Bug 312771 - AVCs related to hibernating
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-09-29 18:47 EDT by Matthew Saltzman
Modified: 2008-01-30 14:06 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:06:31 EST
Description Matthew Saltzman 2007-09-29 18:47:38 EDT
Description of problem:
Hibernating and resuming my Thinkpad T61 results in several AVCs

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-14.fc8

How reproducible:
Always

Steps to Reproduce:
1. Suspend
2. Resume
3. Check logs and setroubleshoot
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:

During hibernate:

avc: denied { ptrace } for comm=gnome-keyring-d egid=500 euid=500
exe=/usr/bin/gnome-keyring-daemon exit=28 fsgid=500 fsuid=500 gid=500 items=0
pid=3533 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=3 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3629
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0 

Also saw

   Sep 29 18:02:31 valkyrie restorecond: Read error (Interrupted system call)

in /var/log/messages.

During resume:

avc: denied { setsched } for comm=pm-hibernate pid=3537
scontext=system_u:system_r:hald_t:s0 tclass=process
tcontext=system_u:system_r:kernel_t:s0 

avc: denied { search } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-2 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=3817
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=dir tcontext=root:object_r:sysadm_home_dir_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-10-01 17:16:22 EDT
These should be fixed in selinux-policy-3.0.8-16
Comment 2 Matthew Saltzman 2007-10-03 12:42:11 EDT
Still an issue with selinux-policy-targeted-3.0.8-16.fc8.

avc: denied { read } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=4386
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

avc: denied { setsched } for comm=pm-hibernate egid=0 euid=0 exe=/bin/bash
exit=4 fsgid=0 fsuid=0 gid=0 items=0 pid=4117
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=process tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=4208
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 
Comment 3 Daniel Walsh 2007-10-03 17:01:36 EDT
OK, try selinux-policy-targeted-3.0.8-17.fc8

You will either need to remove /etc/asound.state or restorecon it.
Comment 4 Matthew Saltzman 2007-10-05 11:42:29 EDT
The AVCs in Comment #2 still appear.  For the alsa ones, the behavior changed
across the restorecon (see below).  Also still seeing the pm-hibernate AVC.

Before:

avc: denied { read } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3559
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3373
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

Restorecon results:

# /sbin/restorecon -v asound.state 
/sbin/restorecon reset asound.state context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

After:

avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3947
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 
Comment 5 Daniel Walsh 2007-10-05 11:59:43 EDT
Argh, this is using /etc/alsa/asound.state.

Fixed in selinux-policy-targeted-3.0.8-18.fc8

You can test it by adding the file context path

semanage fcontext -a -t alsa_etc_rw_t '/etc/alsa/asound\.state'
Comment 6 Matthew Saltzman 2007-10-05 12:19:35 EDT
After running the semanage command and restorecon for /etc/alsa/asound.state,
the alsa AVCs are gone.

The pm-hibernate one is still there, though.

I think this alsa one is also a problem in selinux-policy-targeted-2.6.4-45.fc7.
Comment 7 Daniel Walsh 2007-10-05 14:55:20 EDT
Are you saying you are still seeing the hal setsched on kernel issue in rawhide?
Comment 8 Matthew Saltzman 2007-10-05 15:30:08 EDT
F8T3, fully updated as of this morning.

kernel-2.6.23-0.217.rc9.git1.fc8.x86_64
hal-0.5.10-0.git20070925.fc8
selinux-policy-targeted-3.0.8-17.fc8

avc: denied { setsched } for comm=pm-hibernate egid=0 euid=0 exe=/bin/bash
exit=4 fsgid=0 fsuid=0 gid=0 items=0 pid=4042
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=process tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0 
Comment 9 Daniel Walsh 2008-01-30 14:06:31 EST
Bulk closing old selinux policy bugs that were in the modified state. If the
bug is still not fixed, please reopen.
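
A triage sketch for the denials in this thread, added here as an example and not part of the original bug report or of the SELinux tooling: it re-joins the wrapped AVC records, merges permissions per (source type, target type, class), and tags file or directory denials against a generic type as labeling candidates, which is how the alsactl denials were resolved (a file-context entry plus restorecon rather than a new allow rule). The GENERIC_TYPES list and the labeling/policy split are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: generic types; a file/dir denial against one of these usually
# points at a missing file-context entry rather than a missing allow rule.
GENERIC_TYPES = {"etc_t", "etc_runtime_t", "var_lib_t", "var_t", "usr_t", "default_t"}

# Two denials copied from the report above, wrapped as they appear there.
SAMPLE = """\
avc: denied { write } for comm=alsactl dev=dm-0 egid=0 euid=0 exe=/sbin/alsactl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=asound.state pid=3947
scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0
suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

avc: denied { setsched } for comm=pm-hibernate pid=3537
scontext=system_u:system_r:hald_t:s0 tclass=process
tcontext=system_u:system_r:kernel_t:s0
"""

def parse_avcs(text):
    """Re-join wrapped records and return one dict per 'avc: denied' entry."""
    records = []
    for chunk in re.split(r"(?=avc:\s+denied)", text):
        flat = " ".join(chunk.split())
        m = re.match(r"avc:\s+denied\s+\{([^}]*)\}", flat)
        fields = {k: v.strip('"') for k, v in re.findall(r"(\w+)=(\S+)", flat)}
        if not m or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # surrounding prose or an incomplete record
        records.append({
            "perms": set(m.group(1).split()),
            "name": fields.get("name"),  # absent for process-class denials
            "source": fields["scontext"].split(":")[2],  # user:role:type:level
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        })
    return records

def triage(records):
    """Merge perms per (source, target, class); tag each group labeling/policy."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    out = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        generic = cls in ("file", "dir") and tgt in GENERIC_TYPES
        out.append(("labeling" if generic else "policy", src, tgt, cls, sorted(perms)))
    return out

if __name__ == "__main__":
    print(triage(parse_avcs(SAMPLE)))
```
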
