Bug 303741 - selinux-policy update clashes with hal preventing /dev/console access
selinux-policy update clashes with hal preventing /dev/console access
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-09-24 13:55 EDT by Michal Jaegermann
Modified: 2008-01-30 14:18 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:18:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michal Jaegermann 2007-09-24 13:55:20 EDT
Description of problem:

After updating to selinux-policy-2.4.6-88.fc6 I am seeing
in logs complaints of that sort:
denied  { use } for  pid=3205 comm="hald" name="console" dev=tmpfs
on a system with selinux set to "enforcing" and "targeted".

'sealert' has the following to say:

    SELinux is preventing /usr/sbin/hald (hald_t) "use" access to /dev/console

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
   Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /dev/console, restorecon -v
    /dev/console. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "hald_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P hald_disable_trans=1."

    The following command will allow this access:
    setsebool -P hald_disable_trans=1

Additional Information:

Source Context:               system_u:system_r:hald_t
Target Context:               system_u:system_r:init_t
Target Objects:               /dev/console [ fd ]
Affected RPM Packages:        hal- [application]
Policy RPM:                   selinux-policy-2.4.6-88.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    dyna0.home.front
Platform:                     Linux dyna0.home.front #1 SMP Thu
Aug 30 13:47:09 EDT 2007 x86_64 x86_64
Alert Count:                  1
Line Numbers:

Raw Audit Messages:

avc: denied { use } for comm="hald" dev=tmpfs egid=0 euid=0 exe="/usr/sbin/hald"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="console" path="/dev/console" pid=3237
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=fd tcontext=system_u:system_r:init_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:
always and is new after updates
Comment 1 Daniel Walsh 2007-09-24 16:51:05 EDT
Fixed in selinux-policy-targeted-2.4.6-94.fc6
Comment 2 Daniel Walsh 2008-01-30 14:18:27 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.