Bug 303741 - selinux-policy update clashes with hal preventing /dev/console access
Summary: selinux-policy update clashes with hal preventing /dev/console access
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-24 17:55 UTC by Michal Jaegermann
Modified: 2008-01-30 19:18 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:18:27 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michal Jaegermann 2007-09-24 17:55:20 UTC
Description of problem:

After updating to selinux-policy-2.4.6-88.fc6 I am seeing
in logs complaints of that sort:
denied  { use } for  pid=3205 comm="hald" name="console" dev=tmpfs
on a system with selinux set to "enforcing" and "targeted".

'sealert' has the following to say:

Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "use" access to /dev/console
    (init_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
   Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
   package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /dev/console, restorecon -v
    /dev/console. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "hald_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P hald_disable_trans=1."

    The following command will allow this access:
    setsebool -P hald_disable_trans=1

Additional Information:

Source Context:               system_u:system_r:hald_t
Target Context:               system_u:system_r:init_t
Target Objects:               /dev/console [ fd ]
Affected RPM Packages:        hal-0.5.8.1-6.fc6 [application]
Policy RPM:                   selinux-policy-2.4.6-88.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    dyna0.home.front
Platform:                     Linux dyna0.home.front 2.6.22.5-49.fc6 #1 SMP Thu
Aug 30 13:47:09 EDT 2007 x86_64 x86_64
Alert Count:                  1
Line Numbers:

Raw Audit Messages:

avc: denied { use } for comm="hald" dev=tmpfs egid=0 euid=0 exe="/usr/sbin/hald"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="console" path="/dev/console" pid=3237
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=fd tcontext=system_u:system_r:init_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-88.fc6
selinux-policy-targeted-2.4.6-88.fc6
hal-0.5.8.1-6.fc6

How reproducible:
always and is new after updates

Comment 1 Daniel Walsh 2007-09-24 20:51:05 UTC
Fixed in selinux-policy-targeted-2.4.6-94.fc6

Comment 2 Daniel Walsh 2008-01-30 19:18:27 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.


Note You need to log in before you can comment on or make changes to this bug.