Bug 1123423 - SELinux is preventing /usr/sbin/alsactl from 'read' accesses on the lnk_file /var/lock.
Summary: SELinux is preventing /usr/sbin/alsactl from 'read' accesses on the lnk_file ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:00ae93b89a84dad4907ab72d104...
: 1123469 1123647 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-25 15:19 UTC by Elad Alfassa
Modified: 2014-09-10 02:45 UTC (History)
20 users (show)

Fixed In Version: selinux-policy-3.13.1-78.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 02:45:42 UTC


Attachments (Terms of Use)

Description Elad Alfassa 2014-07-25 15:19:05 UTC
Description of problem:
SELinux is preventing /usr/sbin/alsactl from 'read' accesses on the lnk_file /var/lock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that alsactl should be allowed read access on the lock lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep alsactl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:alsa_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                /var/lock [ lnk_file ]
Source                        alsactl
Source Path                   /usr/sbin/alsactl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           alsa-utils-1.0.28-1.fc21.x86_64
Target RPM Packages           filesystem-3.2-26.fc21.x86_64
Policy RPM                    selinux-policy-3.13.1-66.fc21.noarch selinux-
                              policy-3.13.1-67.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-0.rc6.git0.1.fc22.1.x86_64
                              #1 SMP Mon Jul 21 18:18:25 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-25 17:18:32 CEST
Last Seen                     2014-07-25 17:18:32 CEST
Local ID                      eec88119-af2b-4672-bdf0-30bd0211cebc

Raw Audit Messages
type=AVC msg=audit(1406301512.576:162): avc:  denied  { read } for  pid=4796 comm="alsactl" name="lock" dev="sdb3" ino=140166 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=0


type=SYSCALL msg=audit(1406301512.576:162): arch=x86_64 syscall=open success=no exit=EACCES a0=7f162c82a7b3 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=4796 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=alsactl exe=/usr/sbin/alsactl subj=system_u:system_r:alsa_t:s0 key=(null)

Hash: alsactl,alsa_t,var_lock_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.13.1-66.fc21.noarch
selinux-policy-3.13.1-67.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc6.git0.1.fc22.1.x86_64
type:           libreport

Comment 1 sangu 2014-07-25 15:54:09 UTC
Description of problem:
While updating alsa packages in today development

Version-Release number of selected component:
selinux-policy-3.13.1-67.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc6.git0.1.fc21.1.x86_64
type:           libreport

Comment 2 Miroslav Grepl 2014-07-30 11:51:28 UTC
Does alsa create a lock file? Are you able to reproduce it with

# semanage permissive -a alsa_t

reproduce and

# ausearch -m avc -ts recent
# semanage permissive -d alsa_t

Comment 3 Giovanni Campagna 2014-07-30 14:39:03 UTC
Description of problem:
Happened during an upgrade

Version-Release number of selected component:
selinux-policy-3.13.1-67.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc5.git1.1.fc21.x86_64
type:           libreport

Comment 4 Robbie Harwood 2014-07-30 22:15:19 UTC
In permissive,

# ausearch -m avc -ts recent -c alsactl
----
time->Wed Jul 30 18:12:25 2014
type=PROCTITLE msg=audit(1406758345.153:484): proctitle=2F7573722F7362696E2F616C736163746C002D73002D6E003139002D63002D4500414C53415F434F4E4649475F504154483D2F6574632F616C73612F616C736163746C2E636F6E66002D2D696E697466696C653D2F6C69622F616C73612F696E69742F30306D61696E00726461656D6F6E
type=SYSCALL msg=audit(1406758345.153:484): arch=c000003e syscall=2 success=yes exit=11 a0=7fb0047c47b3 a1=2 a2=7fffdc09b6fb a3=0 items=0 ppid=1 pid=758 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="alsactl" exe="/usr/sbin/alsactl" subj=system_u:system_r:alsa_t:s0 key=(null)
type=AVC msg=audit(1406758345.153:484): avc:  denied  { open } for  pid=758 comm="alsactl" path="/run/lock/asound.state.lock" dev="tmpfs" ino=19719 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

Comment 5 Miroslav Grepl 2014-07-31 08:01:28 UTC
commit 651672a21efbb36daa2ce5284aa0c03325940d6f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Jul 31 09:58:27 2014 +0200

    Allow alsa to create lock file to see if it fixes #1123423.

Comment 6 birger 2014-07-31 08:37:48 UTC
Description of problem:
happens during login

Version-Release number of selected component:
selinux-policy-3.13.1-67.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc7.git1.1.fc21.x86_64
type:           libreport

Comment 7 Miroslav Grepl 2014-07-31 08:46:03 UTC
*** Bug 1123647 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2014-07-31 13:30:58 UTC
*** Bug 1123469 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2014-08-28 14:10:41 UTC
selinux-policy-3.13.1-77.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-77.fc21

Comment 10 Fedora Update System 2014-08-28 16:42:25 UTC
Package selinux-policy-3.13.1-77.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-77.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9873/selinux-policy-3.13.1-77.fc21
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-09-02 19:29:25 UTC
selinux-policy-3.13.1-78.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-78.fc21

Comment 12 Fedora Update System 2014-09-10 02:45:42 UTC
selinux-policy-3.13.1-78.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.