-lxml-3.2.1-1.fc18.x86_64
May 22 01:33:39 localhost dbus-daemon[532]: dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:33:39 localhost dbus[532]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 22 01:33:39 localhost dbus-daemon[532]: dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 22 01:33:39 localhost dbus[532]: [system] Successfully activated service 'org.freedesktop.PackageKit'


However it appeared after update to selinux-policy-3.11.1-96 too:


May 24 10:33:52 localhost yum[15265]: Updated: systemd-201-2.fc18.7.x86_64
May 24 10:33:52 localhost yum[15265]: Updated: selinux-policy-3.11.1-96.fc18.noarch
May 24 10:34:19 localhost yum[15265]: Updated: selinux-policy-devel-3.11.1-96.fc18.noarch
May 24 10:34:21 localhost yum[15265]: Updated: selinux-policy-doc-3.11.1-96.fc18.noarch
May 24 10:34:50 localhost kernel: [156879.558713] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 24 10:34:50 localhost kernel: [156879.558718] SELinux: the above unknown classes and permissions will be allowed
May 24 10:34:50 localhost dbus-daemon[548]: dbus[548]: avc:  received policyload notice (seqno=9)
May 24 10:34:50 localhost dbus[548]: avc:  received policyload notice (seqno=9)
May 24 10:34:50 localhost dbus-daemon[548]: dbus[548]: [system] Reloaded configuration
May 24 10:34:50 localhost dbus[548]: [system] Reloaded configuration
Comment 3 Miroslav Grepl 2013-05-28 06:18:32 EDT
Could you remove this local policy and try to reinstall selinux-policy-targeted?

# semodule -r <custom_policy>
# yum reinstall selinux-policy-targeted
Comment 4 Matthieu Saulnier 2013-05-29 13:17:02 EDT
(In reply to Miroslav Grepl from comment #3)
> Could you remove this local policy and try to reinstall
> selinux-policy-targeted
> 
> # semodule -r <custom_policy>
> # yum reinstall selinux-policy-targeted

Thanks a lot, that solved the problem:


May 29 18:56:25 lancaster dbus-daemon[541]: dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:56:25 lancaster dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:56:25 lancaster dbus-daemon[541]: dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:56:25 lancaster dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:59:29 lancaster kernel: [99776.690162] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 29 18:59:29 lancaster kernel: [99776.690169] SELinux: the above unknown classes and permissions will be allowed
May 29 18:59:29 lancaster kernel: [99777.932112] [sched_delayed] sched: RT throttling activated
May 29 18:59:29 lancaster dbus-daemon[541]: dbus[541]: avc:  received policyload notice (seqno=7)
May 29 18:59:29 lancaster dbus[541]: avc:  received policyload notice (seqno=7)
May 29 18:59:29 lancaster dbus-daemon[541]: dbus[541]: [system] Reloaded configuration
May 29 18:59:29 lancaster dbus[541]: [system] Reloaded configuration
May 29 18:59:31 lancaster yum[31025]: Installed: selinux-policy-targeted-3.11.1-96.fc18.noarch
May 29 18:59:31 lancaster dbus-daemon[541]: dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:59:31 lancaster dbus[541]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
May 29 18:59:31 lancaster dbus-daemon[541]: dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
May 29 18:59:31 lancaster dbus[541]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Comment 5 Miroslav Grepl 2013-06-03 15:20:51 EDT
Great.
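
Added example (not part of the bug thread and not code from the selinux-policy project): a shell function that pairs each "not defined in policy" kernel message with the handling line that follows it, so a log review shows which kernel permissions the loaded policy does not know and whether they were allowed or denied. The function names, the output format and the "denied" sample lines are assumptions of this example; the sample input is constructed from the log format shown above.

```shell
#!/bin/sh
# Added example, not from the bug thread. Summarises SELinux "not defined in
# policy" kernel messages together with how the kernel said it handles them.

# Constructed sample input: lines 1-4 copy the format of the logs in this
# report; lines 5-6 are a constructed "denied" variant for comparison.
sample_log() {
    cat <<'EOF'
May 22 15:08:04 localhost kernel: [  556.998115] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 22 15:08:04 localhost kernel: [  556.998121] SELinux: the above unknown classes and permissions will be allowed
May 24 10:34:50 localhost kernel: [156879.558713] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 24 10:34:50 localhost kernel: [156879.558718] SELinux: the above unknown classes and permissions will be allowed
May 30 09:00:00 example kernel: [  100.000001] SELinux:  Permission attach_queue in class tun_socket not defined in policy.
May 30 09:00:00 example kernel: [  100.000002] SELinux: the above unknown classes and permissions will be denied
EOF
}

# selinux_unknown_perms FILE
# Prints "<count> <class> <permission> <handling>" per distinct combination.
selinux_unknown_perms() {
    awk '
    /SELinux: +Permission .* in class .* not defined in policy/ {
        # Locate "Permission <perm> in class <class>" wherever it starts.
        for (i = 1; i <= NF; i++)
            if ($i == "Permission") { perm = $(i + 1); cls = $(i + 4) }
        pending[++n] = cls " " perm
        next
    }
    /SELinux: the above unknown classes and permissions will be/ {
        # This line applies to every message queued since the last policy load.
        for (i = 1; i <= n; i++) count[pending[i] " " $NF]++
        n = 0
        next
    }
    END {
        # Messages with no handling line after them (e.g. truncated log).
        for (i = 1; i <= n; i++) count[pending[i] " unknown"]++
        for (k in count) print count[k], k
    }' "$1" | LC_ALL=C sort -k2
}

# Run against a real log when a path is given: sh this_script /var/log/messages
if [ -n "${1:-}" ]; then
    selinux_unknown_perms "$1"
fi
```

On a live host, the loaded policy's setting for unknown permissions can also be read from /sys/fs/selinux/deny_unknown and /sys/fs/selinux/reject_unknown.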
