Bug 220115 - Selinux denials with hald
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: hal
Version: 6
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: David Zeuthen
Reported: 2006-12-18 17:43 EST by Adam Huffman
Modified: 2013-03-05 22:48 EST
Doc Type: Bug Fix
Last Closed: 2007-12-21 10:06:56 EST
Attachments:
setroubleshoot error report (2.46 KB, application/octet-stream), 2006-12-18 17:43 EST, Adam Huffman

Description Adam Huffman 2006-12-18 17:43:36 EST
Description of problem:
I am seeing repeated selinux denials of hald related to autofs.

Version-Release number of selected component (if applicable):
0.5.8.1-5.fc6

Comment 1 Adam Huffman 2006-12-18 17:43:36 EST
Created attachment 143960: setroubleshoot error report
Comment 2 David Zeuthen 2006-12-18 18:24:16 EST
What actions did you perform to trigger this behaviour? Thanks.
Comment 3 Adam Huffman 2006-12-18 18:43:37 EST
Well, I didn't really do anything, but I think it's caused by an NFS automount
that was already mounted.  In other words, the denial warning didn't appear
directly in response to my action.

If it makes any difference, I had resumed from standby (it's a laptop) and had
to restart NetworkManager in order to pick up the wireless network again.  I
didn't do anything directly related to the automounted NFS directory, though.
Comment 4 Adam Huffman 2006-12-18 20:45:41 EST
Just noticed that it does seem to be triggered when gnome-vfs is invoked by (for
instance) an open file dialog window in Firefox.
Comment 5 Sergio Pascual 2006-12-20 05:41:34 EST
I have a music dir in an nfs share mounted by autofs. When I open the file
browser of the music application in order to load a new music list, this selinux
denial is triggered.
Comment 6 Jeroen Beerstra 2006-12-29 21:03:00 EST
I get this, usually on boot:

Summary

SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to /etc/auto.misc
(automount_etc_t).

Detailed Description

SELinux denied access requested by /usr/sbin/hald. It is not expected that this
access is required by /usr/sbin/hald and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access. Please file a bug report
against this package.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /etc/auto.misc, restorecon -v /etc/auto.misc.
There is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ - or you can
disable SELinux protection entirely for the application. Disabling SELinux
protection is not recommended. Please file a bug report against this package.
Changing the "hald_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P hald_disable_trans=1."

The following command will allow this access:

setsebool -P hald_disable_trans=1

Additional Information

Source Context:  system_u:system_r:hald_t
Target Context:  system_u:object_r:automount_etc_t
Target Objects:  /etc/auto.misc [ file ]
Affected RPM Packages:  hal-0.5.8.1-5.fc6 [application] autofs-5.0.1-0.rc2.36 [target]
Policy RPM:  selinux-policy-2.4.6-7.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Host Name:  neo.lokaal.net
Platform:  Linux neo.lokaal.net 2.6.18-1.2849.fc6 #1 SMP Fri Nov 10 12:34:46 EST 2006 x86_64 x86_64
Alert Count:  192
Line Numbers:

Raw Audit Messages :

avc: denied { getattr } for comm="hald" dev=hda1 egid=68 euid=68
exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="auto.misc"
path="/etc/auto.misc" pid=3033 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=file
tcontext=system_u:object_r:automount_etc_t:s0 tty=(none) uid=68
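
Added example, not part of any comment in this bug and not code from setroubleshoot or audit2allow: the report in Comment 6 offers either disabling confinement of hald with the `hald_disable_trans` boolean or writing a local policy module, and this sketch derives the single type-enforcement rule such a module would need from the raw audit message. The function names and the second, constructed record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The raw audit message from the report above, rejoined onto one line.
REPORTED_AVC = (
    'avc: denied { getattr } for comm="hald" dev=hda1 egid=68 euid=68 '
    'exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="auto.misc" '
    'path="/etc/auto.misc" pid=3033 scontext=system_u:system_r:hald_t:s0 sgid=68 '
    'subj=system_u:system_r:hald_t:s0 suid=68 tclass=file '
    'tcontext=system_u:object_r:automount_etc_t:s0 tty=(none) uid=68'
)
# Constructed second record (not from the report) to show permissions merging.
CONSTRUCTED_AVC = (
    'avc: denied { read } for comm="hald" path="/etc/auto.misc" '
    'scontext=system_u:system_r:hald_t:s0 tclass=file '
    'tcontext=system_u:object_r:automount_etc_t:s0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one denial, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: refuse to guess the missing parts
    # A context is user:role:type[:level]; the type is the third field.
    return {
        'perms': set(m.group(1).split()),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path'),
    }

def allow_rules(lines):
    """Merge denials into the narrowest allow rules that cover them."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        merged[(d['source_type'], d['target_type'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules
```

For the reported denial this yields one rule granting hald_t only `getattr` on automount_etc_t files, which leaves the rest of hald's confinement in place, unlike the boolean.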
Comment 7 Daniel Walsh 2007-12-21 10:06:56 EST
This is now allowed in the upstream versions and since FC6 is no longer
supported.  Closing Next Release.
