Bug 470734
Summary: | Bluetooth-related AVC denials on resume | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jakub Hrozek <jhrozek> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | tcallawa |
Hardware: | All | ||
OS: | Linux | ||
Doc Type: | Bug Fix | ||
Last Closed: | 2008-11-10 20:23:23 UTC | Type: | --- |
Bug Blocks: | 438943 |
Description
Jakub Hrozek
2008-11-09 19:42:03 UTC
AVC #2:
-------

Summary:

SELinux is preventing bluetoothd (bluetooth_t) "read write" to ./config (var_lib_t).

Detailed Description:

SELinux denied access requested by bluetoothd. It is not expected that this access is required by bluetoothd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./config,

restorecon -v './config'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:bluetooth_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                ./config [ file ]
Source                        bluetoothd
Source Path                   /usr/sbin/bluetoothd
Port                          <Unknown>
Host                          hendrix
Source RPM Packages           bluez-4.17-2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hendrix
Platform                      Linux hendrix 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686
Alert Count                   4
First Seen                    Sun 09 Nov 2008 08:08:22 PM CET
Last Seen                     Sun 09 Nov 2008 08:11:43 PM CET
Local ID                      a593dd2b-8c90-4602-82cd-595bcabc09bc
Line Numbers

Raw Audit Messages

node=hendrix type=AVC msg=audit(1226257903.136:34): avc: denied { read write } for pid=2261 comm="bluetoothd" name="config" dev=dm-3 ino=180766 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=hendrix type=SYSCALL msg=audit(1226257903.136:34): arch=40000003 syscall=5 success=no exit=-13 a0=bf8af6ac a1=2 a2=0 a3=bf8af6ac items=0 ppid=1 pid=2261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bluetoothd" exe="/usr/sbin/bluetoothd" subj=system_u:system_r:bluetooth_t:s0 key=(null)


Summary:

SELinux is preventing bluetoothd (bluetooth_t) "getattr" to /var/lib/bluetooth/00:1C:26:F7:94:EA/config (var_lib_t).

Detailed Description:

SELinux denied access requested by bluetoothd. It is not expected that this access is required by bluetoothd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/lib/bluetooth/00:1C:26:F7:94:EA/config,

restorecon -v '/var/lib/bluetooth/00:1C:26:F7:94:EA/config'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:bluetooth_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/bluetooth/00:1C:26:F7:94:EA/config [ file ]
Source                        bluetoothd
Source Path                   /usr/sbin/bluetoothd
Port                          <Unknown>
Host                          hendrix
Source RPM Packages           bluez-4.17-2.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-11.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     hendrix
Platform                      Linux hendrix 2.6.27.4-79.fc10.i686 #1 SMP Tue Nov 4 21:56:37 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun 09 Nov 2008 08:08:22 PM CET
Last Seen                     Sun 09 Nov 2008 08:11:43 PM CET
Local ID                      eb656609-a2ef-4899-a0aa-b91bae9caba4
Line Numbers

Raw Audit Messages

node=hendrix type=AVC msg=audit(1226257903.136:32): avc: denied { getattr } for pid=2261 comm="bluetoothd" path="/var/lib/bluetooth/00:1C:26:F7:94:EA/config" dev=dm-3 ino=180766 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=hendrix type=SYSCALL msg=audit(1226257903.136:32): arch=40000003 syscall=195 success=no exit=-13 a0=bf8af6ac a1=bf8ae564 a2=3e0ff4 a3=bf8af6ac items=0 ppid=1 pid=2261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bluetoothd" exe="/usr/sbin/bluetoothd" subj=system_u:system_r:bluetooth_t:s0 key=(null)

I should note that these happen only on resume from suspend-to-ram.

Fixed in selinux-policy-3.5.13-18.fc10

selinux-policy-3.5.13-18.fc10 tagged in f10-final, closing.
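
The raw audit records in this report can be triaged mechanically. The following is an added example, not part of the original bug report or of any Fedora tool: it pairs each AVC record with its SYSCALL record by audit event serial and collapses the denials per source type, target type and class. The function names and the two-entry i386 syscall table are assumptions made for this illustration, and the SYSCALL records are abridged from the report.

```python
import re
from collections import defaultdict

# Raw records copied from the report above; SYSCALL records are abridged.
SAMPLE = '''\
node=hendrix type=AVC msg=audit(1226257903.136:34): avc: denied { read write } for pid=2261 comm="bluetoothd" name="config" dev=dm-3 ino=180766 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
node=hendrix type=SYSCALL msg=audit(1226257903.136:34): arch=40000003 syscall=5 success=no exit=-13 pid=2261 comm="bluetoothd" exe="/usr/sbin/bluetoothd"
node=hendrix type=AVC msg=audit(1226257903.136:32): avc: denied { getattr } for pid=2261 comm="bluetoothd" path="/var/lib/bluetooth/00:1C:26:F7:94:EA/config" dev=dm-3 ino=180766 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
node=hendrix type=SYSCALL msg=audit(1226257903.136:32): arch=40000003 syscall=195 success=no exit=-13 pid=2261 comm="bluetoothd" exe="/usr/sbin/bluetoothd"
'''

EVENT = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
# Assumption: only the two i386 (arch=40000003) syscall numbers seen in this report.
I386_SYSCALLS = {"5": "open", "195": "stat64"}

def parse_events(text):
    """Group audit records by event serial so each AVC sits next to its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[serial][rtype] = fields
    return events

def summarise(events):
    """Collapse denials into (source type, target type, class) -> what was denied."""
    out = {}
    for serial in sorted(events, key=int):
        avc, sc = events[serial].get("AVC"), events[serial].get("SYSCALL", {})
        if not avc:
            continue
        key = (avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2], avc["tclass"])
        row = out.setdefault(key, {"perms": set(), "syscalls": set(), "objects": set(), "inodes": set()})
        row["perms"].update(avc["perms"])
        num = sc.get("syscall")
        if num:  # an AVC may arrive without its SYSCALL record
            row["syscalls"].add(I386_SYSCALLS.get(num, num))
        row["objects"].add(avc.get("path") or avc.get("name"))
        row["inodes"].add(avc["ino"])
    return out
```

Both denials resolve to inode 180766 on the same device, so the `name="config"` record and the full-path record describe one file carrying the `var_lib_t` label.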