Bug 220115
Summary: | Selinux denials with hald
---|---
Product: | [Fedora] Fedora
Reporter: | Adam Huffman <bloch>
Component: | hal
Assignee: | David Zeuthen <davidz>
Status: | CLOSED NEXTRELEASE
Severity: | medium
Priority: | medium
Version: | 6
CC: | jeroen, mclasen, sergio.pasra
Hardware: | x86_64
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2007-12-21 15:06:56 UTC

Description
Adam Huffman
2006-12-18 22:43:36 UTC
Created attachment 143960 [details]
setroubleshoot error report

What actions did you perform to trigger this behaviour? Thanks.

Well, I didn't really do anything, but I think it's caused by an NFS automount that was already mounted. In other words, the denial warning didn't appear directly in response to my action. If it makes any difference, I had resumed from standby (it's a laptop) and had to restart NetworkManager in order to pick up the wireless network again. I didn't do anything directly related to the automounted NFS directory, though.

Just noticed that it does seem to be triggered when gnome-vfs is invoked by (for instance) an open file dialog window in Firefox.

I have a music dir in an NFS share mounted by autofs. When I open the file browser of the music application in order to load a new music list, this SELinux denial is triggered.

I get this, usually on boot:

Summary
SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to /etc/auto.misc (automount_etc_t).

Detailed Description
SELinux denied access requested by /usr/sbin/hald. It is not expected that this access is required by /usr/sbin/hald and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug report against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/auto.misc, restorecon -v /etc/auto.misc. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a bug report against this package. Changing the "hald_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P hald_disable_trans=1."

The following command will allow this access:
setsebool -P hald_disable_trans=1

Additional Information
Source Context: system_u:system_r:hald_t
Target Context: system_u:object_r:automount_etc_t
Target Objects: /etc/auto.misc [ file ]
Affected RPM Packages: hal-0.5.8.1-5.fc6 [application] autofs-5.0.1-0.rc2.36 [target]
Policy RPM: selinux-policy-2.4.6-7.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: neo.lokaal.net
Platform: Linux neo.lokaal.net 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:34:46 EST 2006 x86_64 x86_64
Alert Count: 192
Line Numbers:

Raw Audit Messages:
avc: denied { getattr } for comm="hald" dev=hda1 egid=68 euid=68 exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="auto.misc" path="/etc/auto.misc" pid=3033 scontext=system_u:system_r:hald_t:s0 sgid=68 subj=system_u:system_r:hald_t:s0 suid=68 tclass=file tcontext=system_u:object_r:automount_etc_t:s0 tty=(none) uid=68

This is now allowed in the upstream versions and since FC6 is no longer supported. Closing Next Release.
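
Added example, not part of the bug report or of any commenter's post: the setroubleshoot text offers the hald_disable_trans boolean, which removes SELinux confinement for hald entirely, and also mentions generating a local policy module. This Python sketch parses the raw audit message from the report and builds module source that grants only the denied access; the module name local_hald is a hypothetical choice.

```python
import re
import shlex
from collections import defaultdict

# Raw audit message copied from the setroubleshoot report on this page.
AVC = ('avc: denied { getattr } for comm="hald" dev=hda1 egid=68 euid=68 '
       'exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
       'name="auto.misc" path="/etc/auto.misc" pid=3033 '
       'scontext=system_u:system_r:hald_t:s0 sgid=68 '
       'subj=system_u:system_r:hald_t:s0 suid=68 tclass=file '
       'tcontext=system_u:object_r:automount_etc_t:s0 tty=(none) uid=68')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    # shlex strips the quotes around values such as comm="hald".
    kv = dict(t.split("=", 1) for t in shlex.split(m.group(2)) if "=" in t)
    # A context is user:role:type[:level]; a policy rule needs only the type.
    src = kv["scontext"].split(":")[2]
    tgt = kv["tcontext"].split(":")[2]
    return src, tgt, kv["tclass"], m.group(1).split()

def te_module(name, lines):
    """Build type-enforcement source allowing only the denied accesses."""
    rules = defaultdict(set)
    for line in lines:
        src, tgt, tclass, perms = parse_avc(line)
        rules[(src, tgt, tclass)].update(perms)  # merge repeated denials
    types = sorted({t for s, g, _ in rules for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    fmt = lambda p: sorted(p)[0] if len(p) == 1 else "{ %s }" % " ".join(sorted(p))
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += ["allow %s %s:%s %s;" % (s, g, c, fmt(p))
            for (s, g, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(te_module("local_hald", [AVC]))  # module name is hypothetical
```

On a live system audit2allow performs this conversion from the audit log, and the resulting source is compiled and loaded with checkmodule, semodule_package and semodule.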