Bug 864723
Summary: | SELinux is preventing /usr/sbin/plymouthd from 'block_suspend' accesses on the capability2 . | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Neil <neilsbb> | ||||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | unspecified | Docs Contact: | |||||||
Priority: | unspecified | ||||||||
Version: | 18 | CC: | dominick.grift, dwalsh, eparis, mgrepl, sdsmall | ||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | x86_64 | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | abrt_hash:628b19b187f12f63f0cb4c47bcfa740810dd81478b3f438a271b46394f61491f | ||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2012-11-21 07:28:30 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Neil
2012-10-10 00:50:16 UTC
Created attachment 624388 [details]
File: type
Created attachment 624389 [details]
File: hashmarkername
We have more and more domains which want this access. The problem is that it is returning success=yes, so we don't really know if they need it or we can dontaudit it or if it is a bug in the kernel. epoll_ctl is triggering block_suspend, does this indicate that domains actually want to block_suspend? Or is it a bug? Or do we not care what domains can block_suspend? I think the relevant code is (from fs/eventpoll.c): /* Check if EPOLLWAKEUP is allowed */ if ((epds.events & EPOLLWAKEUP) && !capable(CAP_BLOCK_SUSPEND)) epds.events &= ~EPOLLWAKEUP; So lack of the capability is not an error but merely clears the EPOLLWAKEUP flag. So dontaudit is definitely an option, but requires examination of the caller to see if they truly want EPOLLWAKEUP semantics (prevent suspend while epoll events are ready). Personally I think this behavior is unfortunate; a syscall should not silently change its behavior based on a permission/capability check without any indication to userspace. Fixed in selinux-policy-3.11.1-37.fc18.noarch selinux-policy-3.11.1-43.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-43.fc18 selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18 Package selinux-policy-3.11.1-46.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18 then log in and leave karma (feedback). This appears not to be occuring in the latest Fedora-Beta-TC8 install. |