Bug 730859

Summary: SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: athmanem, dominick.grift, dwalsh, gallit, icj, kkshethin, masami256, mgrepl, mikhail.v.gavrilov, mnowak, sandro, satellitgo
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:2674a9f15c052a6ee8c0396e8f48b448963dcc37a446225968dd0204a0560824
Fixed In Version: selinux-policy-3.10.0-21.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-06 23:19:37 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 713568    

Description Adam Williamson 2011-08-15 21:06:10 EDT
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
time:           Mon Aug 15 21:05:02 2011

:SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
:*****  Plugin restorecon (94.8 confidence) suggests  *************************
:If you want to fix the label. 
:/LiveOS/ext3fs.img default label should be etc_runtime_t.
:Then you can run restorecon.
:# /sbin/restorecon -v /LiveOS/ext3fs.img
:*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
:If you want to allow udisks-daemon to have getattr access on the ext3fs.img file
:Then you need to change the label on /LiveOS/ext3fs.img
:# semanage fcontext -a -t FILE_TYPE '/LiveOS/ext3fs.img'
:where FILE_TYPE is one of the following: devicekit_tmp_t, proc_kmsg_t, mount_exec_t, shell_exec_t, system_dbusd_var_lib_t, krb5_conf_t, abrt_var_run_t, dbusd_etc_t, userdomain, fusermount_exec_t, fsadm_exec_t, mtrr_device_t, domain, sysctl_crypto_t, proc_mdstat_t, proc_net_t, policykit_reload_t, mdadm_exec_t, samba_var_t, etc_runtime_t, abrt_t, lib_t, anon_inodefs_t, net_conf_t, udev_var_run_t, file_type, exec_type, abrt_helper_exec_t, ld_so_t, devicekit_var_lib_t, devicekit_var_run_t, dbusd_etc_t, devicekit_disk_t, userdomain, lvm_exec_t, system_dbusd_var_lib_t, textrel_shlib_t, policykit_auth_exec_t, sysctl_fs_t, rpm_script_tmp_t, bin_t, usr_t, cert_t, device_t, locale_t, etc_t, proc_t, sosreport_tmp_t, sysfs_t, virt_image_type, rpm_tmp_t, ld_so_cache_t, etc_t, devicekit_disk_exec_t, udev_exec_t, sssd_public_t, system_cronjob_var_lib_t, policykit_var_lib_t, krb5_host_rcache_t. 
:Then execute: 
:restorecon -v '/LiveOS/ext3fs.img'
:*****  Plugin catchall (1.44 confidence) suggests  ***************************
:If you believe that udisks-daemon should be allowed getattr access on the ext3fs.img file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep udisks-daemon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:unlabeled_t:s0
:Target Objects                /LiveOS/ext3fs.img [ file ]
:Source                        udisks-daemon
:Source Path                   /usr/libexec/udisks-daemon
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           udisks-1.0.3-2.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1
:                              SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Mon 15 Aug 2011 09:01:52 PM EDT
:Last Seen                     Mon 15 Aug 2011 09:01:52 PM EDT
:Local ID                      18bac200-d676-48ff-a701-5e7116c0e98c
:Raw Audit Messages
:type=AVC msg=audit(1313456512.547:50): avc:  denied  { getattr } for  pid=1746 comm="udisks-daemon" path="/LiveOS/ext3fs.img" dev=loop2 ino=3 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
:type=SYSCALL msg=audit(1313456512.547:50): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=f a1=4c05 a2=7fff3b001930 a3=0 items=0 ppid=1 pid=1746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udisks-daemon exe=/usr/libexec/udisks-daemon subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
:Hash: udisks-daemon,devicekit_disk_t,unlabeled_t,file,getattr
:#============= devicekit_disk_t ==============
:allow devicekit_disk_t unlabeled_t:file getattr;
:audit2allow -R
:#============= devicekit_disk_t ==============
:allow devicekit_disk_t unlabeled_t:file getattr;
Comment 1 Adam Williamson 2011-08-15 21:07:56 EDT
This notification pops up reliably on booting an F16 Alpha RC4 live image. Proposing as a final blocker under criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login". CCing dwalsh, as I'm guessing his fixes to live image creation resp. SELinux may possibly be relevant here.

Fedora Bugzappers volunteer triage team
Comment 2 Daniel Walsh 2011-08-16 08:10:26 EDT
We have a fix for this in 

Comment 3 Robert Lightfoot 2011-08-19 03:14:27 EDT
Still getting with Fedora-16-Alpha-i686-live-Desktop.iso from rc5
Comment 4 Daniel Walsh 2011-08-20 06:55:22 EDT
What policy package do you have installed?

rpm -q selinux-policy
Comment 5 Adam Williamson 2011-08-20 11:30:21 EDT
RC5 has selinux-policy -15, as there were no blocker or NTH bugs fixed by 16 thru 18.

Fedora Bugzappers volunteer triage team
Comment 6 Daniel Walsh 2011-08-22 13:34:09 EDT
Fine this just means this bug will not be fixes in a live OS until we ship Beta?
Comment 7 Adam Williamson 2011-08-22 16:05:25 EDT
Yes. Well, nightlies will be fixed as soon as this goes stable and is included in a tree compose.
Comment 8 Fedora Update System 2011-08-24 07:38:51 EDT
selinux-policy-3.10.0-21.fc16 has been submitted as an update for Fedora 16.
Comment 9 Fedora Update System 2011-08-24 18:45:50 EDT
Package selinux-policy-3.10.0-21.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-21.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2011-09-06 23:19:00 EDT
selinux-policy-3.10.0-21.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.