Bug 353611 - SELinux is preventing /sbin/udevd (udev_t) "relabelfrom" to par0 (device_t).
SELinux is preventing /sbin/udevd (udev_t) "relabelfrom" to par0 (device_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Harald Hoyer
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-26 01:30 EDT by Tim McConnell
Modified: 2007-12-10 19:55 EST (History)
0 users

See Also:
Fixed In Version: 2.6.4-59.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-10 19:55:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tim McConnell 2007-10-26 01:30:15 EDT
Description of problem:
Detailed Description
    SELinux denied access requested by /sbin/udevd. It is not expected that this
    access is required by /sbin/udevd and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for par0, restorecon -v par0 If this
    does not work, there is currently no automatic way to allow this access.
    Instead,  you can generate a local policy module to allow this access 

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-46.fc7

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:
restorecon -v par0
lstat(par0) failed: No such file or directory
Expected results:
Command should work or Policy allows access to program

Additional info:
Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:object_r:device_t
Target Objects                par0 [ lnk_file ]
Affected RPM Packages         udev-115-4.20070921git.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-46.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     timmieland.private
Platform                      Linux timmieland.private 2.6.22.9-91.fc7 #1 SMP
                              Thu Sep 27 23:10:59 EDT 2007 i686 athlon
Alert Count                   2
First Seen                    Fri 12 Oct 2007 10:50:07 PM MDT
Last Seen                     Sat 13 Oct 2007 10:17:19 PM MDT
Local ID                      50eedaf9-16a0-4ee7-97b7-9eff9302f09d
Line Numbers                  

Raw Audit Messages            

avc: denied { relabelfrom } for comm="udevd" dev=tmpfs egid=0 euid=0
exe="/sbin/udevd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="par0" pid=8940
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-10-29 23:02:10 EDT
udev should not be relabing from device_t for lnk_file.
Comment 2 Tim McConnell 2007-10-30 23:28:57 EDT
(In reply to comment #1)
> udev should not be relabing from device_t for lnk_file.

Okay, and that means...? 
Comment 3 Bart Oldenhof 2007-11-02 07:29:03 EDT
I got this one, seems like the same bug to me.

Summary
SELinux is preventing /sbin/udevd (udev_t) "relabelfrom" to ramdisk (device_t).

Detailed Description
SELinux denied access requested by /sbin/udevd. It is not expected that this
access is required by /sbin/udevd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:udev_t:SystemLow-SystemHighTarget
Context:  system_u:object_r:device_tTarget Objects:  ramdisk [ lnk_file
]Affected RPM Packages:  udev-113-12.fc7 [application]Policy
RPM:  selinux-policy-2.6.4-48.fc7Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchallHost
Name:  localhost.localdomainPlatform:  Linux localhost.localdomain
2.6.22.9-91.fc7 #1 SMP Thu Sep 27 23:10:59 EDT 2007 i686 athlonAlert
Count:  1First Seen:  Wed 31 Oct 2007 08:40:34 PM CETLast Seen:  Wed 31 Oct 2007
08:40:34 PM CETLocal ID:  0f27d74a-3ec2-4f0a-963f-58e1847f6b04Line Numbers:  
Raw Audit Messages :
avc: denied { relabelfrom } for comm="udevd" dev=tmpfs egid=0 euid=0
exe="/sbin/udevd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ramdisk" pid=3462
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=lnk_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 
Comment 4 Daniel Walsh 2007-11-02 09:46:22 EDT
Fixed in selinux-policy-2.6.4-53.fc7

Note You need to log in before you can comment on or make changes to this bug.