Bug 164612 - avc: denied comm="hwclock"
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
4
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-07-29 05:58 EDT by Ralf Corsepius
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.25.3-12
Last Closed: 2005-08-19 04:31:24 EDT
Description Ralf Corsepius 2005-07-29 05:58:11 EDT
Description of problem:

During system bootup hwclock seems to be denied access to the system:

# dmesg | grep hwclock
audit(1122625864.373:2): avc:  denied  { create } for  pid=1441 comm="hwclock"
scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t
tclass=netlink_audit_socket
audit(1122625863.999:3): avc:  denied  { write } for  pid=1441 comm="hwclock"
scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t
tclass=netlink_audit_socket
audit(1122625863.999:4): avc:  denied  { nlmsg_relay } for  pid=1441
comm="hwclock" scontext=system_u:system_r:hwclock_t
tcontext=system_u:system_r:hwclock_t tclass=netlink_audit_socket
audit(1122625863.999:5): avc:  denied  { read } for  pid=1441 comm="hwclock"
scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t
tclass=netlink_audit_socket


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-6

How reproducible:
Deterministic on one particular machine

Additional info:
This is the same machine exposing 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163977
Comment 1 Daniel Walsh 2005-07-29 06:07:50 EDT
Fixed in selinux-policy-targeted-1.25.3-9
Comment 2 Charles C. Van Tilburg 2005-07-29 09:21:13 EDT
also...
audit(1122622171.549:3): avc:  denied  { getattr } for  pid=1611
comm="fsck.reiserfs" name="radio0" dev=tmpfs ino=5624
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:v4l_device_t
tclass=chr_file

Comment 3 Charles C. Van Tilburg 2005-07-29 10:49:07 EDT
Jul 29 06:40:07 axp kernel: audit(1122633576.122:3): avc:  denied  { getattr }
for  pid=1517 comm="fsck.reiserfs" name="audio1" dev=tmpfs ino=5228
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:sound_device_t
tclass=chr_file

not all of these seem to make it into the messages file... I've seen at least
one with name="dsp"... ?!

there is some other complaining at system shutdown which is also not logged.

1.25.3-9 is not coming over the net yet... at least from kernel.org
Comment 4 Charles C. Van Tilburg 2005-07-29 10:51:46 EDT
FWIW, this is all I find which I believe happens during shutdown:

Jul 29 10:38:33 axp auditd[2025]: The audit daemon is exiting
Jul 29 10:38:33 axp kernel: audit: *NO* daemon at audit_pid=2025
Jul 29 10:38:33 axp kernel: audit(1122647913.970:10225520): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfb349e0 a2=80510f8 a3=bfb38cd8 items=0
pid=10937 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 29 10:38:33 axp kernel: audit(1122647913.970:10225520):
saddr=100000000000000000000000
Jul 29 10:38:33 axp kernel: audit(1122647913.970:10225520): nargs=6 a0=3
a1=bfb36b3c a2=10 a3=0 a4=bfb38cd8 a5=c
Jul 29 10:38:34 axp kernel: audit(1122647914.071:10225533): SELinux: 
unrecognized netlink message type=1009 for sclass=49
Jul 29 10:38:34 axp kernel: audit(1122647914.071:10225533): arch=40000003
syscall=102 success=no exit=-22 a0=b a1=bfb349d0 a2=80510f8 a3=bfb38cc8 items=0
pid=10937 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 comm="auditctl" exe="/sbin/auditctl"
Jul 29 10:38:34 axp kernel: audit(1122647914.071:10225533):
saddr=100000000000000000000000
Jul 29 10:38:34 axp kernel: audit(1122647914.071:10225533): nargs=6 a0=3
a1=bfb36b2c a2=10 a3=0 a4=bfb38cc8 a5=c
Comment 5 Jonathan Claxton 2005-08-02 16:21:19 EDT
I have just noticed this bug and want to add more info...

I got the selinux policy update today and it still does not allow hwclock to work...

I did a few things to check why and here are the steps....

[root@jzc ~]# setenforce 0
[root@jzc ~]# hwclock --show
Tue 02 Aug 2005 01:04:10 PM MST  -0.069945 seconds
[root@jzc ~]# setenforce 1
[root@jzc ~]# hwclock --show

NOTE: My clock is set to local time. 

Selinux is blocking hwclock's access to the hardware clock.

Also, at boot time, this message pops out...

audit(1122972407.947:2): avc:  denied  { create } for  pid=1281 comm="hwclock"
scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t
tclass=netlink_audit_socket

Comment 6 Jonathan Claxton 2005-08-02 16:28:36 EDT
Just to clarify the output, it should be like below.....

[root@jzc ~]# setenforce 0
[root@jzc ~]# hwclock --show
Tue 02 Aug 2005 01:04:10 PM MST  -0.069945 seconds
[root@jzc ~]# setenforce 1
[root@jzc ~]# hwclock --show
[root@jzc ~]#

(forgot to add that last line)

Comment 7 Jonathan Claxton 2005-08-02 17:24:25 EDT
Just took another policy update and it still doesn't work...

[root@jzc ~]# setenforce 0
[root@jzc ~]# audit2allow -l -d -o $SELINUX_SRC/domains/misc/local.te
[root@jzc ~]# hwclock --show
Tue 02 Aug 2005 02:20:09 PM MST  -0.279594 seconds
[root@jzc ~]# setenforce 1
[root@jzc ~]# hwclock --show
[root@jzc ~]#
----------------------------------------
[root@jzc ~]# rpm -qi  selinux-policy-targeted
Name        : selinux-policy-targeted      Relocations: /usr
Version     : 1.25.3                            Vendor: Red Hat, Inc.
Release     : 9                             Build Date: Thu 28 Jul 2005 08:58:47 AM MST
Install Date: Tue 02 Aug 2005 02:18:49 PM MST      Build Host: porky.build.redhat.com
Comment 8 Daniel Walsh 2005-08-02 20:49:34 EDT
Fixed in selinux-policy-targeted-1.25.3-12
Comment 9 Jonathan Claxton 2005-08-11 15:39:36 EDT
Took another update of selinux-policy-targeted and now the hwclock command works. :)

[root@jzc ~]# hwclock --show
Thu 11 Aug 2005 12:37:02 PM MST  -0.677996 seconds
[root@jzc ~]# rpm -q  selinux-policy-targeted
selinux-policy-targeted-1.25.3-12
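
Added example (not part of the original report, and not audit2allow's own code): a small Python parser that re-joins the wrapped AVC lines posted in this bug and merges denials sharing a source type, target type and class into one candidate allow rule, in the style of audit2allow output. The function names are illustrative; the sample lines are copied from the description and from comments 3 and 4.

```python
import re
from collections import defaultdict

# Sample copied from this bug (wrapped as posted): two hwclock denials,
# one syslog-prefixed fsck.reiserfs denial, and one non-AVC audit record.
SAMPLE = """\
audit(1122625864.373:2): avc:  denied  { create } for  pid=1441 comm="hwclock"
scontext=system_u:system_r:hwclock_t tcontext=system_u:system_r:hwclock_t
tclass=netlink_audit_socket
audit(1122625863.999:4): avc:  denied  { nlmsg_relay } for  pid=1441
comm="hwclock" scontext=system_u:system_r:hwclock_t
tcontext=system_u:system_r:hwclock_t tclass=netlink_audit_socket
Jul 29 06:40:07 axp kernel: audit(1122633576.122:3): avc:  denied  { getattr }
for  pid=1517 comm="fsck.reiserfs" name="audio1" dev=tmpfs ino=5228
scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:sound_device_t
tclass=chr_file
Jul 29 10:38:34 axp kernel: audit(1122647914.071:10225533): SELinux:
unrecognized netlink message type=1009 for sclass=49
"""

START_RE = re.compile(r"audit\(\d+\.\d+:\d+\)")       # audit(timestamp:serial)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")   # permission list
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value pairs

def join_records(text):
    """Re-join wrapped lines; a record starts at each audit(ts:serial) stamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START_RE.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def candidate_rules(text):
    """Merge denials with the same source/target/class into one rule each."""
    perms = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(rec)}
        if not m or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue  # non-AVC audit record, or a truncated denial
        # Assumes user:role:type[:range] contexts; the type is field 3.
        stype, ttype = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        key = (stype, "self" if stype == ttype else ttype, f["tclass"])
        perms[key].update(m.group(1).split())
    return ["allow %s %s:%s { %s };" % (*k, " ".join(sorted(v)))
            for k, v in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```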

