| Summary: | SELinux is preventing /usr/sbin/pcscd from 'read' accesses on the file c189:128. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kamil Páral <kparal> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dwalsh, mgrepl, thomas.mey |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:70eef23010a6be6e5b10a3b8b5bddde606179098af2d10c20b54f8708df71e49 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-04-04 19:58:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I was in the middle of yum update on Fedora 15. Where is "c189:128" file located? Strangely enough, I can't find it. Maybe it was present only while updating? But I'm searching in offline-attached disk, I'll repeat when I boot it again. Could this also be related to /run directory getting mislabeled? # find / -name 'c189:128' /run/udev/data/c189:128 /var/run/udev/data/c189:128 Btw, why is there no file location in the report in the first case? That would speed up reports like this. Kernel needs additional cycles in order to get better reports. IE Performance is hindered. Kamil, I wanted to know what they are labelled. ls -lZ /run/udev/data/c189:128 $ ls -lZ /run/udev/data/c189:128 -rw-r--r--. root root system_u:object_r:tmpfs_t:s0 /run/udev/data/c189:128 Same here all/many(?) file beneath /run/udev/ seems to get mislabeled.
Here one more error:
Raw-Audit-Meldungen
type=AVC msg=audit(1301731779.135:39): avc: denied { read } for pid=885 comm="modem-manager" name="c5:0" dev=tmpfs ino=6129 scontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1301731779.135:39): arch=i386 syscall=open success=no exit=EACCES a0=bf9f1a4c a1=88000 a2=1b6 a3=0 items=1 ppid=1 pid=885 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=modem-manager exe=/usr/sbin/modem-manager subj=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1301731779.135:39): cwd=/
type=PATH msg=audit(1301731779.135:39): item=0 name=/run/udev/data/c5:0 inode=6129 dev=00:12 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:default_t:s0
Also these two seems to get mislabeled:
restorecon reset /run/nscd context system_u:object_r:var_run_t:s0->system_u:object_r:nscd_var_run_t:s0
restorecon reset /run/systemd/ask-password-block/4:1 context system_u:object_r:init_var_run_t:s0->system_u:object_r:systemd_device_t:s0
*** This bug has been marked as a duplicate of bug 682527 *** |
SELinux is preventing /usr/sbin/pcscd from 'read' accesses on the file c189:128. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow pcscd to have read access on the c189:128 file Then you need to change the label on c189:128 Do # semanage fcontext -a -t FILE_TYPE 'c189:128' where FILE_TYPE is one of the following: etc_runtime_t, openct_var_run_t, pcscd_var_run_t, abrt_var_run_t, sysctl_crypto_t, system_dbusd_var_lib_t, cert_t, pcscd_t, abrt_t, lib_t, device_t, locale_t, etc_t, afs_cache_t, abrt_helper_exec_t, proc_t, sysfs_t, usbfs_t, ld_so_t, textrel_shlib_t, fail2ban_var_lib_t, udev_tbl_t, rpm_script_tmp_t, pcscd_exec_t, dbusd_etc_t, user_cron_spool_t, ld_so_cache_t, net_conf_t, root_t. Then execute: restorecon -v 'c189:128' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that pcscd should be allowed read access on the c189:128 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pcscd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcscd_t:s0 Target Context system_u:object_r:default_t:s0 Target Objects c189:128 [ file ] Source pcscd Source Path /usr/sbin/pcscd Port <Unknown> Host (removed) Source RPM Packages pcsc-lite-1.7.1-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-6.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64 Alert Count 3 First Seen Thu 31 Mar 2011 12:32:47 PM CEST Last Seen Thu 31 Mar 2011 12:32:47 PM CEST Local ID db4ead7a-64c4-417d-960b-d53dfe0b4c7e Raw Audit Messages type=AVC msg=audit(1301567567.624:97): avc: denied { read } for pid=4762 comm="pcscd" name="c189:128" dev=tmpfs ino=63723 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file type=SYSCALL msg=audit(1301567567.624:97): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffddbd4450 a1=80000 a2=1b6 a3=0 items=0 ppid=4761 pid=4762 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=pcscd exe=/usr/sbin/pcscd subj=system_u:system_r:pcscd_t:s0 key=(null) Hash: pcscd,pcscd_t,default_t,file,read audit2allow #============= pcscd_t ============== allow pcscd_t default_t:file read; audit2allow -R #============= pcscd_t ============== allow pcscd_t default_t:file read;