Bug 485195

Summary: many many many AVC denials ... DeviceKit SELinux policy missing
Product: Fedora
Component: DeviceKit
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: low
Reporter: Matěj Cepl <mcepl>
Assignee: David Zeuthen <davidz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: davidz, dwalsh, mcepl, mclasen
Keywords: SELinux
Doc Type: Bug Fix
Last Closed: 2009-02-12 14:27:55 UTC
Attachments:
  ausearch -m AVC |grep devkit (flags: none)

Description Matěj Cepl 2009-02-12 09:24:15 UTC
Description of problem:
DeviceKit generates a lot of AVC denials (see attached /var/log/audit/audit.* and output of ausearch -m AVC |grep devkit).

ausearch -m AVC |grep devkit|audit2allow generates quite a persuasive list:

[root@hubmaier ~]# ausearch -m AVC |grep devkit |audit2allow


#============= devicekit_power_t ==============
allow devicekit_power_t NetworkManager_t:dir search;
allow devicekit_power_t NetworkManager_t:file { read getattr open };
allow devicekit_power_t audisp_t:dir search;
allow devicekit_power_t audisp_t:file { read getattr open };
allow devicekit_power_t auditd_t:dir search;
allow devicekit_power_t auditd_t:file { read getattr open };
allow devicekit_power_t automount_t:dir search;
allow devicekit_power_t automount_t:file { read getattr open };
allow devicekit_power_t avahi_t:dir search;
allow devicekit_power_t avahi_t:file { read getattr open };
allow devicekit_power_t bitlbee_t:dir search;
allow devicekit_power_t bitlbee_t:file { read getattr open };
allow devicekit_power_t consolekit_t:dir search;
allow devicekit_power_t consolekit_t:file { read getattr open };
allow devicekit_power_t crond_t:dir search;
allow devicekit_power_t crond_t:file { read getattr open };
allow devicekit_power_t cupsd_t:dir search;
allow devicekit_power_t cupsd_t:file { read getattr open };
allow devicekit_power_t devicekit_t:dir search;
allow devicekit_power_t devicekit_t:file { read getattr open };
allow devicekit_power_t dovecot_auth_t:dir search;
allow devicekit_power_t dovecot_auth_t:file { read getattr open };
allow devicekit_power_t dovecot_t:dir search;
allow devicekit_power_t dovecot_t:file { read getattr open };
allow devicekit_power_t fsdaemon_t:dir search;
allow devicekit_power_t fsdaemon_t:file { read getattr open };
allow devicekit_power_t gpm_t:dir search;
allow devicekit_power_t gpm_t:file { read getattr open };
allow devicekit_power_t hald_acl_t:dir search;
allow devicekit_power_t hald_acl_t:file { read getattr open };
allow devicekit_power_t hald_t:dir search;
allow devicekit_power_t hald_t:file { read getattr open };
allow devicekit_power_t inetd_child_t:dir search;
allow devicekit_power_t inetd_child_t:file { read getattr open };
allow devicekit_power_t initrc_t:dir search;
allow devicekit_power_t initrc_t:file { read getattr open };
allow devicekit_power_t irqbalance_t:dir search;
allow devicekit_power_t irqbalance_t:file { read getattr open };
allow devicekit_power_t kernel_t:dir search;
allow devicekit_power_t kernel_t:file { read getattr open };
allow devicekit_power_t kerneloops_t:dir search;
allow devicekit_power_t kerneloops_t:file { read getattr open };
allow devicekit_power_t ntpd_t:dir search;
allow devicekit_power_t ntpd_t:file { read getattr open };
allow devicekit_power_t postfix_master_t:dir search;
allow devicekit_power_t postfix_master_t:file { read getattr open };
allow devicekit_power_t postfix_qmgr_t:dir search;
allow devicekit_power_t postfix_qmgr_t:file { read getattr open };
allow devicekit_power_t proc_t:file { write read getattr open };
allow devicekit_power_t rpm_t:dir search;
allow devicekit_power_t rpm_t:file { read getattr open };
allow devicekit_power_t setroubleshootd_t:dir search;
allow devicekit_power_t setroubleshootd_t:file { read getattr open };
allow devicekit_power_t soundd_t:dir search;
allow devicekit_power_t soundd_t:file { read getattr open };
allow devicekit_power_t squid_t:dir search;
allow devicekit_power_t squid_t:file { read getattr open };
allow devicekit_power_t sshd_t:dir search;
allow devicekit_power_t sshd_t:file { read getattr open };
allow devicekit_power_t syslogd_t:dir search;
allow devicekit_power_t syslogd_t:file { read getattr open };
allow devicekit_power_t system_dbusd_t:dir search;
allow devicekit_power_t system_dbusd_t:file { read getattr open };
allow devicekit_power_t unconfined_dbusd_t:dir search;
allow devicekit_power_t unconfined_dbusd_t:file { read getattr open };
allow devicekit_power_t virtd_t:dir search;
allow devicekit_power_t virtd_t:file { read getattr open };
allow devicekit_power_t xdm_dbusd_t:dir search;
allow devicekit_power_t xdm_dbusd_t:file { read getattr open };
allow devicekit_power_t xdm_t:dir search;
allow devicekit_power_t xdm_t:file { read getattr open };
allow devicekit_power_t xserver_t:dir search;
allow devicekit_power_t xserver_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t udev_tbl_t:file { read getattr open };
[root@hubmaier ~]#
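
The audit2allow listing above is produced by collapsing individual AVC records on (source type, target type, object class) and unioning the denied permissions. The Python script below is an added example, not part of this bug report and not DeviceKit's or audit2allow's own code: it performs the same collapse over constructed sample audit.log records (the lines, process names, inode numbers and event ids are made up, not taken from the attachment) and additionally reports which target types the source domain reached on procfs, using the dev=proc field of the record. Entries under /proc/<pid> carry the label of that process's domain, which is why the listing above names dozens of process domains such as sshd_t or crond_t as dir and file targets: a daemon that scans /proc trips one denial per confined domain it walks into. Permissions inside braces are sorted alphabetically here, whereas audit2allow prints them in policy order.

```python
"""Aggregate SELinux AVC denials from audit.log into audit2allow-style rules
and flag the /proc enumeration pattern.

Added example, not part of the bug report; SAMPLE_AUDIT_LOG is constructed.
"""
import re
from collections import defaultdict

# Constructed sample records in audit.log format. 'comm' is the kernel-truncated
# process name; dev=proc marks inodes on procfs. The last record is a SYSCALL
# record and must be ignored by the AVC parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234567890.101:501): avc:  denied  { search } for  pid=2001 comm="devkit-power-da" name="1412" dev=proc ino=30412 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir
type=AVC msg=audit(1234567890.102:502): avc:  denied  { read } for  pid=2001 comm="devkit-power-da" name="stat" dev=proc ino=30413 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1234567890.102:503): avc:  denied  { open } for  pid=2001 comm="devkit-power-da" name="stat" dev=proc ino=30413 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1234567890.103:504): avc:  denied  { getattr } for  pid=2001 comm="devkit-power-da" path="/proc/1412/stat" dev=proc ino=30413 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=AVC msg=audit(1234567890.104:505): avc:  denied  { search } for  pid=2001 comm="devkit-power-da" name="1533" dev=proc ino=31001 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=dir
type=AVC msg=audit(1234567890.105:506): avc:  denied  { read } for  pid=2001 comm="devkit-power-da" name="stat" dev=proc ino=31002 scontext=system_u:system_r:devicekit_power_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=file
type=AVC msg=audit(1234567890.106:507): avc:  denied  { read } for  pid=1990 comm="devkit-daemon" name="udev.tbl" dev=sda1 ino=77 scontext=system_u:system_r:devicekit_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=SYSCALL msg=audit(1234567890.106:507): arch=c000003e syscall=2 success=no exit=-13 a0=7fff
"""

# The denied permission set, e.g. "{ read write }".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# Source context, target context and object class of the denial.
CTX_RE = re.compile(r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
# Device field; older kernels write dev=proc, newer ones dev="proc".
DEV_RE = re.compile(r'\bdev="?(?P<dev>[^"\s]+)')


def context_type(context):
    """user:role:type[:level] -> type."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial record; other audit record types are skipped."""
    denials = []
    for line in text.splitlines():
        avc = AVC_RE.search(line)
        ctx = CTX_RE.search(line)
        if not avc or not ctx:
            continue
        dev = DEV_RE.search(line)
        denials.append({
            'perms': frozenset(avc.group('perms').split()),
            'stype': context_type(ctx.group('scontext')),
            'ttype': context_type(ctx.group('tcontext')),
            'tclass': ctx.group('tclass'),
            'dev': dev.group('dev') if dev else None,
        })
    return denials


def summarize_rules(denials, source_type=None):
    """Collapse denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does.
    If source_type is given, only denials from that domain are counted."""
    rules = defaultdict(set)
    for d in denials:
        if source_type and d['stype'] != source_type:
            continue
        rules[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return dict(rules)


def format_rules(rules):
    """Render the summary as allow rules (permissions sorted alphabetically)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'allow {stype} {ttype}:{tclass} {perm_text};')
    return lines


def procfs_targets(denials, source_type):
    """Target types the source domain was denied on procfs (dev=proc).
    /proc/<pid> entries are labelled with that process's domain, so many
    distinct domain types here means the source is enumerating /proc."""
    return sorted({d['ttype'] for d in denials
                   if d['stype'] == source_type and d['dev'] == 'proc'})


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print('\n'.join(format_rules(summarize_rules(found))))
    print('procfs targets of devicekit_power_t:',
          ', '.join(procfs_targets(found, 'devicekit_power_t')))
```

Run against a real log with `ausearch -m AVC --raw` piped into `parse_avc_denials`; the procfs list is the quick check for whether a long rule listing like the one above is one daemon's /proc walk (a single policy fix, as in this bug) rather than many unrelated accesses.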

Comment 2 Matěj Cepl 2009-02-12 09:26:13 UTC
Created attachment 331669
ausearch -m AVC |grep devkit

Comment 3 Daniel Walsh 2009-02-12 14:27:55 UTC
Fixed in selinux-policy-3.6.5-3.fc11