Bug 227704 - SELinux denial while starting haldaemon
Summary: SELinux denial while starting haldaemon
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
: 227713 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-02-07 17:37 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 14:15:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Nalin Dahyabhai 2007-02-07 17:37:49 UTC
Description of problem:
hal 0.5.9 seems to need to be able to do more things than targeted policy
2.5.2-5.fc7 allowed for previous versions

Version-Release number of selected component (if applicable):
2.5.2-5.fc7

How reproducible:
Always

Steps to Reproduce:
1. try to start the haldaemon service

Additional info:
My audit log shows:
type=AVC msg=audit(1170866731.434:8): avc:  denied  { write } for  pid=3137
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1170866868.580:19): avc:  denied  { write } for  pid=3513
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

This appears to be triggered by hald-generate-fdi-cache.

Comment 1 Will Woods 2007-02-07 23:03:32 UTC
*** Bug 227713 has been marked as a duplicate of this bug. ***

Comment 2 Will Woods 2007-02-07 23:05:42 UTC
Here's my audit message:

avc: denied { write } for comm="hald-generate-f" dev=dm-3 egid=0 euid=0
exe="/usr/libexec/hald-generate-fdi-cache" exit=-13 fsgid=0 fsuid=0 gid=0
items=0 name="hald" pid=3570 scontext=user_u:system_r:hald_t:s0 sgid=0
subj=user_u:system_r:hald_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0 

Comment 3 Daniel Walsh 2007-02-12 16:19:00 UTC
Fixed in  selinux-policy-2.5.2-7


Comment 4 Steve 2007-05-10 09:07:15 UTC
(In reply to comment #3)
> Fixed in  selinux-policy-2.5.2-7
> 

I've selinux-policy-2.6.1-1.fc7.

My audit message:
avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir

Comment 5 Steve 2007-05-10 10:05:55 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Fixed in  selinux-policy-2.5.2-7
> > 
> 
> I've selinux-policy-2.6.1-1.fc7.
> 
> My audit message:
> avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
> dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir

A "touch /.autorelabel && reboot" did it!



Comment 6 Daniel Walsh 2007-08-22 14:15:14 UTC
Should be fixed in the current release



Note You need to log in before you can comment on or make changes to this bug.