Bug 181489

Summary: haldaemon fails to start when SELinux is enabled
Product: Fedora
Reporter: Jeff Needle <jneedle>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: davidz, johnp, rowan, thethirddoorontheleft
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-14 18:57:54 UTC

Description Jeff Needle 2006-02-14 16:51:36 UTC
# service haldaemon start
Starting HAL daemon:                                       [FAILED]

Feb 14 11:51:47 localhost kernel: audit(1139935907.611:110): avc:  denied  {
setgid } for  pid=3337 comm="hald" capability=6
scontext=user_u:system_r:hald_t:s0 tcontext=user_u:system_r:hald_t:s0
tclass=capability

# setenforce 0

# service haldaemon start
Starting HAL daemon:                                       [  OK  ]


# audit2allow -l -i /var/log/messages

allow NetworkManager_t etc_t:file unlink;
allow NetworkManager_t kernel_t:fd use;
allow automount_t kernel_t:fd use;
allow avahi_t kernel_t:fd use;
allow consoletype_t ptmx_t:chr_file { read write };
allow cpuspeed_t kernel_t:fd use;
allow cupsd_config_t kernel_t:fd use;
allow cupsd_t kernel_t:fd use;
allow dhcpc_t etc_t:file write;
allow fsadm_t etc_t:file write;
allow fsadm_t kernel_t:fd use;
allow getty_t kernel_t:fd use;
allow gpm_t kernel_t:fd use;
allow hald_t self:capability setgid;
allow hald_t kernel_t:fd use;
allow hostname_t kernel_t:fd use;
allow hwclock_t kernel_t:fd use;
allow ifconfig_t ptmx_t:chr_file { read write };
allow irqbalance_t kernel_t:fd use;
allow klogd_t kernel_t:fd use;
allow mount_t etc_t:file write;
allow mount_t kernel_t:fd use;
allow netutils_t kernel_t:fd use;
allow pam_console_t ptmx_t:chr_file { read write };
allow portmap_t kernel_t:fd use;
allow readahead_t kernel_t:fd use;
allow restorecon_t ptmx_t:chr_file { read write };
allow rpcd_t kernel_t:fd use;
allow syslogd_t kernel_t:fd use;
allow system_dbusd_t kernel_t:fd use;
allow unconfined_t self:process execstack;
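
As an added example (not part of the report or of audit2allow itself), a small Python parser that does what audit2allow did above: it turns AVC denial lines into policy allow rules, merging permissions per source/target/class and keeping only the requested source domain, so the one rule this bug actually needed (allow hald_t self:capability setgid;) stands out from the unrelated denials in the same log. The log lines are constructed from the denial in the report, reassembled onto single lines.

```python
import re

# Constructed sample log: the hald setgid denial from the report plus two more
# denials (one for hald_t, one for consoletype_t) to show merging and filtering.
SAMPLE_LOG = """\
Feb 14 11:51:47 localhost kernel: audit(1139935907.611:110): avc:  denied  { setgid } for  pid=3337 comm="hald" capability=6 scontext=user_u:system_r:hald_t:s0 tcontext=user_u:system_r:hald_t:s0 tclass=capability
Feb 14 11:51:47 localhost kernel: audit(1139935907.612:111): avc:  denied  { use } for  pid=3337 comm="hald" path="/dev/null" dev=tmpfs ino=1 scontext=user_u:system_r:hald_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd
Feb 14 11:51:48 localhost kernel: audit(1139935908.100:112): avc:  denied  { read write } for  pid=3350 comm="consoletype" name="ptmx" dev=tmpfs ino=2 scontext=user_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
"""

# Fields of an AVC record we need: the braced permission set, both security
# contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    # A context is user:role:type[:mls]; policy rules are written on the type.
    return context.split(':')[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': type_of(m.group('scontext')),
        'target': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def allow_rule(source, target, tclass, perms):
    # A domain acting on its own context is written as "self", as audit2allow does.
    target = 'self' if source == target else target
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source} {target}:{tclass} {perm_str};'


def rules_for_domain(log, domain):
    # Merge permissions per (source, target, class) and keep only one domain.
    merged = {}
    for line in log.splitlines():
        d = parse_avc(line)
        if d and d['source'] == domain:
            merged.setdefault((d['source'], d['target'], d['tclass']), set()).update(d['perms'])
    return [allow_rule(src, tgt, cls, perms) for (src, tgt, cls), perms in merged.items()]


if __name__ == '__main__':
    print('\n'.join(rules_for_domain(SAMPLE_LOG, 'hald_t')))
```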

Comment 1 John (J5) Palmieri 2006-02-14 16:55:42 UTC
This is due to the latest HAL dropping privileges and using a helper daemon to
execute scripts that need access to root.  David can you elaborate?

Comment 2 Daniel Walsh 2006-02-14 17:09:32 UTC
Can't you give me a heads up before these things hit rawhide?  Please check your
code with selinux in enforcing mode before building into rawhide.

Fixed in selinux-policy-2.2.15-1

Dan

Comment 3 John (J5) Palmieri 2006-02-14 18:57:54 UTC
Works for me

Comment 4 Jeff Needle 2006-02-14 20:40:35 UTC
Yep, works for me too.  And you've gotta love that 18 minute turnaround.

Comment 5 John (J5) Palmieri 2006-02-14 22:20:48 UTC
*** Bug 181542 has been marked as a duplicate of this bug. ***

Comment 6 John (J5) Palmieri 2006-02-14 22:21:43 UTC
*** Bug 181522 has been marked as a duplicate of this bug. ***