Bug 540197

Summary: SELinux is preventing udev-acl.ck (consolekit_t) "getattr" udev_tbl_t.
Product: [Fedora] Fedora Reporter: Hin-Tak Leung <htl10>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:7aafb5c27d301cf51b6c89553806e0c68f64317aea9e355d0bfdf16e50c5de01
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-23 15:45:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hin-Tak Leung 2009-11-22 17:50:02 UTC 
Summary:

SELinux is preventing udev-acl.ck (consolekit_t) "getattr" udev_tbl_t.

Detailed Description:

[udev-acl.ck has a permissive type (consolekit_t). This access was not denied.]

SELinux denied access requested by udev-acl.ck. It is not expected that this
access is required by udev-acl.ck and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:udev_tbl_t:SystemLow
Target Objects                /dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00
                              :14.2\x2fsound\x2fcard0\x2fcontrolC0 [ file ]
Source                        udev-acl.ck
Source Path                   /lib/udev/udev-acl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           udev-145-12.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-88.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Sun 22 Nov 2009 03:53:42 GMT
Last Seen                     Sun 22 Nov 2009 04:56:29 GMT
Local ID                      9a558bdd-9522-4bf3-9218-0c333768193a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258865789.311:321): avc:  denied  { getattr } for  pid=1678 comm="udev-acl.ck" path="/dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00:14.2\x2fsound\x2fcard0\x2fcontrolC0" dev=tmpfs ino=9278 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258865789.311:321): arch=c000003e syscall=6 success=yes exit=128 a0=7ffffe4ec9c0 a1=7ffffe4eb520 a2=7ffffe4eb520 a3=e items=0 ppid=1180 pid=1678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl.ck" exe="/lib/udev/udev-acl" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.12-88.fc11,catchall,udev-acl.ck,consolekit_t,udev_tbl_t,file,getattr
audit2allow suggests:

#============= consolekit_t ==============
allow consolekit_t udev_tbl_t:file getattr;
Comment 1 Hin-Tak Leung 2009-11-22 18:37:11 UTC 
This is possibly a consequence of doing yum upgrade though f11 to f12. touch /.autorelabel and reboot probably should be documented in the YumUpgradeFAQ.
Comment 2 Daniel Walsh 2009-11-23 15:45:08 UTC 

*** This bug has been marked as a duplicate of bug 540170 ***