Bug 522836

Summary: setroubleshoot: SELinux is preventing /usr/bin/Xorg (deleted) "read" access to device /dev/vga_arbiter.
Product: [Fedora] Fedora Reporter: Ivan Tsvetanov <ivan.cvetanov>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:b958cc93fdf4a9de4509e8ef8c0f9c90eb439698c4b30869b6eb04cda6cb1240
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-11 18:25:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ivan Tsvetanov 2009-09-11 17:40:35 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing /usr/bin/Xorg (deleted) "read" access to device

Detailed Description:

[Xorg has a permissive type (xserver_t). This access was not denied.]

SELinux has denied Xorg "read" access to device /dev/vga_arbiter.
/dev/vga_arbiter is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/vga_arbiter'. If this device remains labeled device_t, then this is a
bug in SELinux policy. Please file a bg report. If you look at the other similar
devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for
/dev/vga_arbiter, you can use chcon -t SIMILAR_TYPE '/dev/vga_arbiter', If this
fixes the problem, you can make this permanent by executing semanage fcontext -a
-t SIMILAR_TYPE '/dev/vga_arbiter' If the restorecon changes the context, this
indicates that the application that created the device, created it without using
SELinux APIs. If you can figure out which application created the device, please
file a bug report against this application.

Allowing Access:

Attempt restorecon -v '/dev/vga_arbiter' or chcon -t SIMILAR_TYPE

Additional Information:

Source Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/vga_arbiter [ chr_file ]
Source                        Xorg
Source Path                   /usr/bin/Xorg (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-2.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31- #1 SMP Tue Aug
                              11 21:20:05 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Fri 11 Sep 2009 09:51:40 PM CEST
Last Seen                     Fri 11 Sep 2009 09:51:40 PM CEST
Local ID                      3cccb52e-db57-4305-8e70-1057c3293d18
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1252698700.708:130): avc:  denied  { read } for  pid=2127 comm="Xorg" path="/dev/vga_arbiter" dev=tmpfs ino=1069 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1252698700.708:130): arch=40000003 syscall=3 success=yes exit=64 a0=8 a1=bfd77b4c a2=40 a3=97fda00 items=0 ppid=2126 pid=2127 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty7 ses=4294967295 comm="Xorg" exe=2F7573722F62696E2F586F7267202864656C6574656429 subj=system_u:system_r:xserver_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= xserver_t ==============
allow xserver_t device_t:chr_file read;

Comment 1 Daniel Walsh 2009-09-11 18:25:51 UTC

*** This bug has been marked as a duplicate of bug 522835 ***