Bug 319521 - SELinux is preventing /sbin/alsactl (alsa_t) "write" to asound.state (etc_t).
Summary: SELinux is preventing /sbin/alsactl (alsa_t) "write" to asound.state (etc_t).
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-05 00:12 UTC by Matthew Saltzman
Modified: 2008-01-30 19:06 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:06:33 UTC
Type: ---
Embargoed:



Description Matthew Saltzman 2007-10-05 00:12:20 UTC
Description of problem:
SELinux is preventing /sbin/alsactl (alsa_t) "write" to asound.state (etc_t).
The SELinux type %TARGET_TYPE, is a generic type for all files in the directory
and very few processes (SELinux Domains) are allowed to write to this SELinux
type. This type of denial usual indicates a mislabeled file. By default a file
created in a directory has the gets the context of the parent directory, but
SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write or
append on (F2). But if for some reason a file (asound.state) was created with
the wrong context, this domain will be denied. The usual solution to this
problem is to reset the file context on the target file, restorecon -v
asound.state. If the file context does not change from etc_t, then this is
probably a bug in policy. Please file a bug report against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-45.fc7

How reproducible:
Always

Steps to Reproduce:
1. Update selinux-policy-targeted to above release
2.
3.
  
Actual results:
AVCs

Expected results:
No AVCs


Additional info:
avc: denied { write } for comm="alsactl" dev=dm-0 egid=0 euid=0
exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="asound.state"
pid=24126 scontext=system_u:system_r:alsa_t:s0 sgid=0
subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0 

restorecon doesn't work, as /etc/asound.state context is etc_t.

Comment 1 Jason Merrill 2007-10-05 08:51:31 UTC
I'm getting the same issue.  For me, at first /etc/alsa/asound.state was
etc_runtime_t (which was also denied), but restorecon changed it to etc_t.

Source Context:  system_u:system_r:alsa_t
Target Context:  system_u:object_r:etc_runtime_t
Target Objects:  asound.state [ file ]
Affected RPM Packages:  alsa-utils-1.0.14-2.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-45.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  caliban.home
Platform:  Linux caliban.home 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT
2007 i686 i686
Alert Count:  2
First Seen:  Thu 04 Oct 2007 12:03:20 PM HST
Last Seen:  Thu 04 Oct 2007 01:31:42 PM HST
Local ID:  5410a2a6-eca2-425e-bbcd-4f990fd4365d
Line Numbers:  
Raw Audit Messages :
avc: denied { read } for comm="alsactl" dev=dm-0 egid=0 euid=0
exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="asound.state"
pid=4780 scontext=system_u:system_r:alsa_t:s0 sgid=0
subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0 

Comment 2 Daniel Walsh 2007-10-09 20:22:59 UTC
fixed in selinux-policy-2.6.4-48.fc7.src.rpm


Comment 3 Penelope Fudd 2007-10-11 23:27:32 UTC
I was unable to get selinux-policy-2.6.4-48.fc7.src.rpm to install; it required
policycoreutils-newrole.

Instead, I created alsactl.te, containing the following:
---
module alsactl 1.0;

require {
        type alsa_t;
        type etc_runtime_t;
        class file { read write getattr };
}

#============= alsa_t ==============
allow alsa_t etc_runtime_t:file { read write getattr };
---
The commands required were:
  checkmodule -M -m -o alsactl.mod alsactl.te
  semodule_package -o alsactl.pp -m alsactl.mod
  semodule -i alsactl.pp

This eliminated the AVC error every time I opened my laptop (from suspend or
hibernate).

Comment 4 Daniel Walsh 2007-10-12 13:28:48 UTC
Sorry, I should have said selinux-policy-2.6.4-48.fc7

You don't need the src.rpm

Comment 5 Matthew Saltzman 2007-10-14 23:06:50 UTC
selinux-policy-targeted-2.6.4-48.fc7 seems to have fixed the original AVC, but
now when I shut down, I'm seeing:

kernel: audit(1192391350.060:13): avc:  denied  { read } for  pid=1301
comm="salsa" name="asound.state" dev=dm-0 ino=2066393
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file


Comment 6 Daniel Walsh 2007-10-15 17:50:12 UTC
Fixed in selinux-policy-targeted-2.6.4-49.fc7

udev needs a domtrans to alsactl_t

Comment 7 Daniel Walsh 2008-01-30 19:06:33 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
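
Added example (not part of the original comments, and not code from the selinux-policy project): a small Python parser that reduces the three AVC records quoted in this bug to the type-enforcement rule each denial corresponds to, which is the mapping behind a local module like the one in Comment 3. The function names are hypothetical and the sample records are the ones above with line breaks joined and some fields trimmed.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this bug (line breaks joined, fields trimmed).
SAMPLE_AVCS = [
    'avc: denied { write } for comm="alsactl" name="asound.state" pid=24126 '
    'scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0',
    'avc: denied { read } for comm="alsactl" name="asound.state" pid=4780 '
    'scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0',
    'kernel: audit(1192391350.060:13): avc:  denied  { read } for  pid=1301 comm="salsa" '
    'name="asound.state" dev=dm-0 ino=2066393 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # A context is user:role:type[:level]; the type is always the third field,
        # even when the MLS level itself contains colons (s0-s0:c0.c1023).
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, frozenset(m.group(1).split())

def candidate_rules(lines):
    """Merge denials per (source, target, class) and render candidate allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules

if __name__ == '__main__':
    for rule in candidate_rules(SAMPLE_AVCS):
        print(rule)
```

The rules it prints are candidates for review, not fixes to load as-is: each denial in this bug was resolved in the policy package itself, and for the udev_t denial Comment 6 names a domain transition as what is needed.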

