Bug 1031193 - SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset from 'write' accesses on the file scaling_governor.
Summary: SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ce6e30fe9aa00dd324974d228d6...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-15 21:08 UTC by Michael S.
Modified: 2013-12-06 14:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-06 14:47:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Untar this package and execute the sh script to install the policy (1.64 KB, application/x-compressed-tar)
2013-11-18 17:55 UTC, Daniel Walsh 		no flags Details
View All

Description Michael S. 2013-11-15 21:08:14 UTC 
Description of problem:
I just started enlightenment 0.17 with a confined user. I guess a specific policy should be writen for that module, if we want to let him change the prequency of the processor ?
SELinux is preventing /usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset from 'write' accesses on the file scaling_governor.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que freqset devrait être autorisé à accéder write sur scaling_governor file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep freqset /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                scaling_governor [ file ]
Source                        freqset
Source Path                   /usr/lib64/enlightenment/modules/cpufreq/linux-
                              gnu-x86_64-0.17.5/freqset
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           enlightenment-0.17.5-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.8-300.fc20.x86_64 #1 SMP Wed
                              Nov 13 16:34:27 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-15 21:30:37 CET
Last Seen                     2013-11-15 21:30:37 CET
Local ID                      8b6eeb55-70e0-4669-9269-f9479d52decf

Raw Audit Messages
type=AVC msg=audit(1384547437.922:531): avc:  denied  { write } for  pid=2190 comm="freqset" name="scaling_governor" dev="sysfs" ino=15839 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file


type=SYSCALL msg=audit(1384547437.922:531): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffcb5cddb0 a1=241 a2=1b6 a3=7fffcb5cdb60 items=0 ppid=2146 pid=2190 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 ses=1 tty=(none) comm=freqset exe=/usr/lib64/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.17.5/freqset subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash: freqset,staff_t,sysfs_t,file,write

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-300.fc20.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-11-18 16:33:58 UTC 
Is this a setuid root process?
Comment 2 Daniel Walsh 2013-11-18 17:55:28 UTC 
Created attachment 825769 [details]
Untar this package and execute the sh script to install the policy

THen run some tests to gather avc's
Comment 3 Michael S. 2013-11-19 07:01:21 UTC 
Yes, it is setuid. I am pretty sure it shouldn't need that. 

I will make a test of the policy later, as I need to disconnect my session.
Comment 4 Miroslav Grepl 2013-12-06 14:47:29 UTC 
We have 

freqset	1.0.0

in F20 now.
Note You need to log in before you can comment on or make changes to this bug.