Bug 821268

Summary: SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
Product: Fedora
Reporter: Dominic Cleal <dcleal>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: acc-bugz-redhat, antonio.montagnani, arifiauo, collura, dan, dominick.grift, dwalsh, helgesonkeith, jreznik, kevin, mariolinux, metherid, mgrepl, netwizurd, rdieter, renaud.gaglione, tpeplt, trenta
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:886155125b700de9c77231188640adea40a8c084aa5ac0c619873e8790dcdd81
Doc Type: Bug Fix
Last Closed: 2012-06-03 23:30:05 UTC
Bug Blocks: 810161    

Description Dominic Cleal 2012-05-13 17:54:13 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.4-5.fc17.x86_64
time:           Sun 13 May 2012 18:53:56 BST

description:
:SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow_polyinstantiation
:Then you must tell SELinux about this by enabling the 'allow_polyinstantiation' boolean.You can read 'xdm_selinux' man page for more details.
:Do
:setsebool -P allow_polyinstantiation 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that lspci should have the sys_admin capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep lspci /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        lspci
:Source Path                   /usr/sbin/lspci
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           pciutils-3.1.9-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7
:                              17:29:34 UTC 2012 x86_64 x86_64
:Alert Count                   27
:First Seen                    Sat 12 May 2012 21:58:09 BST
:Last Seen                     Sun 13 May 2012 18:51:58 BST
:Local ID                      2f3fd8ca-8bf7-4e4d-9885-94b266ca4e13
:
:Raw Audit Messages
:type=AVC msg=audit(1336931518.140:91): avc:  denied  { sys_admin } for  pid=1384 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1336931518.140:91): arch=x86_64 syscall=pread success=yes exit=ENONET a0=3 a1=246b3a0 a2=40 a3=0 items=0 ppid=1383 pid=1384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: lspci,xdm_t,xdm_t,capability,sys_admin
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Dominic Cleal 2012-05-13 17:56:50 UTC
It looks like the fix for bug #810161 causes this.  There's a workaround in /etc/profile.d/qt-graphicssystem.sh (provided by qt-settings-4.8-10.fc17.noarch) that runs lspci through grep, and this is being run by gdm I think, causing AVC denials on each boot.

Comment 2 Miroslav Grepl 2012-05-13 20:04:54 UTC
*** Bug 821211 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2012-05-13 20:08:42 UTC
Fixed in selinux-policy-3.10.0-125.fc17

Comment 4 Rex Dieter 2012-05-14 14:24:05 UTC
I wasn't able to reproduce this using kdm + -121, so maybe gdm-specific somehow

Comment 5 Rex Dieter 2012-05-14 14:25:00 UTC
Marking as blocker for bug #810161 so this can get considered for f18 GA too

Comment 6 Rex Dieter 2012-05-14 14:30:03 UTC
Miroslav, mind if I add selinux-policy-3.10.0-125.fc17 to
https://admin.fedoraproject.org/updates/FEDORA-2012-7713

or did you have other things you want fixed in the meantime?

Comment 7 Rex Dieter 2012-05-14 14:32:46 UTC
oh, nvm, I don't see any -125 builds in koji yet, so I can't test either

Comment 8 Fedora Update System 2012-05-17 09:04:13 UTC
selinux-policy-3.10.0-125.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17

Comment 9 Fedora Update System 2012-05-17 22:58:04 UTC
Package selinux-policy-3.10.0-125.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-125.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
then log in and leave karma (feedback).

Comment 10 tuxor 2012-05-21 10:09:03 UTC
The update doesn't fix this issue for me. Still the same SELinux alert after GDM login. And I get this error on yum install:

/usr/share/selinux/devel/include/services/jetty.if: Syntax error on line 197673 jetty_cache_t [type=IDENTIFIER]

Gonna leave karma as soon as I remember my password ;)

Comment 11 Dominic Cleal 2012-05-21 10:11:49 UTC
(In reply to comment #10)
> The update doesn't fix this issue for me. Still the same SELinux alert after
> GDM login.

Yes, I still receive this denial:

type=AVC msg=audit(1337367403.289:92): avc:  denied  { sys_admin } for  pid=1441 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1337367403.289:92): arch=c000003e syscall=17 success=yes exit=64 a0=3 a1=abc3a0 a2=40 a3=0 items=0 ppid=1440 pid=1441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lspci" exe="/usr/sbin/lspci" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

> And I get this error on yum install:
> 
> /usr/share/selinux/devel/include/services/jetty.if: Syntax error on line
> 197673 jetty_cache_t [type=IDENTIFIER]

Tracked in bug #822320.
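
The two AVC records quoted in this bug (the raw audit message in the description and the one in comment 11) are the lines a defender wants to parse and count before deciding whether a denial is a policy bug, as here, or something that needs attention. The following is an added example, not code from this bug, from setroubleshoot or from selinux-policy: it parses AVC records, decodes the numeric capability= field (21 is CAP_SYS_ADMIN), builds a signature with the same fields as the report's 'Hash:' line, and counts repeats. The capability table is a partial hand-copied subset, and the sample log is constructed from the records quoted above.

```python
import re
from collections import Counter
# Partial map of capability numbers (<linux/capability.h>); capability=21 is CAP_SYS_ADMIN.
CAP_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search", 7: "setuid",
             12: "net_admin", 17: "sys_rawio", 19: "sys_ptrace", 21: "sys_admin"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the records quoted in this bug (AVC, SYSCALL, AVC).
SAMPLE_LOG = [
    'type=AVC msg=audit(1336931518.140:91): avc:  denied  { sys_admin } for  pid=1384 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability',
    'type=SYSCALL msg=audit(1336931518.140:91): arch=x86_64 syscall=pread success=yes exit=ENONET a0=3 a1=246b3a0 a2=40 a3=0 items=0 ppid=1383 pid=1384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1337367403.289:92): avc:  denied  { sys_admin } for  pid=1441 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability',
]

def parse_avc(line):
    """Return the fields of an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def domain_of(context):  # user:role:type:range -> type, e.g. xdm_t
    return context.split(":")[2]

def signature(rec):
    """comm,source domain,target domain,class,permission: the same fields as the
    report's 'Hash:' line, so repeats of one denial collapse to a single key."""
    return ",".join([rec["comm"], domain_of(rec["scontext"]),
                     domain_of(rec["tcontext"]), rec["tclass"], rec["perms"][0]])

def capability_name(rec):
    """Decode the numeric capability= field of a tclass=capability denial."""
    if rec.get("tclass") != "capability" or "capability" not in rec:
        return None
    return CAP_NAMES.get(int(rec["capability"]), "cap_" + rec["capability"])

def is_self_capability_denial(rec):
    """True when a domain was refused a capability on itself (scontext == tcontext),
    as xdm_t was when it ran lspci here: a privileged operation its policy lacks."""
    return rec.get("tclass") == "capability" and rec.get("scontext") == rec.get("tcontext")

def summarize(lines):
    """Count AVC denials per signature, ignoring non-AVC records."""
    return Counter(signature(r) for r in map(parse_avc, lines) if r)
```

Running summarize() over a real /var/log/audit/audit.log gives the per-signature counts that setroubleshoot reports as "Alert Count", which is how you tell one repeating boot-time denial from many distinct ones.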

Comment 12 Daniel Walsh 2012-05-21 13:39:43 UTC
Fixed in selinux-policy-3.10.0-126.fc17

There was a typo in the policy.

Comment 13 MotherDawg 2012-05-26 21:40:05 UTC
Hi guys,

First: THANK YOU for all the work you're doing to fix things.

Second: I'm also getting this so I went ahead and tried:

# yum update --enablerepo=updates-testing selinux-policy-3.10.0-126.fc17

"No package selinux-policy-3.10.0-126.fc17 available."

I'll be patient, not to worry.

My question is: I jumped from F13 to F17Beta and SELinux errors like this used to trigger a "reporting bug" option out of the SELinux troubleshooter. It would find any already open bug report.

I now have to manually look for them... my fear is to open a new bug for nothing.


Again Thanks for all your work.

Comment 14 collura 2012-05-27 08:38:44 UTC
from comment #13

  > "No package selinux-policy-3.10.0-126.fc17 available."

still don't see it in the updates-testing repo, but
if you want to experiment, look for the download link at:

  http://koji.fedoraproject.org/koji/buildinfo?buildID=320274

happy testing :')

Comment 15 collura 2012-05-27 08:42:28 UTC
related bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=824172

Comment 16 Kevin Kofler 2012-05-27 10:01:38 UTC
*** Bug 824172 has been marked as a duplicate of this bug. ***

Comment 17 Fedora Update System 2012-05-28 01:20:40 UTC
selinux-policy-3.10.0-125.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Kevin Kofler 2012-05-28 01:26:49 UTC
selinux-policy-3.10.0-125.fc17 does not work as per comment #10, need at least selinux-policy-3.10.0-126.fc17!

Comment 19 tuxor 2012-05-30 21:53:29 UTC
I'm getting this unnerving selinux error on every single boot. Please don't feel offended, but why do we have to wait for selinux-policy-3.10.0-126.fc17 for so long?

Comment 20 MotherDawg 2012-05-31 01:21:55 UTC
Hi Tuxor

Well, some coders do have a life! They're sysadmins for a company during the day or, like me, during the night (no life :) and mainly for testing and quality assurance so that when you do get it, it works.

Usually, not like selinux-policy-3.10.0-125.fc17 which would have cured it 2 weeks ago.

Cya and...

*** How poor are they that have not patience! What wound did ever heal but by degrees? ~William Shakespeare, Othello, 1604

Comment 21 Fedora Update System 2012-05-31 06:24:56 UTC
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17

Comment 22 Miroslav Grepl 2012-05-31 06:55:48 UTC
Tuxor,
you can read more about how we do updates on

http://mgrepl.wordpress.com/2012/04/24/how-do-we-do-selinux-policy-updates/

Also we do new builds very often but as you can read in the blog, we are not able to do new updates with each build. So you can always check

http://koji.fedoraproject.org/koji/packageinfo?packageID=32

for new builds. Thanks for your testing.

Comment 23 Fedora Update System 2012-06-01 17:07:30 UTC
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).

Comment 24 Jonathan Abbey 2012-06-01 17:07:52 UTC
selinux-policy-3.10.0-128.fc17 fixes this issue for me, thanks.

Comment 25 Fedora Update System 2012-06-03 23:30:05 UTC
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.