Bug 1123111 - SELinux is preventing /usr/sbin/sensord from using the 'signal' accesses on a process.
Summary: SELinux is preventing /usr/sbin/sensord from using the 'signal' accesses on a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:292ceff921831160b431a3352c4...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-24 22:18 UTC by Joe Zeff
Modified: 2014-12-19 18:29 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.12.1-74.30.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-19 18:29:35 UTC


Attachments (Terms of Use)

Description Joe Zeff 2014-07-24 22:18:17 UTC
Description of problem:
I am attempting to get sensord.service running properly.
SELinux is preventing /usr/sbin/sensord from using the 'signal' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that sensord should be allowed signal access on processes labeled sensord_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sensord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sensord_t:s0
Target Context                system_u:system_r:sensord_t:s0
Target Objects                 [ process ]
Source                        sensord
Source Path                   /usr/sbin/sensord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           lm_sensors-sensord-3.3.3-3.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.26.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.8-100.fc19.i686.PAE #1 SMP
                              Mon Jun 16 22:06:57 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-07-24 15:04:50 PDT
Last Seen                     2014-07-24 15:04:50 PDT
Local ID                      96a907a6-c922-469f-b376-c29de2474053

Raw Audit Messages
type=AVC msg=audit(1406239490.804:2399): avc:  denied  { signal } for  pid=22840 comm="sensord" scontext=system_u:system_r:sensord_t:s0 tcontext=system_u:system_r:sensord_t:s0 tclass=process


type=SYSCALL msg=audit(1406239490.804:2399): arch=i386 syscall=tgkill success=no exit=EACCES a0=5938 a1=5938 a2=22 a3=2 items=0 ppid=1 pid=22840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sensord exe=/usr/sbin/sensord subj=system_u:system_r:sensord_t:s0 key=(null)

Hash: sensord,sensord_t,sensord_t,process,signal

I have created the policy because it seems reasonable that sensord should have this kind of access.

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.8-100.fc19.i686.PAE
type:           libreport

Comment 1 Lukas Vrabec 2014-07-25 09:20:14 UTC
Hi Joe, 

Do you know when this happen? What exactly you did?

Comment 2 Miroslav Grepl 2014-07-25 09:42:44 UTC
I don't see a reason to block it.


commit ac7c746e59b5852dccaf30741f869b4eb295a36f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Jul 25 11:40:13 2014 +0200

    Allow sensord to send a signal.

https://github.com/selinux-policy/selinux-policy/commit/ac7c746e59b5852dccaf30741f869b4eb295a36f


Lukas,
could you back port it.

Comment 3 Joe Zeff 2014-07-25 10:20:54 UTC
I've had a few spontaneous reboots, and I'm hoping that if they're hardware related they'll leave a trail in /var/log/messages, so I installed lm_sensors and sensord.  I got this SELinux alert, then another one that I've also reported.  Frankly, I'm astonished that it wasn't reported sooner.

Comment 4 Lukas Vrabec 2014-07-25 11:27:48 UTC
[f19-contrib f1f597d] Allow sensord to send a signal.
 Author: Miroslav Grepl <mgrepl@redhat.com>
 1 file changed, 2 insertions(+)

https://github.com/selinux-policy/selinux-policy/commit/f1f597d42e113b2920523604a9b32209af0ad3c3

Back ported.

Comment 5 Fedora Update System 2014-08-13 12:02:42 UTC
selinux-policy-3.12.1-74.29.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.29.fc19

Comment 6 Fedora Update System 2014-08-16 00:27:10 UTC
Package selinux-policy-3.12.1-74.29.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.29.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9432/selinux-policy-3.12.1-74.29.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-12-03 12:53:31 UTC
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19

Comment 8 Fedora Update System 2014-12-19 18:29:35 UTC
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.