Bug 224194 - irqbalance SElinux denial
irqbalance SElinux denial
Status: CLOSED DUPLICATE of bug 219606
Product: Fedora
Classification: Fedora
Component: irqbalance (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Neil Horman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-24 11:16 EST by Mike A. Harris
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-24 13:04:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike A. Harris 2007-01-24 11:16:25 EST
Description of problem:

Running an FC6 system with no proprietary drivers or third party software
installed, just stock FC6 plus official updates, and some Fedora Extras
stuff plus updates.  I'm using the system default SElinux configuration
unmodified.

Recently, I've been getting a lot of SElinux avc denials for irqbalance
which previously never happened.  It seems as if some package update
along the way (the irqbalance package, or selinux-policy perhaps) has
maybe broken something.  Alternatively, perhaps something was fixed in
an update, which has uncovered other previously hidden bugs.  Not sure
either way, but here is the SElinux denial info from setroubleshoot:



Summary:  SELinux is preventing /usr/sbin/irqbalance (irqbalance_t) "search"
access to net (proc_net_t).

Detailed Description:

SELinux denied access requested by /usr/sbin/irqbalance. It is not expected that
this access is required by /usr/sbin/irqbalance and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a bug report against this package.Allowing AccessSometimes labeling
problems can cause SELinux denials. You could try to restore the default system
file context for net, restorecon -v net. There is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow this
access - see FAQ - or you can disable SELinux protection entirely for the
application. Disabling SELinux protection is not recommended. Please file a bug
report against this package. Changing the "irqbalance_disable_trans" boolean to
true will disable SELinux protection this application: "setsebool -P
irqbalance_disable_trans=1."The following command will allow this
access:setsebool -P irqbalance_disable_trans=1Additional InformationSource
Context:  system_u:system_r:irqbalance_tTarget
Context:  system_u:object_r:proc_net_tTarget Objects:  net [ dir ]Affected RPM
Packages:  irqbalance-0.55-2.fc6 [application]Policy
RPM:  selinux-policy-2.4.6-7.fc6Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.disable_transHost
Name:  shuttlePlatform:  Linux shuttle 2.6.18-1.2868.fc6 #1 SMP Fri Dec 15
17:32:54 EST 2006 i686 i686Alert Count:  224361Line Numbers:   Raw Audit
Messages :avc: denied { search } for comm="irqbalance" dev=proc egid=0 euid=0
exe="/usr/sbin/irqbalance" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net"
pid=2023 scontext=system_u:system_r:irqbalance_t:s0 sgid=0
subj=system_u:system_r:irqbalance_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0


Apologies for the jumbled together info, I cut and pasted it from
setroubleshootd.  If there is a better way of gathering this data that is
more cut and paste friendly in a single cut-n-pasting, let me know and I'll
do that in the future.

If any additional information is required, let me know and  I'll supply
it ASAP.
Comment 1 Neil Horman 2007-01-24 13:04:45 EST

*** This bug has been marked as a duplicate of 219606 ***

Note You need to log in before you can comment on or make changes to this bug.