Bug 220224 - SELinux is preventing /sbin/lvm.static (lvm_t) "getattr" to /dev/shm/pulse-shm-3668705703 (tmpfs_t).
SELinux is preventing /sbin/lvm.static (lvm_t) "getattr" to /dev/shm/pulse-sh...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2006-12-19 14:55 EST by Eric Moret
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-25
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-07-19 18:41:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eric Moret 2006-12-19 14:55:40 EST
Description of problem:
When running pulseaudio on FC6 with the SELinux targeted policy in enforcing
mode, there seems to be some missing access in the default policy. Maybe? Also
maybe this bug should be opened against targeted policy and not pulseaudio. Feel
free to reassign in that case!

$ ls -laZ /dev/shm/pulse-shm-3668705703
-r--------  emoret nscn user_u:object_r:tmpfs_t /dev/shm/pulse-shm-3668705703

Version-Release number of selected component (if applicable):

How reproducible:
Not sure under wich condition pulseaudio tries to access the shared memory.

Steps to Reproduce:
Actual results:
Detailed Description
SELinux denied access requested by /sbin/lvm.static. It is not expected that
this access is required by /sbin/lvm.static and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /dev/shm/pulse-shm-3668705703, restorecon -v
/dev/shm/pulse-shm-3668705703 If this does not work, there is currently no
automatic way to allow this access. Instead, you can generate a local policy
module to allow this access - see FAQ Or you can disable SELinux protection
altogether. Disabling SELinux protection is not recommended. Please file a bug
report against this package.
Raw Audit Messages :
avc: denied { getattr } for comm="lvm.static" dev=tmpfs egid=0 euid=0
exe="/sbin/lvm.static" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
name="pulse-shm-3668705703" path="/dev/shm/pulse-shm-3668705703" pid=13355
scontext=user_u:system_r:lvm_t:s0 sgid=0 subj=user_u:system_r:lvm_t:s0 suid=0
tclass=file tcontext=user_u:object_r:tmpfs_t:s0 tty=(none) uid=0 

Expected results:
No denial from selinux

Additional info:
Comment 1 Pierre Ossman 2006-12-22 11:48:40 EST
Ehm... how does lvm get involved in this?

Anyway, I'm afraid I'm rather blissful about how the policy is set up, so I'm
reassigning there. It can be moved back if it turns out that pulse is doing
something stupid.
Comment 2 Daniel Walsh 2007-01-11 17:02:34 EST
Fixed in selinux-policy-2.4.6-25

Note You need to log in before you can comment on or make changes to this bug.