Bug 252037

Summary: SELinux denials with hald leading to failure of network interfaces
Product: [Fedora] Fedora
Reporter: Adam Huffman <bloch>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: high
Priority: low
Version: rawhide
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2007-08-14 10:43:56 UTC

Description Adam Huffman 2007-08-13 20:40:27 UTC
Description of problem:
This evening I updated my laptop from F8 test1 to the latest rawhide packages. 
Upon rebooting neither of the network interfaces would come up.  Further
investigation revealed that there were SELinux denials with haldaemon - when I
changed to permissive mode, I could start haldaemon and the wireless interface
worked:
Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for reload, restorecon -v reload If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:hald_t
Target Context                system_u:object_r:var_lib_t
Target Objects                reload [ file ]
Affected RPM Packages         hal-0.5.10-0.git20070731.fc8.1 [application]
Policy RPM                    selinux-policy-3.0.5-5.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     vaio
Platform                      Linux vaio 2.6.23-0.101.rc2.git5.fc8 #1 SMP Sun
                              Aug 12 20:38:58 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Aug 13 21:23:52 2007
Last Seen                     Mon Aug 13 21:23:52 2007
Local ID                      c891cee8-9736-4e0e-8755-f50896b3efb8
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="hald" dev=dm-5 egid=0 euid=0 exe="/usr/sbin/hald"
exit=1 fsgid=0 fsuid=0 gid=0 items=0 name="reload" pid=3243
scontext=root:system_r:hald_t:s0 sgid=0 subj=root:system_r:hald_t:s0 suid=0
tclass=file tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0




Comment 1 Daniel Walsh 2007-08-14 10:43:56 UTC
restorecon -R -v /var/lib

This is a labeling problem.  I am not sure why the upgrade did not fix the label.
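
A triage sketch for the diagnosis in Comment 1, added here as an example and not part of the original bug report or of setroubleshoot: it parses the raw audit message from the description and flags denials whose target carries a generic type such as var_lib_t, which points at a labeling problem to fix with restorecon rather than a policy change. The GENERIC_TYPES list and the function names are assumptions made for illustration.

```python
import re

# Raw audit message from the report above, with its line breaks joined.
SAMPLE_AVC = (
    'avc: denied { read } for comm="hald" dev=dm-5 egid=0 euid=0 '
    'exe="/usr/sbin/hald" exit=1 fsgid=0 fsuid=0 gid=0 items=0 name="reload" '
    'pid=3243 scontext=root:system_r:hald_t:s0 sgid=0 '
    'subj=root:system_r:hald_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0'
)

# Assumption (heuristic, not from the page): target types that usually mean the
# object never received its specific label and kept a generic or default one.
GENERIC_TYPES = {"var_lib_t", "var_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return the fields of one 'avc: denied' record as a dict, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs; a value is either "quoted" or a bare token
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted or bare
    for ctx in ("scontext", "tcontext"):
        # Context layout is user:role:type[:level]; the type is the third field.
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(rec):
    """Classify a parsed denial: 'labeling' (try restorecon) or 'policy'."""
    if rec["tcontext_type"] in GENERIC_TYPES:
        return "labeling"
    return "policy"


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["comm"], record["perms"], record["tcontext_type"], triage(record))
```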