Bug 312771 - AVCs related to hibernating
Summary: AVCs related to hibernating
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-09-29 22:47 UTC by Matthew Saltzman
Modified: 2008-01-30 19:06 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:06:31 UTC
Type: ---
Embargoed:



Description Matthew Saltzman 2007-09-29 22:47:38 UTC
Description of problem:
Hibernating and resuming my Thinkpad T61 results in several AVCs

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-14.fc8

How reproducible:
Always

Steps to Reproduce:
1. Suspend
2. Resume
3. Check logs and setroubleshoot
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:

During hibernate:

avc: denied { ptrace } for comm=gnome-keyring-d egid=500 euid=500
exe=/usr/bin/gnome-keyring-daemon exit=28 fsgid=500 fsuid=500 gid=500 items=0
pid=3533 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=3 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3629
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0 

Also saw

   Sep 29 18:02:31 valkyrie restorecond: Read error (Interrupted system call)

in /var/log/messages.

During resume:

avc: denied { setsched } for comm=pm-hibernate pid=3537
scontext=system_u:system_r:hald_t:s0 tclass=process
tcontext=system_u:system_r:kernel_t:s0 

avc: denied { search } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=3817
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=dir tcontext=root:object_r:sysadm_home_dir_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-10-01 21:16:22 UTC
These should be fixed in selinux-policy-3.0.8-16

Comment 2 Matthew Saltzman 2007-10-03 16:42:11 UTC
Still an issue with selinux-policy-targeted-3.0.8-16.fc8.

avc: denied { read } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=4386
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

avc: denied { setsched } for comm=pm-hibernate egid=0 euid=0 exe=/bin/bash
exit=4 fsgid=0 fsuid=0 gid=0 items=0 pid=4117
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=process tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=4208
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 


Comment 3 Daniel Walsh 2007-10-03 21:01:36 UTC
OK, try selinux-policy-targeted-3.0.8-17.fc8

You will either need to remove /etc/asound.state or restorecon it.

Comment 4 Matthew Saltzman 2007-10-05 15:42:29 UTC
The AVCs in Comment #2 still appear.  For the alsa ones, the behavior changed
across the restorecon (see below).  Also still seeing the pm-hibernate AVC.

Before:

avc: denied { read } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3559
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3373
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

Restorecon results:

# /sbin/restorecon -v asound.state 
/sbin/restorecon reset asound.state context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

After:

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3947
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 

Comment 5 Daniel Walsh 2007-10-05 15:59:43 UTC
Argh, this is using /etc/alsa/asound.state.

Fixed in selinux-policy-targeted-3.0.8-18.fc8

You can test it by adding the file context path

semanage fcontext -a -t alsa_etc_rw_t '/etc/alsa/asound\.state'

Comment 6 Matthew Saltzman 2007-10-05 16:19:35 UTC
After running the semanage command and restorecon for /etc/alsa/asound.state,
the alsa AVCs are gone.

The pm-hibernate one is still there, though.

I think this alsa one is also a problem in selinux-policy-targeted-2.6.4-45.fc7.
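
An added example (not part of the original thread or of any Fedora tooling): a small Python parser for AVC denials in the form quoted in this bug. It merges them into per-rule permission sets and flags a file name that was denied under several target types, as asound.state was in the Description and Comments 2 to 4. The function names and the abridged sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

# AVC records from this bug, abridged to the fields used below (uid/gid/exit
# fields dropped) and wrapped as in the report. Blank lines separate records.
SAMPLE = """
avc: denied { ptrace } for comm=gnome-keyring-d
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process tcontext=system_u:system_r:unconfined_t:s0

avc: denied { write } for comm=alsactl name=asound.state
scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:var_lib_t:s0

avc: denied { read } for comm=alsactl name=asound.state
scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0

avc: denied { write } for comm=alsactl name=asound.state
scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0

avc: denied { write } for comm=alsactl name=asound.state
scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0

avc: denied { setsched } for comm=pm-hibernate pid=3537
scontext=system_u:system_r:hald_t:s0 tclass=process tcontext=system_u:system_r:kernel_t:s0
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(record):
    """Return (source type, target type, class, perms, name) or None if not an AVC."""
    m = AVC_RE.search(" ".join(record.split()))  # undo the line wrapping first
    if not m:
        return None
    f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    ctxs = [f.get(k, "").split(":") for k in ("scontext", "tcontext")]
    if "tclass" not in f or any(len(c) < 3 for c in ctxs):
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return ctxs[0][2], ctxs[1][2], f["tclass"], m.group(1).split(), f.get("name")

def summarize(text):
    """Return ({(source, target, class): perms}, {(source, name): target types})."""
    rules, labels = defaultdict(set), defaultdict(set)
    for rec in re.split(r"\n\s*\n", text):
        d = parse_avc(rec)
        if d:
            rules[d[:3]].update(d[3])
            if d[4]:  # name= is only the last path component, not the full path
                labels[(d[0], d[4])].add(d[1])
    moving = {k: sorted(v) for k, v in labels.items() if len(v) > 1}
    return {k: sorted(v) for k, v in rules.items()}, moving
```

A name that appears in the second result was denied under more than one target type, so the file's label is the first thing to check. Because `name=` carries only the last path component, confirm the full path before relabeling, which is the mix-up Comment 5 describes.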

Comment 7 Daniel Walsh 2007-10-05 18:55:20 UTC
Are you saying you are still seeing the hal setsched on kernel issue in rawhide?


Comment 8 Matthew Saltzman 2007-10-05 19:30:08 UTC
F8T3, fully updated as of this morning.

kernel-2.6.23-0.217.rc9.git1.fc8.x86_64
hal-0.5.10-0.git20070925.fc8
selinux-policy-targeted-3.0.8-17.fc8

avc: denied { setsched } for comm=pm-hibernate egid=0 euid=0 exe=/bin/bash
exit=4 fsgid=0 fsuid=0 gid=0 items=0 pid=4042
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=process tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0 

Comment 9 Daniel Walsh 2008-01-30 19:06:31 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

