Bug 227704 - SELinux denial while starting haldaemon
SELinux denial while starting haldaemon
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
: 227713 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-02-07 12:37 EST by Nalin Dahyabhai
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:15:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nalin Dahyabhai 2007-02-07 12:37:49 EST
Description of problem:
hal 0.5.9 seems to need to be able to do more things than targeted policy
2.5.2-5.fc7 allowed for previous versions

Version-Release number of selected component (if applicable):
2.5.2-5.fc7

How reproducible:
Always

Steps to Reproduce:
1. try to start the haldaemon service

Additional info:
My audit log shows:
type=AVC msg=audit(1170866731.434:8): avc:  denied  { write } for  pid=3137
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1170866868.580:19): avc:  denied  { write } for  pid=3513
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

This appears to be triggered by hald-generate-fdi-cache.
Comment 1 Will Woods 2007-02-07 18:03:32 EST
*** Bug 227713 has been marked as a duplicate of this bug. ***
Comment 2 Will Woods 2007-02-07 18:05:42 EST
Here's my audit message:

avc: denied { write } for comm="hald-generate-f" dev=dm-3 egid=0 euid=0
exe="/usr/libexec/hald-generate-fdi-cache" exit=-13 fsgid=0 fsuid=0 gid=0
items=0 name="hald" pid=3570 scontext=user_u:system_r:hald_t:s0 sgid=0
subj=user_u:system_r:hald_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0 
Comment 3 Daniel Walsh 2007-02-12 11:19:00 EST
Fixed in  selinux-policy-2.5.2-7
Comment 4 Steve 2007-05-10 05:07:15 EDT
(In reply to comment #3)
> Fixed in  selinux-policy-2.5.2-7
> 

I've selinux-policy-2.6.1-1.fc7.

My audit message:
avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir
Comment 5 Steve 2007-05-10 06:05:55 EDT
(In reply to comment #4)
> (In reply to comment #3)
> > Fixed in  selinux-policy-2.5.2-7
> > 
> 
> I've selinux-policy-2.6.1-1.fc7.
> 
> My audit message:
> avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
> dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir

A "touch /.autorelabel && reboot" did it!

Comment 6 Daniel Walsh 2007-08-22 10:15:14 EDT
Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.