Bug 1116597
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/sbin/upsmon from 'open' accesses on the chr_file /dev/urandom. | | |
| Product | [Fedora] Fedora | Reporter | Bruno Wolff III <bruno> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED RAWHIDE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | rawhide | CC | bruno, dominick.grift, dwalsh, kielogl, lvrabec, mgrepl |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | i686 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:68afca948327d379d6b83b2b8b5b060515134c22ba7d4688958d4b1a611ee098 | | |
| Fixed In Version | selinux-policy-3.13.1-64.fc22 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-07-16 10:05:35 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Bruno Wolff III
2014-07-06 14:21:58 UTC
That is strange, since this is definitely allowed?

*** Bug 1116594 has been marked as a duplicate of this bug. ***

I have been doing some relabels to make sure labelling is up to date, and I didn't go back very far in my logs when I filed the recent series of bugs, but maybe there was a period where something wasn't labelled properly or policy was different. If you want, I can see if the upsmon AVCs are still happening?

I checked, and on one machine I haven't seen this in over a day and a half, but on another I got one within the last day.

type=AVC msg=audit(1404757874.930:43): avc: denied { getattr } for pid=1311 comm="upsmon" path="/dev/urandom" dev="devtmpfs" ino=1048 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Could this have been fixed within the last few days?

Well, it is not allowed. I added it.

commit 72f56829dfc4c7e51e42902caf1a038dcdc2d20a
Author: Miroslav Grepl <mgrepl>
Date: Wed Jul 9 14:17:47 2014 +0200

    Allow all nut domains to read /dev/(u)?random.

The following is also needed to allow fifo in /var/run/nut for upssched timers:

allow nut_upsmon_t nut_var_run_t:sock_file { write create unlink setattr };

a97f16fc364449706b86fec9a919a5d42f9ed455 fixes this in git.

https://github.com/selinux-policy/selinux-policy/commit/5be2c944e525cae9e911fd7fe2f29e7bd39fc4e2

commit 5be2c944e525cae9e911fd7fe2f29e7bd39fc4e2
Author: Dan Walsh <dwalsh>
Date: Mon Jul 14 09:18:18 2014 -0400

    Allow nut_upsmon_t to create sock_file in /run dir
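As an added example that is not part of this bug report or of the selinux-policy project: a small parser that turns audit AVC records like the one quoted above into candidate allow rules, the way audit2allow does, merging permissions per (source type, target type, object class) so that several denials against the same target collapse into one rule. The first sample record is the one from the report; the other records are constructed here to stand for the read/open and sock_file accesses the two commits allow, and their pids, timestamps and the name upssched.pipe are assumptions.

```python
"""Turn raw SELinux AVC audit records into candidate allow rules.

Added example for this bug; not code from selinux-policy or audit2allow.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample. Record :43 is the one quoted in the bug; the rest are
# assumed records for the other accesses the two commits allow, plus one
# non-AVC line to show that unrelated audit records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1404757874.930:43): avc: denied { getattr } for pid=1311 comm="upsmon" path="/dev/urandom" dev="devtmpfs" ino=1048 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1404757874.930:44): avc: denied { read open } for pid=1311 comm="upsmon" path="/dev/urandom" dev="devtmpfs" ino=1048 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1404757900.120:45): avc: denied { create } for pid=1311 comm="upsmon" name="upssched.pipe" scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1404757874.930:43): arch=40000003 syscall=5 success=yes exit=3
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool  # True: logged only, access was not actually blocked
    comm: str


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(
        perms=frozenset(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
        comm=fields.get("comm", "?"),
    )


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def allow_rules(audit_text):
    """Merge all denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            merged[(type_of(avc.scontext), type_of(avc.tcontext), avc.tclass)] |= avc.perms
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def enforced_denials(audit_text):
    """Denials with permissive=0, i.e. accesses that were really refused."""
    return [a for a in map(parse_avc, audit_text.splitlines()) if a and not a.permissive]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for avc in enforced_denials(SAMPLE_AUDIT):
        print(f"enforced: {avc.comm} -> {avc.tclass} {sorted(avc.perms)}")
```

The merged rules are what a local policy module would carry while waiting for the fixed package; whether the installed policy already grants them can be checked with `sesearch -A -s nut_upsmon_t -t urandom_device_t -c chr_file` from setools. Note that permissive=1 on the quoted record only says the access was logged, not refused (the system or the domain was permissive), so a denial recorded that way is still a policy gap the moment enforcing mode is switched on.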