Bug 1031193 - SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset from 'write' accesses on the file scaling_governor.
SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-11-15 16:08 EST by Michael Scherer
Modified: 2013-12-06 09:47 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-06 09:47:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Untar this package and execute the sh script to install the policy (1.64 KB, application/x-compressed-tar)
2013-11-18 12:55 EST, Daniel Walsh
no flags Details

  None (edit)
Description Michael Scherer 2013-11-15 16:08:14 EST
Description of problem:
I just started enlightenment 0.17 with a confined user. I guess a specific policy should be writen for that module, if we want to let him change the prequency of the processor ?
SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset from 'write' accesses on the file scaling_governor.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que freqset devrait être autorisé à accéder write sur scaling_governor file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
autoriser cet accès pour le moment en exécutant :
# grep freqset /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                scaling_governor [ file ]
Source                        freqset
Source Path                   /usr/lib64/enlightenment/modules/cpufreq/linux-
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           enlightenment-0.17.5-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.8-300.fc20.x86_64 #1 SMP Wed
                              Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-15 21:30:37 CET
Last Seen                     2013-11-15 21:30:37 CET
Local ID                      8b6eeb55-70e0-4669-9269-f9479d52decf

Raw Audit Messages
type=AVC msg=audit(1384547437.922:531): avc:  denied  { write } for  pid=2190 comm="freqset" name="scaling_governor" dev="sysfs" ino=15839 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1384547437.922:531): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffcb5cddb0 a1=241 a2=1b6 a3=7fffcb5cdb60 items=0 ppid=2146 pid=2190 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 ses=1 tty=(none) comm=freqset exe=/usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: freqset,staff_t,sysfs_t,file,write

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-300.fc20.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-11-18 11:33:58 EST
Is this a setuid root process?
Comment 2 Daniel Walsh 2013-11-18 12:55:28 EST
Created attachment 825769 [details]
Untar this package and execute the sh script to install the policy

THen run some tests to gather avc's
Comment 3 Michael Scherer 2013-11-19 02:01:21 EST
Yes, it is setuid. I am pretty sure it shouldn't need that. 

I will make a test of the policy later, as I need to disconnect my session.
Comment 4 Miroslav Grepl 2013-12-06 09:47:29 EST
We have 

freqset	1.0.0

in F20 now.

Note You need to log in before you can comment on or make changes to this bug.