Description of problem:

After updating to selinux-policy-2.4.6-88.fc6 I am seeing in logs complaints of that sort:

    denied { use } for pid=3205 comm="hald" name="console" dev=tmpfs

on a system with selinux set to "enforcing" and "targeted". 'sealert' has the following to say:

Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "use" access to /dev/console (init_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that this access is required by /usr/sbin/hald and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/console, restorecon -v /dev/console. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "hald_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P hald_disable_trans=1."

    The following command will allow this access:
    setsebool -P hald_disable_trans=1

Additional Information:

    Source Context:         system_u:system_r:hald_t
    Target Context:         system_u:system_r:init_t
    Target Objects:         /dev/console [ fd ]
    Affected RPM Packages:  hal-0.5.8.1-6.fc6 [application]
    Policy RPM:             selinux-policy-2.4.6-88.fc6
    Selinux Enabled:        True
    Policy Type:            targeted
    MLS Enabled:            True
    Enforcing Mode:         Enforcing
    Plugin Name:            plugins.disable_trans
    Host Name:              dyna0.home.front
    Platform:               Linux dyna0.home.front 2.6.22.5-49.fc6 #1 SMP Thu Aug 30 13:47:09 EDT 2007 x86_64 x86_64
    Alert Count:            1
    Line Numbers:

Raw Audit Messages:

    avc: denied { use } for comm="hald" dev=tmpfs egid=0 euid=0 exe="/usr/sbin/hald" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="console" path="/dev/console" pid=3237 scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0 suid=0 tclass=fd tcontext=system_u:system_r:init_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-88.fc6
selinux-policy-targeted-2.4.6-88.fc6
hal-0.5.8.1-6.fc6

How reproducible:
always and is new after updates
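
An added example, not part of the original report and not code from setroubleshoot or audit2allow: a small Python parser that extracts the source type, target type, object class and permission from the raw AVC message above and renders the single type-enforcement rule a local policy module would carry for it. The function names `parse_avc` and `te_rule` are hypothetical; the sample line is copied from the report.

```python
import re

# Raw audit message copied from the report above (sealert rendering,
# fields in alphabetical order).
SAMPLE_AVC = (
    'avc: denied { use } for comm="hald" dev=tmpfs egid=0 euid=0 '
    'exe="/usr/sbin/hald" exit=0 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="console" path="/dev/console" pid=3237 '
    'scontext=system_u:system_r:hald_t:s0 sgid=0 '
    'subj=system_u:system_r:hald_t:s0 suid=0 tclass=fd '
    'tcontext=system_u:system_r:init_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: cannot identify the rule
    # A context is user:role:type[:mls-range]; the type is the third part.
    src = fields['scontext'].split(':')
    tgt = fields['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed security context
    fields['perms'] = m.group(1).split()
    fields['source_type'] = src[2]
    fields['target_type'] = tgt[2]
    return fields


def te_rule(avc):
    """Render the type-enforcement rule this denial corresponds to."""
    perms = avc['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        avc['source_type'], avc['target_type'], avc['tclass'], perm_txt)


if __name__ == '__main__':
    print(te_rule(parse_avc(SAMPLE_AVC)))
```

The rule it prints covers only hald's use of a file descriptor owned by init_t, whereas the hald_disable_trans boolean, per the sealert text, disables SELinux protection for the application.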
Fixed in selinux-policy-targeted-2.4.6-94.fc6
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.