Bug 1282104 - SELinux is preventing /usr/sbin/upsmon from 'open' accesses on the chr_file /dev/random.
Summary: SELinux is preventing /usr/sbin/upsmon from 'open' accesses on the chr_file /...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:905ae501a824de30823f4f5348e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-14 22:40 UTC by Rich Fellinger
Modified: 2016-05-10 17:57 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.13.1-128.24.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 17:57:21 UTC


Attachments (Terms of Use)

Description Rich Fellinger 2015-11-14 22:40:55 UTC
Description of problem:
The problem happens when upsmon is installed and started and selinux is enabled on the system
SELinux is preventing /usr/sbin/upsmon from 'open' accesses on the chr_file /dev/random.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow authlogin to nsswitch use ldap
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that upsmon should be allowed open access on the random chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nut_upsmon_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                /dev/random [ chr_file ]
Source                        upsmon
Source Path                   /usr/sbin/upsmon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nut-client-2.7.3-2.fc22.x86_64
                              nut-2.7.3-2.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.18.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-201.fc22.x86_64 #1 SMP Wed
                              Oct 28 20:00:23 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-14 16:39:32 CST
Last Seen                     2015-11-14 16:39:32 CST
Local ID                      1f70bccc-c3db-4da6-a57a-94bf8e4bcbd5

Raw Audit Messages
type=AVC msg=audit(1447540772.979:1495): avc:  denied  { open } for  pid=18587 comm="upsmon" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1447540772.979:1495): arch=x86_64 syscall=open success=no exit=EACCES a0=7f22258de179 a1=900 a2=489b a3=120 items=0 ppid=18586 pid=18587 auid=4294967295 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=4294967295 comm=upsmon exe=/usr/sbin/upsmon subj=system_u:system_r:nut_upsmon_t:s0 key=(null)

Hash: upsmon,nut_upsmon_t,random_device_t,chr_file,open

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-201.fc22.x86_64
type:           libreport

Comment 2 Fedora Update System 2016-01-18 13:20:15 UTC
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 3 Fedora Update System 2016-01-20 03:53:33 UTC
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 4 Fedora Update System 2016-02-15 17:47:10 UTC
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 5 Fedora Update System 2016-02-17 06:26:20 UTC
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 6 Fedora Update System 2016-02-18 12:28:08 UTC
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 7 Fedora Update System 2016-02-21 18:29:15 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 8 Fedora Update System 2016-05-10 17:56:01 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.