I can confirm this bug as well as a long list of additional SELinux violations related to system_dbusd_t. The standard work-around to create a local policy file and add allow statements for all of the system_dbusd_t violations does not work as one of the allows needed is for sys_module. Attempting to allow sys_module appears to violate some global SELinux setting that it not be granted to anything. In general it appears that the policy for system_dbusd_t needs quite a bit of work to reflect a change in the use of dbus that was introduced into Debian unstable in February, 2009. The example for the use of sys_module by wpa_supplicant is pasted below:

Summary:

SELinux is preventing wpa_supplicant (system_dbusd_t) "sys_module" system_dbusd_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by wpa_supplicant. It is not expected that this access is required by wpa_supplicant and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_dbusd_t:s0
Target Context                system_u:system_r:system_dbusd_t:s0
Target Objects                None [ capability ]
Source                        wpa_supplicant
Source Path                   /sbin/wpa_supplicant
Port                          <Unknown>
Host                          pancake
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   default
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     pancake
Platform                      Linux pancake 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686
Alert Count                   11
First Seen                    Fri 27 Feb 2009 06:14:39 PM EST
Last Seen                     Mon 02 Mar 2009 11:31:51 AM EST
Local ID                      d1f6448e-0c2f-447b-aa1c-323bda950867
Line Numbers

Raw Audit Messages

node=pancake type=AVC msg=audit(1236011511.179:7): avc: denied { sys_module } for pid=3080 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability

node=pancake type=SYSCALL msg=audit(1236011511.179:7): arch=40000003 syscall=54 success=no exit=-19 a0=9 a1=8933 a2=bfaa938c a3=bfaa938c items=0 ppid=1 pid=3080 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/sbin/wpa_supplicant" subj=system_u:system_r:system_dbusd_t:s0 key=(null)
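
For triage, the AVC and SYSCALL records in the report above can be paired by audit event id and decoded, which shows what wpa_supplicant was doing when the sys_module check fired. This is an added example, not part of the original message: parse() and explain() are hypothetical names, and the lookup tables hold only a few values taken from the Linux headers.

```python
import errno
import re
from collections import defaultdict

# Constructed input: the two raw audit records quoted in the report above.
AUDIT_LOG = """node=pancake type=AVC msg=audit(1236011511.179:7): avc: denied { sys_module } for pid=3080 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=capability
node=pancake type=SYSCALL msg=audit(1236011511.179:7): arch=40000003 syscall=54 success=no exit=-19 a0=9 a1=8933 a2=bfaa938c a3=bfaa938c items=0 ppid=1 pid=3080 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/sbin/wpa_supplicant" subj=system_u:system_r:system_dbusd_t:s0 key=(null)"""

# Partial tables (assumption: only a handful of entries, not the full header lists).
CAPABILITIES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE", 21: "CAP_SYS_ADMIN"}
I386_SYSCALLS = {5: "open", 54: "ioctl", 102: "socketcall"}
IOCTLS = {0x8913: "SIOCGIFFLAGS", 0x8914: "SIOCSIFFLAGS", 0x8933: "SIOCGIFINDEX"}

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

def parse(log):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log.strip().splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[event_id][rtype] = fields
    return events

def explain(event):
    """Decode one denial: domain, capability, and the syscall that triggered it."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    out = {"comm": avc["comm"], "domain": avc["scontext"].split(":")[2],
           "perms": avc["perms"], "tclass": avc["tclass"]}
    if avc["tclass"] == "capability":
        out["capability"] = CAPABILITIES.get(int(avc["capability"]), "unknown")
    if sc.get("arch") == "40000003":  # AUDIT_ARCH_I386
        out["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), "unknown")
        if out["syscall"] == "ioctl":
            out["request"] = IOCTLS.get(int(sc["a1"], 16), "unknown")  # a1 is hex
        rc = int(sc["exit"])
        out["errno"] = errno.errorcode.get(-rc) if rc < 0 else None
    return out

if __name__ == "__main__":
    for event_id, event in parse(AUDIT_LOG).items():
        print(event_id, explain(event))
```

For the records above it reports capability 16 as CAP_SYS_MODULE, requested during an ioctl with request SIOCGIFINDEX that returned ENODEV.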

