Bug 1004075 - SELinux is preventing /usr/bin/htop from using the 'getsched' accesses on a process.
SELinux is preventing /usr/bin/htop from using the 'getsched' accesses on a p...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:61906e3e69233f8bc3c8db4663f...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-03 16:51 EDT by Garrett Holmstrom
Modified: 2013-10-02 21:18 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.11.1-105.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-02 21:18:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Garrett Holmstrom 2013-09-03 16:51:02 EDT
Description of problem:
htop seems to want getsched for pretty much every process context it can see when it runs.  It still runs fine without it, but should staff_t have permission to do that or should these accesses just be dontaudited?
SELinux is preventing /usr/bin/htop from using the 'getsched' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that htop should be allowed getsched access on processes labeled udev_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep htop /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Objects                 [ process ]
Source                        htop
Source Path                   /usr/bin/htop
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           htop-1.0.2-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-100.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.7-100.fc18.x86_64 #1 SMP Thu
                              Aug 15 22:21:29 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-21 18:24:49 PDT
Last Seen                     2013-08-21 18:24:49 PDT
Local ID                      82f9e743-f04e-47c5-b619-d6a627f81dcd

Raw Audit Messages
type=AVC msg=audit(1377134689.290:517): avc:  denied  { getsched } for  pid=7697 comm="htop" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1377134689.290:517): arch=x86_64 syscall=ioprio_get success=no exit=EACCES a0=1 a1=1ca a2=fffffffffffffff1 a3=1 items=0 ppid=7561 pid=7697 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 ses=1 tty=pts3 comm=htop exe=/usr/bin/htop subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: htop,staff_t,udev_t,process,getsched

audit2allow

#============= staff_t ==============
allow staff_t udev_t:process getsched;

audit2allow -R
require {
	type staff_t;
	type udev_t;
	class process getsched;
}

#============= staff_t ==============
allow staff_t udev_t:process getsched;


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-100.fc18.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-09-04 09:30:07 EDT
We allow it in Fedora 20.
Comment 2 Lukas Vrabec 2013-09-12 03:57:13 EDT
back ported
Comment 3 Fedora Update System 2013-09-24 12:04:43 EDT
selinux-policy-3.11.1-104.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-104.fc18
Comment 4 Fedora Update System 2013-09-26 02:09:21 EDT
Package selinux-policy-3.11.1-104.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-104.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17624/selinux-policy-3.11.1-104.fc18
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-09-26 09:23:38 EDT
selinux-policy-3.11.1-105.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-105.fc18
Comment 6 Fedora Update System 2013-10-02 21:18:20 EDT
selinux-policy-3.11.1-105.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.