Bug 250447 - SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-01 13:42 EDT by jt
Modified: 2008-05-21 12:05 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:05:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description jt 2007-08-01 13:42:43 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Description of problem:
This is the output from from the following command:

sealert -l a8fc1d5a-19e8-4377-a80a-bd1e92eb907b

<output>
Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device
    /dev/drbd1.

Detailed Description
    SELinux has denied the /usr/sbin/hald (hald_t) "getattr" access to device
    /dev/drbd1. /dev/drbd1 is mislabeled, this device has the default label of
    the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/drbd1. If this device remains labeled device_t,
    then this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/drbd1, you can use
    chcon -t SIMILAR_TYPE /dev/drbd1, If this fixes the problem, you can make
    this permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/drbd1
    If the restorecon changes the context, this indicates that the application
    that created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Allowing Access
    Attempt restorecon -v /dev/drbd1 or chcon -t SIMILAR_TYPE /dev/drbd1

Additional Information        

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/drbd1 [ blk_file ]
Affected RPM Packages         hal-0.5.8.1-19.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device
Host Name                     golden.santekdev.com
Platform                      Linux golden.santekdev.com
                              2.6.18-8.1.8.el5.centos.plus #1 SMP Mon Jul 16
                              08:49:50 EDT 2007 i686 athlon
Alert Count                   35
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="hald" dev=tmpfs egid=68 euid=68
exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="drbd1"
path="/dev/drbd1" pid=2443 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=blk_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=68
</output>

Version-Release number of selected component (if applicable):
hal-0.5.8.1-19.el5 

How reproducible:
Always


Steps to Reproduce:
1. reboot machine
2. 
3.

Actual Results:
Check /var/log/messages and find these errors:

SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd0
SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to device /dev/drbd1

Expected Results:


Additional info:
I have tried the following command:

restorecon -v /dev/drbd1

with no success
Comment 1 Daniel Walsh 2007-12-21 10:04:41 EST
This is a problem in SELinux labeling and probably is not causing a problem.  I
will fix the labeling in selinux-policy-2.4.6-108.el5
Comment 2 RHEL Product and Program Management 2007-12-21 10:14:20 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 errata-xmlrpc 2008-05-21 12:05:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

Note You need to log in before you can comment on or make changes to this bug.