Bug 587953

Summary: SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device hwcdrom.
Product: [Fedora] Fedora Reporter: Cássio Magno <kenmatrix>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:7d0333798890409e21eb09eded377c45abcf3b4c4170855f284d9672463dfbb7
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-07-29 16:38:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Cássio Magno 2010-05-01 18:07:23 UTC

SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device

Descrição detalhada:

SELinux has denied hald-probe-stor "read" access to device hwcdrom. hwcdrom is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'hwcdrom'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for hwcdrom, you can use chcon -t
SIMILAR_TYPE 'hwcdrom', If this fixes the problem, you can make this permanent
by executing semanage fcontext -a -t SIMILAR_TYPE 'hwcdrom' If the restorecon
changes the context, this indicates that the application that created the
device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this

Permitindo acesso:

Attempt restorecon -v 'hwcdrom' or chcon -t SIMILAR_TYPE 'hwcdrom'

Informações adicionais:

Contexto de origem            system_u:system_r:hald_t:s0
Contexto de destino           system_u:object_r:device_t:s0
Objetos de destino            hwcdrom [ blk_file ]
Origem                        hald-probe-stor
Caminho da origem             /usr/libexec/hald-probe-storage
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         hal-0.5.14-2.fc13
Pacotes RPM de destino        
RPM da política              selinux-policy-3.7.15-4.fc13
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                device
Nome da máquina              (removed)
Plataforma                    Linux (removed) #1 SMP
                              Sat Mar 20 02:34:04 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Sáb 01 Mai 2010 14:46:57 BRT
Visto pela última vez em     Sáb 01 Mai 2010 14:53:00 BRT
ID local                      e8625477-7c8d-4a5f-bf0b-2a7cfe327a5d
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1272736380.969:87): avc:  denied  { read } for  pid=14300 comm="hald-probe-stor" name="hwcdrom" dev=devtmpfs ino=1355565 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1272736380.969:87): arch=40000003 syscall=5 success=no exit=-13 a0=bfad6a7c a1=8800 a2=0 a3=bfad6b92 items=0 ppid=1280 pid=14300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-stor" exe="/usr/libexec/hald-probe-storage" subj=system_u:system_r:hald_t:s0 key=(null)

Hash String generated from  device,hald-probe-stor,hald_t,device_t,blk_file,read
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;

Comment 1 Daniel Walsh 2010-05-03 18:01:43 UTC
Should this device be labeled the same as /dev/sr0?

Is it a removable cdrom device?