Bug 252037 - SELinux denials with hald leading to failure of network interfaces
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: x86_64
OS: Linux
low
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-08-13 20:40 UTC by Adam Huffman
Modified: 2007-11-30 22:12 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-08-14 10:43:56 UTC

Description Adam Huffman 2007-08-13 20:40:27 UTC
Description of problem:
This evening I updated my laptop from F8 test1 to the latest rawhide packages. 
Upon rebooting neither of the network interfaces would come up.  Further
investigation revealed that there were SELinux denials with haldaemon - when I
changed to permissive mode, I could start haldaemon and the wireless interface
worked:
Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for reload, restorecon -v reload If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:hald_t
Target Context                system_u:object_r:var_lib_t
Target Objects                reload [ file ]
Affected RPM Packages         hal-0.5.10-0.git20070731.fc8.1 [application]
Policy RPM                    selinux-policy-3.0.5-5.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall_file
Host Name                     vaio
Platform                      Linux vaio 2.6.23-0.101.rc2.git5.fc8 #1 SMP Sun
                              Aug 12 20:38:58 EDT 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Aug 13 21:23:52 2007
Last Seen                     Mon Aug 13 21:23:52 2007
Local ID                      c891cee8-9736-4e0e-8755-f50896b3efb8
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm="hald" dev=dm-5 egid=0 euid=0 exe="/usr/sbin/hald"
exit=1 fsgid=0 fsuid=0 gid=0 items=0 name="reload" pid=3243
scontext=root:system_r:hald_t:s0 sgid=0 subj=root:system_r:hald_t:s0 suid=0
tclass=file tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0




Comment 1 Daniel Walsh 2007-08-14 10:43:56 UTC
restorecon -R -v /var/lib

This is a labeling problem.  I am not sure why the upgrade did not fix the label.
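
Added example, not part of the original report or of any Fedora tool: a Python triage of the raw audit message quoted in the description, showing the pattern behind the "labeling problem" diagnosis (the confined domain hald_t denied access to a file that carries the generic var_lib_t type). The function names and the GENERIC_TYPES set are assumptions made for illustration.

```python
import re

# Constructed sample: the raw audit message from the report, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read } for comm="hald" dev=dm-5 egid=0 euid=0 '
    'exe="/usr/sbin/hald" exit=1 fsgid=0 fsuid=0 gid=0 items=0 name="reload" '
    'pid=3243 scontext=root:system_r:hald_t:s0 sgid=0 '
    'subj=root:system_r:hald_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0'
)

# Assumption (illustrative, not exhaustive): generic types that files inherit
# from a parent directory when no more specific label has been applied.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t",
                 "default_t", "file_t", "unlabeled_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}


def parse_avc(line):
    """Split one AVC record into verdict, permission list and key=value fields."""
    head = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if head is None:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {"result": head.group(1), "perms": head.group(2).split(),
            "fields": {key: value.strip('"') for key, value in pairs}}


def split_context(context):
    """user:role:type[:level]; the MLS level is optional and may contain ':'."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": ":".join(parts[3:])}


def triage(line):
    """Summarise a denial and flag the generic-target-type mislabeling pattern."""
    rec = parse_avc(line)
    fields = rec["fields"]
    target = split_context(fields["tcontext"])
    mislabel = (rec["result"] == "denied"
                and fields.get("tclass") in FILE_CLASSES
                and target["type"] in GENERIC_TYPES)
    return {"source_domain": split_context(fields["scontext"])["type"],
            "target_type": target["type"], "object": fields.get("name"),
            "perms": rec["perms"], "likely_mislabel": mislabel}
```

Before relabeling, `restorecon -n -v -R /var/lib` reports the labels that would change without modifying anything.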
