Description of problem:
I just started enlightenment 0.17 with a confined user. I guess a specific policy should be written for that module, if we want to let him change the frequency of the processor?

SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset from 'write' accesses on the file scaling_governor.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que freqset devrait être autorisé à accéder write sur scaling_governor file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep freqset /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                scaling_governor [ file ]
Source                        freqset
Source Path                   /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           enlightenment-0.17.5-2.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.8-300.fc20.x86_64 #1 SMP Wed Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-15 21:30:37 CET
Last Seen                     2013-11-15 21:30:37 CET
Local ID                      8b6eeb55-70e0-4669-9269-f9479d52decf

Raw Audit Messages
type=AVC msg=audit(1384547437.922:531): avc: denied { write } for pid=2190 comm="freqset" name="scaling_governor" dev="sysfs" ino=15839 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1384547437.922:531): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffcb5cddb0 a1=241 a2=1b6 a3=7fffcb5cdb60 items=0 ppid=2146 pid=2190 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 ses=1 tty=(none) comm=freqset exe=/usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: freqset,staff_t,sysfs_t,file,write

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-300.fc20.x86_64
type:           libreport
Is this a setuid root process?
Created attachment 825769
Untar this package and execute the sh script to install the policy. Then run some tests to gather AVCs.
Yes, it is setuid. I am pretty sure it shouldn't need that. I will make a test of the policy later, as I need to disconnect my session.
We have freqset 1.0.0 in F20 now.