Re: Is this an error that should be BZ'd?

Hi,

Could you try it with the latest selinux-policy package?

It's fixed in F25 and higher:

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t kernel_t:unix_stream_socket { read write };

$ rpm -q selinux-policy
selinux-policy-3.13.1-225.15.fc25.noarch


Thanks,
Lukas.


On 04/11/2017 08:06 AM, Ed Greshko wrote:
I was having some problems with getting a setting to stick under network
manager.  I wanted to eliminate a silent selinux AVC.  So I issued a
semodule -DB.  This is on F25, BTW.

But now I'm continuously getting the following....

SELinux is preventing systemd from 'read, write' accesses on the
unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed read write access on the
unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:kernel_t:s0-s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          meimei.greshko.com
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     meimei.greshko.com
Platform                      Linux meimei.greshko.com 4.10.8-200.fc25.x86_64 #1
                              SMP Fri Mar 31 13:20:22 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-04-11 13:59:41 CST
Last Seen                     2017-04-11 13:59:41 CST
Local ID                      a9f3060f-290b-4777-bf8f-28d0313ca9f1

Raw Audit Messages
type=AVC msg=audit(1491890381.516:407): avc:  denied  { read write }
for  pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875
scontext=system_u:system_r:init_t:s0
tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023
tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,kernel_t,unix_stream_socket,read,write


Should I follow the recommendation of generating a local policy?  Should
this be BZ'd?





--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
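
An added example, not part of either message and not audit2allow's own code: a small Python parser that reads the raw AVC record quoted in the thread (even when e-mail wrapping has split it across lines) and derives the type-enforcement rule and the comma-separated summary shown in the messages. The function names `parse_avc`, `allow_rule` and `signature` are hypothetical; the sample record is the one from the thread, joined onto one line.

```python
import re

# Constructed sample: the raw AVC record from the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1491890381.516:407): avc:  denied  { read write } '
    'for  pid=1 comm="systemd" path="socket:[65875]" dev="sockfs" ino=65875 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return a dict for one AVC denial, or None if the text is not one."""
    text = ' '.join(record.split())  # undo e-mail line wrapping
    m = AVC_RE.search(text)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(text)}
    try:
        # A context is user:role:type[:mls-range]; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated record: refuse to guess a rule
    # Permissions are sorted so repeated denials compare equal.
    return {'comm': fields.get('comm'), 'source': source, 'target': target,
            'tclass': tclass, 'perms': sorted(m.group('perms').split()),
            'permissive': fields.get('permissive') == '1'}


def allow_rule(avc):
    """Format the denial as the type-enforcement rule that would permit it."""
    return 'allow {source} {target}:{tclass} {{ {p} }};'.format(
        p=' '.join(avc['perms']), **avc)


def signature(avc):
    """Summary key in the same field order as the report's 'Hash:' line."""
    return ','.join([str(avc['comm']), avc['source'], avc['target'],
                     avc['tclass'], *avc['perms']])


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc), signature(avc), sep='\n')
```

The derived rule is the same one the reply reports as already allowed in selinux-policy-3.13.1-225.15.fc25, which is the comparison to make before loading a local module.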



