Bug 236089 - SELinux - bluez-utils permission conflict
Summary: SELinux - bluez-utils permission conflict
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 236189
Depends On:
Blocks:
 
Reported: 2007-04-11 21:38 UTC by Bryan Agee
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-23 13:45:54 UTC
Type: ---
Embargoed:



Description Bryan Agee 2007-04-11 21:38:16 UTC
Description of problem:
bluez-utils attempts to read inotify during update, which is not allowed by the
default SELinux policies.

The following is the SELinux Troubleshooter report:

Summary
    SELinux is preventing /usr/sbin/hcid (bluetooth_t) "read" to inotify
    (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hcid. It is not expected that
    this access is required by /usr/sbin/hcid and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for inotify, restorecon -v inotify
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:bluetooth_t
Target Context                system_u:object_r:inotifyfs_t
Target Objects                inotify [ dir ]
Affected RPM Packages         bluez-utils-3.9-1.fc7 [application]
Policy RPM                    selinux-policy-2.5.10-2.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   False
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     bryans-lt.vantage-payroll.com
Platform                      Linux bryans-lt.vantage-payroll.com
                              2.6.20-1.3023.fc7 #1 SMP Sun Mar 25 22:12:02 EDT
                              2007 i686 athlon
Alert Count                   169
First Seen                    Wed 11 Apr 2007 02:14:43 PM PDT
Last Seen                     Wed 11 Apr 2007 02:14:43 PM PDT
Local ID                      74899f31-ac7c-4ce1-8f16-125186901af1
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="hcid" dev=inotifyfs egid=0 euid=0
exe="/usr/sbin/hcid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="inotify"
path="inotify" pid=2245 scontext=system_u:system_r:bluetooth_t:s0 sgid=0
subj=system_u:system_r:bluetooth_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=0
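The "Allowing Access" section above says to generate a local policy module for this denial, which on Fedora is normally done by feeding the raw AVC line to audit2allow. The script below is an added example, not code from this bug report or from selinux-policy: it does the core of what `audit2allow -M local` does, parsing raw AVC denial lines (the one quoted above reflowed onto one line, plus a second constructed denial to show how permissions for the same source, target and class are merged) into the `.te` module body you would compile and load. The function and module names are the example's own.

```python
"""Turn raw SELinux AVC denial lines into the body of a local policy
module, which is what `audit2allow -M local` does for you on a Fedora box.
Added example; not code from the bug report or from selinux-policy."""
import re
from collections import defaultdict

# Constructed sample input. The first line is the denial quoted in the
# report, reflowed onto one line; the second is made up to show how
# several permissions for one source/target/class are merged into one rule.
SAMPLE_AVCS = [
    'avc: denied { read } for comm="hcid" dev=inotifyfs egid=0 euid=0 '
    'exe="/usr/sbin/hcid" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="inotify" '
    'path="inotify" pid=2245 scontext=system_u:system_r:bluetooth_t:s0 sgid=0 '
    'subj=system_u:system_r:bluetooth_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="hcid" pid=2245 '
    'scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 '
    'tclass=dir',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def type_of(context):
    """user:role:type[:range] -> type. The type is always the third field,
    even when an MLS range with its own colons follows it."""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for one AVC denial
    line, or None for lines that are not AVC denials (SYSCALL records,
    setroubleshoot chatter, ...). Fields are read by name, not by position,
    because the kernel and setroubleshoot print them in different orders."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(FIELD_RE.findall(line))
    try:
        return (type_of(fields['scontext']), type_of(fields['tcontext']),
                fields['tclass'], perms)
    except KeyError:
        return None


def collect_rules(lines):
    """Merge all denials into {(source, target, class): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax wants."""
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else '{ ' + ' '.join(ps) + ' }'


def render_module(name, version, rules):
    """Emit a .te file in the layout audit2allow produces: a module header,
    a require block naming every type and class used, then the allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt_perms(classes[c])};' for c in sorted(classes)]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt_perms(rules[(s, t, c)])};'
            for (s, t, c) in sorted(rules)]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Save the output as local.te, then build and load it with the real
    # toolchain (exactly what `audit2allow -M local` automates):
    #   checkmodule -M -m -o local.mod local.te
    #   semodule_package -o local.pp -m local.mod
    #   semodule -i local.pp        (semodule -r local removes it again)
    print(render_module('local', '1.0', collect_rules(SAMPLE_AVCS)), end='')
```

Keep such a module as narrow as the denial actually shows: the rule produced here grants bluetooth_t read (and, only because of the constructed second line, search) on inotifyfs_t directories and nothing wider. It is a stopgap; the maintainer's resolution in Comment 4 below is to update selinux-policy, after which `semodule -r local` removes the local module.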

Comment 1 Matthew Miller 2007-04-12 12:58:38 UTC
Although it's far from obvious, all Fedora 7 test bugs should be filed against
"devel", not "test#". Moving this, so it doesn't get lost.

This has been a bulk message. We return you now to your regularly scheduled
program, already in progress.

Comment 2 Klaus Pedersen 2007-04-28 23:30:14 UTC
I was also hit by this. There is a hint to fix it in the "allowing Access" section:

> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for inotify, restorecon -v inotify
                                                           ^^^^^^^^^^^^^^^^^^^^^
This worked for me - as root:
    restorecon -v /proc/sys/fs/inotify

(voodoo?)
 
I have no idea why it works, because apparently there is no security context on
the directory:

ls -dZ /proc/sys/fs/inotify
dr-xr-xr-x  root root                                  /proc/sys/fs/inotify

(this is on fc7-devel with all updates)


Comment 3 David Woodhouse 2007-07-21 11:16:00 UTC
*** Bug 236189 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2007-07-23 13:45:54 UTC
This bug is fixed in the latest policy

yum update selinux-policy

