Bug 220224 - SELinux is preventing /sbin/lvm.static (lvm_t) "getattr" to /dev/shm/pulse-shm-3668705703 (tmpfs_t).
Summary: SELinux is preventing /sbin/lvm.static (lvm_t) "getattr" to /dev/shm/pulse-sh...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-12-19 19:55 UTC by Eric Moret
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-2.4.6-25
Clone Of:
Environment:
Last Closed: 2007-07-19 22:41:54 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Eric Moret 2006-12-19 19:55:40 UTC
Description of problem:
When running pulseaudio on FC6 with the SELinux targeted policy in enforcing
mode, there seems to be some missing access in the default policy. Maybe? Also
maybe this bug should be opened against targeted policy and not pulseaudio. Feel
free to reassign in that case!

$ ls -laZ /dev/shm/pulse-shm-3668705703
-r--------  emoret nscn user_u:object_r:tmpfs_t /dev/shm/pulse-shm-3668705703

Version-Release number of selected component (if applicable):
pulseaudio-0.9.5-2.fc6
kernel-2.6.18-1.2849.fc6
lvm2-2.02.06-4

How reproducible:
Not sure under wich condition pulseaudio tries to access the shared memory.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Detailed Description
SELinux denied access requested by /sbin/lvm.static. It is not expected that
this access is required by /sbin/lvm.static and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/shm/pulse-shm-3668705703, restorecon -v
/dev/shm/pulse-shm-3668705703 If this does not work, there is currently no
automatic way to allow this access. Instead, you can generate a local policy
module to allow this access - see FAQ Or you can disable SELinux protection
altogether. Disabling SELinux protection is not recommended. Please file a bug
report against this package.
Raw Audit Messages :
avc: denied { getattr } for comm="lvm.static" dev=tmpfs egid=0 euid=0
exe="/sbin/lvm.static" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="pulse-shm-3668705703" path="/dev/shm/pulse-shm-3668705703" pid=13355
scontext=user_u:system_r:lvm_t:s0 sgid=0 subj=user_u:system_r:lvm_t:s0 suid=0
tclass=file tcontext=user_u:object_r:tmpfs_t:s0 tty=(none) uid=0 

Expected results:
No denial from selinux

Additional info:

Comment 1 Pierre Ossman 2006-12-22 16:48:40 UTC
Ehm... how does lvm get involved in this?

Anyway, I'm afraid I'm rather blissful about how the policy is set up, so I'm
reassigning there. It can be moved back if it turns out that pulse is doing
something stupid.

Comment 2 Daniel Walsh 2007-01-11 22:02:34 UTC
Fixed in selinux-policy-2.4.6-25


Note You need to log in before you can comment on or make changes to this bug.