Bug 518888

Summary: SELinux is preventing hald (hald_t) "getattr" access to device /dev/mtdblock0.
Product: [Fedora] Fedora Reporter: Michael S. <misc>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 11CC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.6.12-80.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-28 21:56:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael S. 2009-08-23 22:19:43 UTC 
Description of problem:

using a script that run this : 

    export loop=$(losetup -f) && \
    losetup $loop $1 && \
    modprobe block2mtd block2mtd=$loop,131072 && \
    sleep 2 && \
    modprobe jffs2 && \
    sleep 2 && \
    modprobe mtdblock && \
    sleep 2 && \
    mount -t jffs2 -o ro /dev/mtdblock0 $2 && \

to mount jffs2 file as a loopback device, i see this error in the logs :


SELinux is preventing hald (hald_t) "getattr" access to device /dev/mtdblock0.

Description détaillée:

SELinux has denied the hald (hald_t) "getattr" access to device /dev/mtdblock0.
/dev/mtdblock0 is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/mtdblock0'. If this device remains labeled device_t, then this is a bug
in SELinux policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR,
and find a type that would work for /dev/mtdblock0, you can use chcon -t
SIMILAR_TYPE '/dev/mtdblock0', If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/mtdblock0' If
the restorecon changes the context, this indicates that the application that
created the device, created it without using SELinux APIs. If you can figure out
which application created the device, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Autoriser l'accès:

Attempt restorecon -v '/dev/mtdblock0' or chcon -t SIMILAR_TYPE '/dev/mtdblock0'

Informations complémentaires:

Contexte source               system_u:system_r:hald_t:s0
Contexte cible                system_u:object_r:device_t:s0
Objets du contexte            /dev/mtdblock0 [ blk_file ]
source                        hald
Chemin de la source           2F7573722F7362696E2F68616C64202864656C6574656429
Port                          <Inconnu>
Hôte                         akroma.ephaone.org
Paquetages RPM source         
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.12-72.fc11
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 device
Nom de l'hôte                akroma.ephaone.org
Plateforme                    Linux akroma.ephaone.org
                              2.6.29.6-213.fc11.i686.PAE #1 SMP Tue Jul 7
                              20:59:29 EDT 2009 i686 i686
Compteur d'alertes            11
Première alerte              sam. 22 août 2009 17:59:35 CEST
Dernière alerte              sam. 22 août 2009 19:53:16 CEST
ID local                      2c12a637-b625-401f-8c15-28f5334356c0
Numéros des lignes           

Messages d'audit bruts        

node=akroma.ephaone.org type=AVC msg=audit(1250963596.144:29391): avc:  denied  { getattr } for  pid=1572 comm="hald" path="/dev/mtdblock0" dev=tmpfs ino=1044226 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=akroma.ephaone.org type=SYSCALL msg=audit(1250963596.144:29391): arch=40000003 syscall=195 success=no exit=-13 a0=bfe88b2c a1=bfe88aac a2=366ff4 a3=bfe88aac items=0 ppid=1 pid=1572 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe=2F7573722F7362696E2F68616C64202864656C6574656429 subj=system_u:system_r:hald_t:s0 key=(null)


As I assume that the device is created using the kernel, i guess that's a kernel bug ?
Comment 1 Daniel Walsh 2009-08-24 14:02:38 UTC 
SELinux does not know what a /dev/mtdblock0 is?

Do you ?  Do you know what device it is similar to?
Comment 2 Daniel Walsh 2009-08-24 14:08:31 UTC 
Seems to be similar to a /dev/flash*

So I think we should label

/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
Comment 3 Miroslav Grepl 2009-08-24 15:38:03 UTC 
Fixed in selinux-policy-3.6.12-80.fc11
Comment 4 Fedora Update System 2009-08-24 15:44:39 UTC 
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
Comment 5 Fedora Update System 2009-08-25 04:26:23 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
Comment 6 Fedora Update System 2009-08-28 21:56:21 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.