Bug 584457

Summary: SELinux is preventing gcm-apply "read" access on 001.
Product: Fedora
Reporter: Carl G. <carlg>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 13
CC: dwalsh, mgrepl, ricardo.arguello
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:190b06c1c467d718e0b9120216048e1489cd7989e00c7733c399bd69e10b4ad1
Doc Type: Bug Fix
Last Closed: 2010-06-13 03:46:51 UTC

Description Carl G. 2010-04-21 15:50:02 UTC
Summary:

SELinux is preventing gcm-apply "read" access on 001.

Detailed Description:

SELinux denied access requested by gcm-apply. It is not expected that this
access is required by gcm-apply and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access; see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                001 [ chr_file ]
Source                        gcm-apply
Source Path                   /usr/bin/gcm-apply
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.15-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux BubbleNet.BubbleWork 2.6.33.1-24.fc13.x86_64
                              #1 SMP Tue Mar 30 18:21:22 UTC 2010 x86_64 x86_64
Alert Count                   238
First Seen                    Wed 21 Apr 2010 11:01:21 AM EDT
Last Seen                     Wed 21 Apr 2010 11:22:14 AM EDT
Local ID                      dc7aee13-dfff-4221-9798-3c29ea2cce6f
Line Numbers                  

Raw Audit Messages            

node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  { read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

Hash String generated from  catchall,gcm-apply,staff_t,usb_device_t,chr_file,read
audit2allow suggests:

#============= staff_t ==============
allow staff_t usb_device_t:chr_file read;
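
The suggestion above is what audit2allow derives from the raw AVC record: the type component of scontext and tcontext, the tclass, and the denied permissions. The following is an added example (not part of the report or of the selinux-policy package) that performs the same derivation in Python; it also merges several denials for the same subject/object pair into one rule, which the single denial above does not show. The first sample record is the one from this report; the second is constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record from the report above, followed by a
# constructed second record for the same subject/object pair with other permissions.
SAMPLE_AUDIT = """\
node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  { read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=AVC msg=audit(1271863335.010:130): avc:  denied  { ioctl open } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
"""

# Permissions are inside "{ ... }"; the three context/class fields follow later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type (third colon-separated field) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into its policy-relevant parts, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def audit2allow_rules(audit_text):
    """Group denials by (source type, target type, class), merge their permissions,
    and render TE allow rules in the same form audit2allow prints them."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules
```

Before loading a rule like this as a local module, compare it against what the installed policy already grants, as comment 4 does with `sesearch -A -s staff_t -t usb_device_t`; a rule that is already present via a type attribute (here `staff_usertype`) points to a stale or mislabelled policy rather than a missing rule.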

Comment 1 Carl G. 2010-04-21 16:00:32 UTC
Display composition fails to start when it's enabled.

Comment 2 Daniel Walsh 2010-04-21 16:45:04 UTC
Fixed in selinux-policy-3.7.19-1.fc13.noarch

Comment 3 Carl G. 2010-04-22 04:17:18 UTC
rpm -q selinux-policy
selinux-policy-3.7.19-2.fc13.noarch

Still having this issue.

Comment 4 Daniel Walsh 2010-04-22 11:30:25 UTC
What does this output?

# sesearch -A -s staff_t -t usb_device_t 
Found 1 semantic av rules:
   allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock append open } ;

Comment 5 Carl G. 2010-04-22 17:03:06 UTC
(In reply to comment #4)
> What does this output
> 
> # sesearch -A -s staff_t -t usb_device_t 
> Found 1 semantic av rules:
>    allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock
> append open } ;    
^ this

[carl@BubbleWork ~]$ compiz --replace --debug
compiz (core) - Debug: Could not stat() file /home/carl/.compiz/plugins/libcore.so : No such file or directory
compiz (core) - Debug: Could not stat() file /usr/lib64/compiz/libcore.so : No such file or directory
compiz (core) - Fatal: GLX_EXT_texture_from_pixmap is missing
compiz (core) - Error: Failed to manage screen: 0
compiz (core) - Fatal: No manageable screens found on display :0.0

I don't know why it's not working then. Like I stated in the email I sent to you, seapplet doesn't report any AVCs and I can't see anything relevant in audit.log && messages.

I just noticed that I can't start compiz when setenforce is set to 1.

Comment 6 Carl G. 2010-04-22 17:04:28 UTC
Okay, nvm about the compiz --debug.