Description of problem:
SELinux is preventing /usr/sbin/lldpad from sendto access on the unix_dgram_socket @00022.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that lldpad should be allowed sendto access on the @00022 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lldpad /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:lldpad_t:s0
Target Context                system_u:system_r:fcoemon_t:s0
Target Objects                @00022 [ unix_dgram_socket ]
Source                        lldpad
Source Path                   /usr/sbin/lldpad
Port                          <Unknown>
Host                          dhcp-25-142.brq.redhat.com
Source RPM Packages           lldpad-0.9.45-7.el6.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-211.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     dhcp-25-142.brq.redhat.com
Platform                      Linux dhcp-25-142.brq.redhat.com 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64
Alert Count                   4
First Seen                    Fri 09 Aug 2013 01:05:03 PM CEST
Last Seen                     Fri 09 Aug 2013 01:07:23 PM CEST
Local ID                      0bdce7c6-d5a9-4048-86ed-a9e4e10862f3

Raw Audit Messages
type=AVC msg=audit(1376046443.294:69876): avc: denied { sendto } for pid=2755 comm="lldpad" path=003030303232 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket

type=SYSCALL msg=audit(1376046443.294:69876): arch=x86_64 syscall=sendto success=yes exit=ENOEXEC a0=4 a1=164f160 a2=8 a3=0 items=0 ppid=1 pid=2755 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null)

Hash: lldpad,lldpad_t,fcoemon_t,unix_dgram_socket,sendto

audit2allow

#============= lldpad_t ==============
allow lldpad_t fcoemon_t:unix_dgram_socket sendto;

audit2allow -R

#============= lldpad_t ==============
allow lldpad_t fcoemon_t:unix_dgram_socket sendto;

Steps to Reproduce:
1. Just create virtual machine via VirtManager. Almost default, just Video changed to vga and NIC changed to bridged.
2.
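Added example, not part of the original report and not audit2allow's own code: a small parser for the AVC record above that decodes the hex-encoded path field (003030303232 is a NUL byte followed by "00022", i.e. the abstract-namespace socket shown as @00022) and derives the same allow rule that audit2allow printed. The function names are hypothetical, and the set of fields treated as possibly hex-encoded is an assumption.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of the report above.
AVC_LINE = (
    'type=AVC msg=audit(1376046443.294:69876): avc: denied { sendto } for '
    'pid=2755 comm="lldpad" path=003030303232 '
    'scontext=system_u:system_r:lldpad_t:s0 '
    'tcontext=system_u:system_r:fcoemon_t:s0 tclass=unix_dgram_socket'
)

# Assumption: fields audit may emit as bare hex when they hold unusual bytes.
HEX_FIELDS = {'path', 'name', 'comm', 'exe'}

def decode_value(key, raw):
    """Quoted values are literal; bare even-length hex in HEX_FIELDS is decoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        data = bytes.fromhex(raw)
        # A leading NUL marks an abstract unix socket; tools display it as '@'.
        if data[:1] == b'\0':
            return '@' + data[1:].decode('utf-8', 'replace')
        return data.decode('utf-8', 'replace')
    return raw

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    fields = {'perms': m.group(1).split()}
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        fields[key] = decode_value(key, raw)
    return fields

def context_type(context):
    """SELinux contexts are user:role:type:level; policy rules use the type."""
    return context.split(':')[2]

def allow_rule(fields):
    """Format the denial as a policy rule for review before any module is loaded."""
    perms = fields['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(fields['scontext']),
                                   context_type(fields['tcontext']),
                                   fields['tclass'], perm_txt)

if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(rec['comm'], '->', rec['path'])
    print(allow_rule(rec))
```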
Did you disable the unconfined module?
optional_policy(`
    fcoemon_dgram_send(lldpad_t)
')

will be added. But it should work with enabled unconfined module because of

optional_policy(`
    unconfined_domain(lldpad_t)
')
Yes, I was running with the unconfined module disabled.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html