Bug 631064

Summary: SELinux is preventing /sbin/hdparm "read" to /var/run/pm-utils/locks/pm-suspend.lock.
Product: [Fedora] Fedora Reporter: Steve Tyler <stephent98>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.9.3-1.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-09-11 03:42:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
selinux-alert.1.log
none
selinux-alert.2.log
none
selinux-alert.3.log none

Description Steve Tyler 2010-09-07 16:26:37 UTC 
Created attachment 443775 [details]
selinux-alert.1.log

Description of problem:
In an F14 VM, I get three selinux alerts after attempting to suspend. Suspend fails and the desktop immediately returns.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.0-2.fc14
hdparm-9.27-1.fc13
kernel-2.6.35.4-12.fc14.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Install F14 to a VM, boot, update.
2. Relabel on reboot.
3. Login and attempt to suspend.

I'm using "qemu-kvm -hda f14-alpha.img -m 512m"
  
Actual results:
The suspend fails and the desktop immediately returns.
Three selinux alerts are reported.

Expected results:
No selinux alerts.

Additional info:
node=fir type=AVC msg=audit(1283875150.620:20): avc:  denied  { read } for  pid=1898 comm="hdparm" path="/var/run/pm-utils/locks/pm-suspend.lock" dev=dm-0 ino=260379 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file

node=fir type=SYSCALL msg=audit(1283875150.620:20): arch=c000003e syscall=59 success=yes exit=0 a0=2655d00 a1=2656150 a2=26579b0 a3=20 items=0 ppid=1897 pid=1898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hdparm" exe="/sbin/hdparm" subj=system_u:system_r:fsadm_t:s0 key=(null)
Comment 1 Steve Tyler 2010-09-07 16:32:29 UTC 
Created attachment 443865 [details]
selinux-alert.2.log

SELinux is preventing /bin/bash "getattr" access on /.
98video-quirk-d has a permissive type (devicekit_power_t). This access was not
denied.
Comment 2 Steve Tyler 2010-09-07 16:34:53 UTC 
Created attachment 443913 [details]
selinux-alert.3.log

Summary:

SELinux has prevented vbetool from performing an unsafe memory operation.

Detailed Description:

SELinux denied an operation requested by vbetool, a program used to alter video
hardware state. This program is known to use an unsafe operation on system
memory but so are a number of malware/exploit programs which masquerade as
vbetool. This tool is used to reset video state when a machine resumes from a
suspend. If your machine is not resuming properly your only choice is to allow
this operation and reduce your system security against such malware.
Comment 3 Steve Tyler 2010-09-07 16:38:46 UTC 
qemu is running on an F13 system:

[stephent@walnut ~]$ rpm -qa 'qemu*' | sort
qemu-common-0.12.5-1.fc13.x86_64
qemu-img-0.12.5-1.fc13.x86_64
qemu-kvm-0.12.5-1.fc13.x86_64
qemu-system-x86-0.12.5-1.fc13.x86_64
Comment 4 Daniel Walsh 2010-09-07 17:37:28 UTC 
Steven do not open three bugs all in the same report.  The first one is a problem reported against pm-utils. It is leaking a file descriptor.  The vbetool one is a bug in vbetool which should not need that access.  Also an existing bug on vbetool has been opened on this one.

The devicekit_power_t one is fixed in the latest policy.
Comment 5 Steve Tyler 2010-09-07 18:08:52 UTC 
(In reply to comment #4)
> Steven do not open three bugs all in the same report.  The first one is a
> problem reported against pm-utils. It is leaking a file descriptor.  The
> vbetool one is a bug in vbetool which should not need that access.  Also an
> existing bug on vbetool has been opened on this one.
> 
> The devicekit_power_t one is fixed in the latest policy.

OK, thanks. Since they all had the same proximate cause I collected them here. If you need me to spin off separate bugs next time, please just ask and suggest the components.
Comment 6 Daniel Walsh 2010-09-07 18:13:39 UTC 
No since they are all covered I will just close this bug as fixed in the next release.


Fixed in selinux-policy-3.9.3-1.fc14
Comment 7 Fedora Update System 2010-09-08 18:40:53 UTC 
selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
Comment 8 Steve Tyler 2010-09-08 22:49:46 UTC 
(In reply to comment #7)
> selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14.
> https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14

Thanks, Dan.
The devicekit_power_t alert does not occur after suspend fails in a VM.
Comment 9 Daniel Walsh 2010-09-09 01:31:48 UTC 
Please update karma.
Comment 10 Fedora Update System 2010-09-09 04:11:14 UTC 
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
Comment 11 Fedora Update System 2010-09-11 03:40:20 UTC 
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.