Bug 250447 - SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Assignee: Daniel Walsh
Reported: 2007-08-01 17:42 UTC by jt
Modified: 2008-05-21 16:05 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 16:05:23 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0465 0 normal SHIPPED_LIVE selinux-policy bug fix update 2008-05-20 14:36:31 UTC

Description jt 2007-08-01 17:42:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Description of problem:
This is the output from the following command:

sealert -l a8fc1d5a-19e8-4377-a80a-bd1e92eb907b

<output>
Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device
    /dev/drbd1.

Detailed Description
    SELinux has denied the /usr/sbin/hald (hald_t) "getattr" access to device
    /dev/drbd1. /dev/drbd1 is mislabeled, this device has the default label of
    the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/drbd1. If this device remains labeled device_t,
    then this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/drbd1, you can use
    chcon -t SIMILAR_TYPE /dev/drbd1, If this fixes the problem, you can make
    this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/drbd1
    If the restorecon changes the context, this indicates that the application
    that created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Allowing Access
    Attempt restorecon -v /dev/drbd1 or chcon -t SIMILAR_TYPE /dev/drbd1

Additional Information        

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/drbd1 [ blk_file ]
Affected RPM Packages         hal-0.5.8.1-19.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device
Host Name                     golden.santekdev.com
Platform                      Linux golden.santekdev.com
                              2.6.18-8.1.8.el5.centos.plus #1 SMP Mon Jul 16
                              08:49:50 EDT 2007 i686 athlon
Alert Count                   35
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="hald" dev=tmpfs egid=68 euid=68
exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="drbd1"
path="/dev/drbd1" pid=2443 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=blk_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=68
</output>

Version-Release number of selected component (if applicable):
hal-0.5.8.1-19.el5 

How reproducible:
Always


Steps to Reproduce:
1. reboot machine

Actual Results:
Check /var/log/messages and find these errors:

SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd1

Expected Results:


Additional info:
I have tried the following command:

restorecon -v /dev/drbd1

with no success

Comment 1 Daniel Walsh 2007-12-21 15:04:41 UTC
This is a problem in SELinux labeling and probably is not causing a problem.  I
will fix the labeling in selinux-policy-2.4.6-108.el5
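
The reasoning of the device plugin in the alert above is that a block or character device node still carrying the /dev default type device_t points to a labeling gap rather than to misbehaviour by hald. That can be checked directly against raw AVC messages. This is an added example, not part of the original report or of setroubleshoot's code; it assumes each denial sits on one line in the merged format quoted in this report, and the second sample line is constructed.

```python
import re

# Constructed sample: line 1 is the denial from this report joined onto one
# line; line 2 is a made-up denial against an already-labeled block device.
SAMPLE_AUDIT = (
    'avc: denied { getattr } for comm="hald" dev=tmpfs egid=68 euid=68 '
    'exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
    'name="drbd1" path="/dev/drbd1" pid=2443 '
    'scontext=system_u:system_r:hald_t:s0 sgid=68 '
    'subj=system_u:system_r:hald_t:s0 suid=68 tclass=blk_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=68\n'
    'avc: denied { read } for comm="example" path="/dev/sdz" '
    'scontext=system_u:system_r:example_t:s0 tclass=blk_file '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {"blk_file", "chr_file"}


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def mislabeled_devices(audit_text):
    """Return denials whose target device node still carries device_t."""
    hits = []
    for rec in filter(None, map(parse_avc, audit_text.splitlines())):
        if (rec.get("tclass") in DEVICE_CLASSES
                and context_type(rec.get("tcontext", "")) == "device_t"):
            hits.append((rec.get("path"), rec["tclass"], rec["perms"],
                         context_type(rec.get("scontext", ""))))
    return hits
```

Each hit is a tuple of device path, object class, denied permissions and source domain; a non-empty result means the fix belongs in file-context labeling for that device, not in an allow rule for the source domain.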

Comment 2 RHEL Program Management 2007-12-21 15:14:20 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 errata-xmlrpc 2008-05-21 16:05:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html


