Bug 462042
| Summary: | AVC denied for Podsleuth when inserting iPod | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Nielsen <gnomeuser> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 11 | CC: | jpeeler+redhat, poelstra |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-11-18 13:09:26 UTC | Type: | --- |
| Bug Blocks: | 438943 | ||
Fixed in selinux-policy-3.5.8-6.fc10

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

I'm having the exact same problem on F10, although the audit message is slightly different:
node=jbp.localdomain type=AVC msg=audit(1228577703.977:160): avc: denied { mount } for pid=8426 comm="mono" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
node=jbp.localdomain type=SYSCALL msg=audit(1228577703.977:160): arch=c000003e syscall=165 success=no exit=-13 a0=7fa8a0138e60 a1=7fa8a014c2d0 a2=7fa8a01479a0 a3=1 items=0 ppid=8423 pid=8426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)
Source RPM Packages mono-core-2.0.1-12.fc10
Target RPM Packages filesystem-2.4.19-1.fc10
Policy RPM selinux-policy-3.5.13-26.fc10
podsleuth-0.6.3-1.fc10.x86_64
Why is podsleuth trying to mount an nfs file system?

No idea, iPods should be vfat

Ok It looks like we label hfs file systems as nfs_t, which some ipods use, so I guess we need to allow this.

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-34.fc10

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Description of problem:

node=harris type=AVC msg=audit(1221201746.970:91): avc: denied { sys_rawio } for pid=20177 comm="mono" capability=17 scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:system_r:podsleuth_t:s0 tclass=capability
node=harris type=SYSCALL msg=audit(1221201746.970:91): arch=c000003e syscall=16 success=yes exit=0 a0=7 a1=2285 a2=7f8170382be0 a3=7f8170000090 items=0 ppid=20174 pid=20177 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.7-1.fc10.noarch
podsleuth-0.6.2-3.fc10.x86_64
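
Added example, not part of the bug report or of the selinux-policy project: a small Python parser that reduces the two AVC denials quoted in this report to the allow rules a local module would have to grant, as a way to review what is being permitted before loading a module built with audit2allow. The function names are hypothetical, and the parser reads only the denied permissions, scontext, tcontext and tclass fields.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report; the SYSCALL record is shortened.
SAMPLE_AUDIT_LOG = """\
node=harris type=AVC msg=audit(1221201746.970:91): avc: denied { sys_rawio } for pid=20177 comm="mono" capability=17 scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:system_r:podsleuth_t:s0 tclass=capability
node=jbp.localdomain type=AVC msg=audit(1228577703.977:160): avc: denied { mount } for pid=8426 comm="mono" name="/" dev=sdb2 ino=2 scontext=system_u:system_r:podsleuth_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem
node=jbp.localdomain type=SYSCALL msg=audit(1228577703.977:160): arch=c000003e syscall=165 success=no exit=-13 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:podsleuth_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types are skipped
            yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def allow_rules(log_text):
    """Merge denials into the allow rules a local module would have to grant."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same domain is written as "self"
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```
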