Bug 495340
| Field | Value |
|---|---|
| Summary | probably (mostly) DeviceKit-related SELinux issues (staff_u and non-staff_u) |
| Product | Fedora |
| Component | selinux-policy |
| Version | rawhide |
| Hardware / OS | All / Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | low |
| Reporter | Matěj Cepl <mcepl> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | davidz, dcbw, dwalsh, jkubin, mcepl, mgrepl, rhughes |
| Keywords | SELinux |
| Target Milestone | --- |
| Target Release | --- |
| Doc Type | Bug Fix |
| Last Closed | 2009-04-13 14:07:46 UTC |
| Attachments | 339218: /var/log/audit/audit.log |
Created attachment 339218 [details]
/var/log/audit/audit.log

Description of problem:
I was getting a long list of AVC denials related to devkit-disks. After some investigation I came up with this:

```
[root@viklef SELinux]# grep -i 'device\|devkit' </var/log/audit/audit.log|grep denied|wc -l
131
[root@viklef SELinux]# grep -i 'device\|devkit' </var/log/audit/audit.log|grep denied|audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t device_t:file read;

#============= devicekit_disk_t ==============
allow devicekit_disk_t self:capability sys_rawio;
allow devicekit_disk_t udev_tbl_t:file { read getattr open };

#============= devicekit_power_t ==============
allow devicekit_power_t boot_t:dir { search getattr };
allow devicekit_power_t boot_t:file { read getattr open };
allow devicekit_power_t proc_net_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t staff_t:dbus send_msg;

#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;

#============= staff_t ==============
allow staff_t devicekit_disk_t:dbus send_msg;
allow staff_t devicekit_t:dbus send_msg;
[root@viklef SELinux]#
```

I am not sure how to untangle it into separate bugs, so I am filing it here (the whole /var/log/audit/audit.log is attached as well).

Version-Release number of selected component (if applicable):

```
NetworkManager-glib-0.7.0.100-2.git20090408.fc11.x86_64
dbus-glib-0.80-2.fc11.i586
NetworkManager-0.7.0.100-2.git20090408.fc11.x86_64
DeviceKit-power-008-0.1.20090401git.fc11.x86_64
dbus-x11-1.2.12-1.fc11.x86_64
selinux-policy-3.6.12-2.fc11.noarch
dbus-libs-1.2.12-1.fc11.i586
DeviceKit-003-1.x86_64
NetworkManager-vpnc-0.7.0.99-1.fc11.x86_64
dbus-1.2.12-1.fc11.x86_64
dbus-debuginfo-1.2.12-1.fc11.x86_64
dbus-glib-debuginfo-0.80-2.fc11.x86_64
dbus-libs-1.2.12-1.fc11.x86_64
NetworkManager-gnome-0.7.0.100-2.git20090408.fc11.x86_64
selinux-policy-targeted-3.6.12-2.fc11.noarch
dbus-glib-0.80-2.fc11.x86_64
DeviceKit-disks-004-0.6.20090408git.fc11.x86_64
dbus-python-0.83.0-5.fc11.x86_64
```

---

You seem to have a file named null that setroubleshoot and NetworkManager want to write to? Other than that I will add policy for the other avcs.

```
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.6.12-3.fc11.noarch
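The two comments above show the standard workflow (run the AVC records through `audit2allow`, build a module with `-M`, load it with `semodule -i`) and also its main pitfall: the `device_t:file` denials for NetworkManager and setroubleshootd are not a policy gap but a regular file named `null` sitting in `/dev`, and `audit2allow -M` would happily bake an allow rule for it into the local module. The script below is an added example, not code from this bug report and not audit2allow's own implementation. It parses raw `AVC` and `USER_AVC` records, merges them into `allow` rules the way audit2allow's output above is grouped (same `(source, target, class)` key, `self` when source and target match), and then flags rules whose target is a *regular file* labelled `device_t`, which on a normal system means a stray file in `/dev` that should be relabelled or removed rather than allowed. The sample records are constructed to mirror the denials in this bug (made-up pids, inodes and timestamps; they are not lines from the attached audit.log), and the `device_t`-on-a-file heuristic is this example's assumption, not something the bug states.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denials in this bug.
# They are NOT lines from the attached audit.log; pids, inodes and timestamps are invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1239200000.101:200): avc:  denied  { read } for  pid=2104 comm="NetworkManager" name="null" dev=tmpfs ino=5130 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1239200000.102:201): avc:  denied  { write } for  pid=2290 comm="setroubleshootd" name="null" dev=tmpfs ino=5130 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1239200000.103:202): avc:  denied  { sys_rawio } for  pid=2411 comm="devkit-disks-da" capability=17 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=capability
type=AVC msg=audit(1239200000.104:203): avc:  denied  { read } for  pid=2411 comm="devkit-disks-da" name="b8:1" dev=tmpfs ino=7002 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=AVC msg=audit(1239200000.104:204): avc:  denied  { getattr open } for  pid=2411 comm="devkit-disks-da" path="/dev/.udev/db/b8:1" dev=tmpfs ino=7002 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=USER_AVC msg=audit(1239200000.105:205): user pid=2500 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DeviceKit.Disks member=EnumerateDevices spid=2600 tpid=2411 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1239200000.101:200): arch=c000003e syscall=2 success=no exit=-13 pid=2104 comm="NetworkManager" exe="/usr/sbin/NetworkManager"
"""

# Matches the denial inside both plain AVC records and the msg='...' payload of USER_AVC
# records emitted by dbus-daemon; the SYSCALL companion record has no "avc: denied" and is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)


def type_of(context):
    """'system_u:system_r:NetworkManager_t:s0' -> 'NetworkManager_t' (the type is field 3)."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denial record."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scon"]), type_of(m["tcon"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return denials


def build_allow_rules(denials):
    """Merge denials into rules keyed (source, target, class), as audit2allow's output is grouped.
    A denial whose target type equals its source type is written against 'self'."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, "self" if tgt == src else tgt, cls)] |= perms
    return dict(rules)


def format_rule(src, tgt, cls, perms):
    """Render one rule in .te syntax: single perm bare, several perms in braces (sorted)."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {perm_str};"


def render_te(rules):
    """Emit the rules grouped under per-source banners like the audit2allow output in this bug."""
    lines = []
    for src in sorted({key[0] for key in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == src:
                lines.append(format_rule(s, t, c, perms))
    return "\n".join(lines)


def suspicious_rules(rules):
    """Rules that point at a mislabelled object rather than missing policy.
    Heuristic (this example's assumption): device_t is the generic label of /dev content, so a
    denial on tclass=file (a regular file, not chr_file/blk_file) labelled device_t means a stray
    regular file in /dev, such as a file literally named 'null'; allowing it would hide the real fault."""
    return [(s, t, c, frozenset(p)) for (s, t, c), p in sorted(rules.items())
            if t == "device_t" and c == "file"]


if __name__ == "__main__":
    import sys
    # Pipe real records in (e.g. `grep avc /var/log/audit/audit.log | python3 avc_rules.py`)
    # or run with no input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    rules = build_allow_rules(parse_denials(text))
    print(render_te(rules))
    for src, tgt, cls, perms in suspicious_rules(rules):
        print(f"# REVIEW before loading: {format_rule(src, tgt, cls, perms)} "
              f"(regular file labelled {tgt}: relabel or remove the file instead)")
```

Review the flagged rules and fix the filesystem object first (for a stray `/dev/null` regular file, remove it and recreate the device node, then `restorecon -v /dev/null`); only the remaining rules belong in a module built with `audit2allow -M`.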