SELinux is preventing avahi-daemon (avahi_t) "getcap" to <Unknown> (avahi_t).
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 25 17:29:13 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Antonio Olivares wrote:
> Dear all,
>
> I am running rawhide. I see the following:
> Is avahi-deamon doing something that it shouldn't?
>
> Thanks,
>
> Antonio
>
> Summary:
>
> SELinux is preventing avahi-daemon (avahi_t) "getcap"
> to <Unknown> (avahi_t).
>
> Detailed Description:
>
> SELinux denied access requested by avahi-daemon. It is
> not expected that this
> access is required by avahi-daemon and this access may
> signal an intrusion
> attempt. It is also possible that the specific version
> or configuration of the
> application is causing it to require additional
> access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this
> access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable
> SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context
> system_u:system_r:avahi_t
> Target Context
> system_u:system_r:avahi_t
> Target Objects None [ process ]
> Source avahi-daemon
> Source Path /usr/sbin/avahi-daemon
> Port <Unknown>
> Host localhost
> Source RPM Packages avahi-0.6.17-1.fc7
> Target RPM Packages
> Policy RPM
> selinux-policy-3.3.0-1.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost
> Platform Linux localhost
> 2.6.25-0.65.rc2.git7.fc9 #1 SMP
> Sat Feb 23 23:06:09 EST
> 2008 i686 athlon
> Alert Count 12
> First Seen Sat 23 Feb 2008 01:04:44
> PM CST
> Last Seen Mon 25 Feb 2008 07:19:57
> AM CST
> Local ID
> e83550c8-f8d8-4109-9f8f-215e82dbb99c
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost type=AVC msg=audit(1203945597.443:10):
> avc: denied { getcap } for pid=2159
> comm="avahi-daemon"
> scontext=system_u:system_r:avahi_t:s0
> tcontext=system_u:system_r:avahi_t:s0 tclass=process
>
> host=localhost type=SYSCALL
> msg=audit(1203945597.443:10): arch=40000003
> syscall=184 success=no exit=-13 a0=8c60e3c a1=0
> a2=9df0f0 a3=8c60e38 items=0 ppid=1 pid=2159
> auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70
> egid=70 sgid=70 fsgid=70 tty=(none) ses=4294967295
> comm="avahi-daemon" exe="/usr/sbin/avahi-daemon"
> subj=system_u:system_r:avahi_t:s0 key=(null)
>
>
>
>
>
> ____________________________________________________________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
No, I am guessing that some library function or kernel change has
happened to cause all apps that use setcap to need getcap. So I am
making the change in policy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkfC+ukACgkQrlYvE4MpobPQ9ACgzIKefOCCXipfJJgwGs9VUq/l
yR0Anj6oX/fqRl9QmdW/lAgOwnsKnnQf
=Q/Um
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list