Bug 393601 - pm-suspend selinux preventing setsched
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Duplicates: 410341
Reported: 2007-11-20 23:57 EST by Douglas Campbell
Modified: 2007-12-31 08:41 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-12-31 08:41:19 EST

Description Douglas Campbell 2007-11-20 23:57:30 EST
Description of problem:
Upon suspend, pm-suspend gets selinux error

Version-Release number of selected component (if applicable):


How reproducible:
This is the first time in 6-8 suspends.

Steps to Reproduce:
1.  Select system/suspend while nonprivileged user
2.  resume from suspend (in my case, by opening lid of laptop).
Actual results:
selinux troubleshooting indicates following error:
Summary
    SELinux is preventing pm-suspend (hald_t) "setsched" to <Unknown>
    (kernel_t).

Detailed Description
    SELinux denied access requested by pm-suspend. It is not expected that this
    access is required by pm-suspend and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:hald_t
Target Context                system_u:system_r:kernel_t
Target Objects                None [ process ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.6.4-49.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     ferret
Platform                      Linux ferret 2.6.23.1-21.fc7 #1 SMP Thu Nov 1
                              20:28:15 EDT 2007 x86_64 x86_64
Alert Count                   11
First Seen                    Sun 04 Nov 2007 09:18:55 PM EST
Last Seen                     Mon 19 Nov 2007 10:44:57 PM EST
Local ID                      a47ef03b-b7b5-4943-b2f7-5364b4491dee
Line Numbers                  

Raw Audit Messages            

avc: denied { setsched } for comm="pm-suspend" egid=0 euid=0 exe="/bin/bash"
exit=3 fsgid=0 fsuid=0 gid=0 items=0 pid=4468
scontext=system_u:system_r:hald_t:s0 sgid=0 subj=system_u:system_r:hald_t:s0
suid=0 tclass=process tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0




Expected results:
normal resumption without above error

Additional info:
Comment 1 Penelope Fudd 2007-11-21 21:25:56 EST
I just started getting these errors after pup updates today.  One of these rpms
triggered the problem:

openldap-2.3.34-4.fc7.i386.rpm
tetex-fonts-3.0-40.3.fc7.i386.rpm
sip-4.7.1-2.fc7.i386.rpm
cups-libs-1.2.12-8.fc7.i386.rpm
net-snmp-libs-5.4-16.fc7.i386.rpm
kdenetwork-3.5.8-9.fc7.i386.rpm
tetex-dvips-3.0-40.3.fc7.i386.rpm
tetex-3.0-40.3.fc7.i386.rpm
PyQt-3.17.3-3.fc7.i386.rpm
kdegames-3.5.8-4.fc7.i386.rpm
kpowersave-0.7.3-1.fc7.i386.rpm
net-snmp-5.4-16.fc7.i386.rpm
cups-1.2.12-8.fc7.i386.rpm
openldap-clients-2.3.34-4.fc7.i386.rpm
sdparm-1.02-1.fc7.i386.rpm
kvm-36-7.fc7.i386.rpm
sip-devel-4.7.1-2.fc7.i386.rpm
tetex-latex-3.0-40.3.fc7.i386.rpm
kdenetwork-devel-3.5.8-9.fc7.i386.rpm
openldap-devel-2.3.34-4.fc7.i386.rpm
PyQt-devel-3.17.3-3.fc7.i386.rpm
Comment 2 Penelope Fudd 2007-12-13 21:49:30 EST
The alert is happening every time I suspend my laptop.  Does this mean that the
CPU is not going into low-power mode?
Comment 3 Till Maas 2007-12-30 14:44:29 EST
*** Bug 410341 has been marked as a duplicate of this bug. ***
Comment 4 Till Maas 2007-12-30 14:47:28 EST
The selinux masters need to take a look at this, therefore I reassign it to
selinux-policy.
Comment 5 Daniel Walsh 2007-12-31 08:41:19 EST
fixed in selinux-policy-2.6.4-65
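
The "Allowing Access" text in the description points at a local policy module; what such a module contains follows directly from the raw audit message. The Python below is an added example, not part of the original bug thread or of selinux-policy: it parses the AVC record quoted in the description and renders the single type-enforcement rule it corresponds to. The function names and the module name local_pmsuspend are assumptions made for illustration.

```python
import re

# Raw audit message copied from the description above (line breaks joined).
AVC = ('avc: denied { setsched } for comm="pm-suspend" egid=0 euid=0 '
       'exe="/bin/bash" exit=3 fsgid=0 fsuid=0 gid=0 items=0 pid=4468 '
       'scontext=system_u:system_r:hald_t:s0 sgid=0 '
       'subj=system_u:system_r:hald_t:s0 suid=0 tclass=process '
       'tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0')


def parse_avc(line):
    """Split an AVC record into its permission set and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}', line)
    if not m:
        raise ValueError('not an AVC record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    fields = {k: v.strip('"') for k, v in fields.items()}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError('AVC record lacks ' + key)
    return {'result': m.group(1), 'perms': m.group(2).split(), **fields}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: ' + context)
    return parts[2]


def te_module(avc, name='local_pmsuspend'):  # module name is hypothetical
    """Render the minimal type-enforcement module covering one denial."""
    src, tgt = selinux_type(avc['scontext']), selinux_type(avc['tcontext'])
    perms = ' '.join(sorted(avc['perms']))
    types = ''.join(f'\ttype {t};\n' for t in sorted({src, tgt}))
    return (f'module {name} 1.0;\n\nrequire {{\n{types}'
            f'\tclass {avc["tclass"]} {{ {perms} }};\n}}\n\n'
            f'allow {src} {tgt}:{avc["tclass"]} {{ {perms} }};\n')


if __name__ == '__main__':
    print(te_module(parse_avc(AVC)))
```

The rendered rule lets hald_t change scheduling parameters of kernel_t processes, so it should be reviewed before loading; Comment 5 records the packaged fix in selinux-policy-2.6.4-65.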
