Bug 181489 - haldaemon fails to start when SELinux is enabled
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Duplicates: 181522 181542
Reported: 2006-02-14 11:51 EST by Jeff Needle
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-02-14 13:57:54 EST

Description Jeff Needle 2006-02-14 11:51:36 EST
# service haldaemon start
Starting HAL daemon:                                       [FAILED]

Feb 14 11:51:47 localhost kernel: audit(1139935907.611:110): avc:  denied  {
setgid } for  pid=3337 comm="hald" capability=6
scontext=user_u:system_r:hald_t:s0 tcontext=user_u:system_r:hald_t:s0

# setenforce 0

# service haldaemon start
Starting HAL daemon:                                       [  OK  ]

# audit2allow -l -i /var/log/messages

allow NetworkManager_t etc_t:file unlink;
allow NetworkManager_t kernel_t:fd use;
allow automount_t kernel_t:fd use;
allow avahi_t kernel_t:fd use;
allow consoletype_t ptmx_t:chr_file { read write };
allow cpuspeed_t kernel_t:fd use;
allow cupsd_config_t kernel_t:fd use;
allow cupsd_t kernel_t:fd use;
allow dhcpc_t etc_t:file write;
allow fsadm_t etc_t:file write;
allow fsadm_t kernel_t:fd use;
allow getty_t kernel_t:fd use;
allow gpm_t kernel_t:fd use;
allow hald_t self:capability setgid;
allow hald_t kernel_t:fd use;
allow hostname_t kernel_t:fd use;
allow hwclock_t kernel_t:fd use;
allow ifconfig_t ptmx_t:chr_file { read write };
allow irqbalance_t kernel_t:fd use;
allow klogd_t kernel_t:fd use;
allow mount_t etc_t:file write;
allow mount_t kernel_t:fd use;
allow netutils_t kernel_t:fd use;
allow pam_console_t ptmx_t:chr_file { read write };
allow portmap_t kernel_t:fd use;
allow readahead_t kernel_t:fd use;
allow restorecon_t ptmx_t:chr_file { read write };
allow rpcd_t kernel_t:fd use;
allow syslogd_t kernel_t:fd use;
allow system_dbusd_t kernel_t:fd use;
allow unconfined_t self:process execstack;
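
An added example, not part of the original report: it parses an AVC denial like the one quoted above and derives only the rule for the failing domain, so the `hald_t` change can be reviewed apart from the rest of the `audit2allow` list. The function names are hypothetical, and inferring the `capability` class when `tclass=` is absent (as in the quoted line) is an assumption.

```python
import re

# Constructed sample: the denial from the report, joined back onto one line.
SAMPLE = (
    'Feb 14 11:51:47 localhost kernel: audit(1139935907.611:110): avc:  denied  '
    '{ setgid } for  pid=3337 comm="hald" capability=6 '
    'scontext=user_u:system_r:hald_t:s0 tcontext=user_u:system_r:hald_t:s0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type(context):
    """Contexts are user:role:type[:level]; return the type or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    source = _type(fields.get('scontext', ''))
    target = _type(fields.get('tcontext', ''))
    # Assumption: when tclass= is missing (as in the line quoted in the report),
    # a capability= field implies the "capability" class.
    tclass = fields.get('tclass') or ('capability' if 'capability' in fields else None)
    if not (source and target and tclass):
        return None
    return {'source': source, 'target': target, 'tclass': tclass,
            'perms': m.group('perms').split(), 'comm': fields.get('comm')}

def to_rule(d):
    """Render a denial as a TE allow rule, using 'self' when source == target."""
    target = 'self' if d['source'] == d['target'] else d['target']
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {target}:{d['tclass']} {perms};"

def rules_for_domain(lines, domain):
    """Sorted, de-duplicated rules for denials whose source type is `domain`."""
    rules = set()
    for line in lines:
        d = parse_avc(line)
        if d and d['source'] == domain:
            rules.add(to_rule(d))
    return sorted(rules)

if __name__ == '__main__':
    print('\n'.join(rules_for_domain([SAMPLE], 'hald_t')))
```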
Comment 1 John (J5) Palmieri 2006-02-14 11:55:42 EST
This is due to the latest HAL dropping privileges and using a helper daemon to
execute scripts that need access to root.  David can you elaborate?
Comment 2 Daniel Walsh 2006-02-14 12:09:32 EST
Can't we give me a heads up before these things hit rawhide?  Please check your
code with selinux in enforcing mode before building into rawhide.

Fixed in selinux-policy-2.2.15-1

Comment 3 John (J5) Palmieri 2006-02-14 13:57:54 EST
Works for me
Comment 4 Jeff Needle 2006-02-14 15:40:35 EST
Yep, works for me too.  And you've gotta love that 18 minute turnaround.
Comment 5 John (J5) Palmieri 2006-02-14 17:20:48 EST
*** Bug 181542 has been marked as a duplicate of this bug. ***
Comment 6 John (J5) Palmieri 2006-02-14 17:21:43 EST
*** Bug 181522 has been marked as a duplicate of this bug. ***
