Bug 587953
| Summary: | SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device hwcdrom. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Cássio Magno <kenmatrix> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 13 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:7d0333798890409e21eb09eded377c45abcf3b4c4170855f284d9672463dfbb7 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-07-29 16:38:44 UTC | Type: | --- |
Should this device be labeled the same as /dev/sr0? Is it a removable cdrom device?
Sumário:

SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device hwcdrom.

Descrição detalhada:

SELinux has denied hald-probe-stor "read" access to device hwcdrom. hwcdrom is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v 'hwcdrom'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for hwcdrom, you can use chcon -t SIMILAR_TYPE 'hwcdrom', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE 'hwcdrom' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application.

Permitindo acesso:

Attempt restorecon -v 'hwcdrom' or chcon -t SIMILAR_TYPE 'hwcdrom'

Informações adicionais:

Contexto de origem            system_u:system_r:hald_t:s0
Contexto de destino           system_u:object_r:device_t:s0
Objetos de destino            hwcdrom [ blk_file ]
Origem                        hald-probe-stor
Caminho da origem             /usr/libexec/hald-probe-storage
Porta                         <Desconhecido>
Máquina                       (removed)
Pacotes RPM de origem         hal-0.5.14-2.fc13
Pacotes RPM de destino
RPM da política               selinux-policy-3.7.15-4.fc13
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome do plugin                device
Nome da máquina               (removed)
Plataforma                    Linux (removed) 2.6.33.1-19.fc13.i686 #1 SMP Sat Mar 20 02:34:04 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Sáb 01 Mai 2010 14:46:57 BRT
Visto pela última vez em      Sáb 01 Mai 2010 14:53:00 BRT
ID local                      e8625477-7c8d-4a5f-bf0b-2a7cfe327a5d
Números de linha

Mensagens de auditoria não p

node=(removed) type=AVC msg=audit(1272736380.969:87): avc: denied { read } for pid=14300 comm="hald-probe-stor" name="hwcdrom" dev=devtmpfs ino=1355565 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1272736380.969:87): arch=40000003 syscall=5 success=no exit=-13 a0=bfad6a7c a1=8800 a2=0 a3=bfad6b92 items=0 ppid=1280 pid=14300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-stor" exe="/usr/libexec/hald-probe-storage" subj=system_u:system_r:hald_t:s0 key=(null)

Hash String generated from device,hald-probe-stor,hald_t,device_t,blk_file,read

audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;