Description of problem:

SELinux is preventing /sbin/alsactl (alsa_t) "write" to asound.state (etc_t).

The SELinux type %TARGET_TYPE, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usual indicates a mislabeled file. By default a file created in a directory has the gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write or append on (F2). But if for some reason a file (asound.state) was created with the wrong context, this domain will be denied.

The usual solution to this problem is to reset the file context on the target file, restorecon -v asound.state. If the file context does not change from etc_t, then this is probably a bug in policy. Please file a bug report against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-45.fc7

How reproducible:
Always

Steps to Reproduce:
1. Update selinux-policy-targeted to above release

Actual results:
AVCs

Expected results:
No AVCs

Additional info:

avc: denied { write } for comm="alsactl" dev=dm-0 egid=0 euid=0 exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="asound.state" pid=24126 scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_t:s0 tty=(none) uid=0

restorecon doesn't work, as /etc/asound.state context is etc_t.
I'm getting the same issue. For me, at first /etc/alsa/asound.state was etc_runtime_t (which was also denied), but restorecon changed it to etc_t.

Source Context:        system_u:system_r:alsa_t
Target Context:        system_u:object_r:etc_runtime_t
Target Objects:        asound.state [ file ]
Affected RPM Packages: alsa-utils-1.0.14-2.fc7 [application]
Policy RPM:            selinux-policy-2.6.4-45.fc7
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Enforcing
Plugin Name:           plugins.catchall_file
Host Name:             caliban.home
Platform:              Linux caliban.home 2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 i686
Alert Count:           2
First Seen:            Thu 04 Oct 2007 12:03:20 PM HST
Last Seen:             Thu 04 Oct 2007 01:31:42 PM HST
Local ID:              5410a2a6-eca2-425e-bbcd-4f990fd4365d
Line Numbers:

Raw Audit Messages :

avc: denied { read } for comm="alsactl" dev=dm-0 egid=0 euid=0 exe="/sbin/alsactl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="asound.state" pid=4780 scontext=system_u:system_r:alsa_t:s0 sgid=0 subj=system_u:system_r:alsa_t:s0 suid=0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0 tty=(none) uid=0
fixed in selinux-policy-2.6.4-48.fc7.src.rpm
I was unable to get selinux-policy-2.6.4-48.fc7.src.rpm to install; it required policycoreutils-newrole. Instead, I created alsactl.te, containing the following:

---
module alsactl 1.0;

require {
        type alsa_t;
        type etc_runtime_t;
        class file { read write getattr };
}

#============= alsa_t ==============
allow alsa_t etc_runtime_t:file { read write getattr };
---

The commands required were:

checkmodule -M -m -o alsactl.mod alsactl.te
semodule_package -o alsactl.pp -m alsactl.mod
semodule -i alsactl.pp

This eliminated the AVC error every time I opened my laptop (from suspend or hibernate).
Sorry, I should have said selinux-policy-2.6.4-48.fc7. You don't need the src.rpm.
selinux-policy-targeted-2.6.4-48.fc7 seems to have fixed the original AVC, but now when I shut down, I'm seeing:

kernel: audit(1192391350.060:13): avc: denied { read } for pid=1301 comm="salsa" name="asound.state" dev=dm-0 ino=2066393 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
Fixed in selinux-policy-targeted-2.6.4-49.fc7.
udev needs a domtrans to alsactl_t.
Bulk closing old selinux policy bugs that were in the modified state. If the bug is still not fixed, please reopen.
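
The step from a logged denial to an allow rule, as used for the local module posted in this thread, can be reproduced with a small parser. This is an added example, not part of the original comments and not the audit2allow tool; the function names and the GENERIC_TYPES list are assumptions, and the sample records are abridged from the denials quoted in this report.

```python
import re
from collections import defaultdict

# AVC records abridged from the denials quoted in this report (unused fields dropped).
SAMPLE = """\
avc: denied { write } for comm="alsactl" name="asound.state" pid=24126 scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_t:s0
avc: denied { read } for comm="alsactl" name="asound.state" pid=4780 scontext=system_u:system_r:alsa_t:s0 tclass=file tcontext=system_u:object_r:etc_runtime_t:s0
audit(1192391350.060:13): avc: denied { read } for pid=1301 comm="salsa" name="asound.state" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:alsa_etc_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: target types treated as generic labels, where a denial more
# likely points at a mislabeled file than at a missing allow rule.
GENERIC_TYPES = {"etc_t", "etc_runtime_t"}


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": set(m.group(1).split()),
        # A context is user:role:type[:level]; the type is the third field.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Merge denials per (source, target, class) into (allow rule, generic?) pairs."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return [(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};", t in GENERIC_TYPES)
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for rule, generic in summarize(SAMPLE):
        print(rule, "# generic target type: check labeling first" if generic else "")
```

A rule flagged as generic grants the domain access to every file carrying that label, so the file's labeling is worth checking before such a rule is loaded.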