Bug 441433 - SELinux is preventing console-kit-dae (consolekit_t) "read" to ./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t)
SELinux is preventing console-kit-dae (consolekit_t) "read" to ./org.freedesk...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ConsoleKit (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: David Zeuthen
Fedora Extras Quality Assurance
SELinux
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-07 22:48 EDT by Andrew Farris
Modified: 2013-03-05 22:55 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-08 10:57:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
policy module (934 bytes, application/octet-stream)
2008-04-08 01:56 EDT, Andrew Farris
no flags Details

  None (edit)
Description Andrew Farris 2008-04-07 22:48:46 EDT
AVC occurs when attempting to Restart or Shutdown while in Gnome (user does have
correct polkit authorization) and also the same occurs from GDM.  I've restored
context on the file:

-r--rw-r--  500 87 unconfined_u:object_r:polkit_var_lib_t:s0
/var/lib/PolicyKit-public/org.freedesktop.hal.device-access.sound.override

Summary:

SELinux is preventing console-kit-dae (consolekit_t) "read" to
./org.freedesktop.hal.device-access.sound.override (polkit_var_lib_t).

Detailed Description:

SELinux denied access requested by console-kit-dae. It is not expected that this
access is required by console-kit-dae and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
./org.freedesktop.hal.device-access.sound.override,

restorecon -v './org.freedesktop.hal.device-access.sound.override'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:polkit_var_lib_t:s0
Target Objects                ./org.freedesktop.hal.device-access.sound.override
                              [ file ]
Source                        console-kit-dae
Source Path                   /usr/sbin/console-kit-daemon
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           ConsoleKit-0.2.10-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.200.rc8.git3.fc9.i686
                              #1 SMP Sat Apr 5 00:00:10 EDT 2008 i686 i686
Alert Count                   37
First Seen                    Wed 02 Apr 2008 12:00:41 AM PDT
Last Seen                     Mon 07 Apr 2008 07:22:12 PM PDT
Local ID                      bade6013-09c9-4ca8-afba-3632172a3fc9
Line Numbers                  

Raw Audit Messages            

host=cirithungol type=AVC msg=audit(1207621332.645:285): avc:  denied  { read }
for  pid=2503 comm="console-kit-dae"
name="org.freedesktop.hal.device-access.sound.override" dev=dm-0 ino=727047
scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:polkit_var_lib_t:s0 tclass=file

host=cirithungol type=SYSCALL msg=audit(1207621332.645:285): arch=40000003
syscall=5 success=no exit=-13 a0=8aaea00 a1=8000 a2=0 a3=8000 items=0 ppid=1
pid=2503 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="console-kit-dae"
exe="/usr/sbin/console-kit-daemon"
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
Comment 1 Andrew Farris 2008-04-08 01:56:25 EDT
Created attachment 301602 [details]
policy module

audit2allow creates this module which works to let me initiate reboot from
gnome menu.

module consolekitrestartfix 1.0;

require {
	type polkit_var_lib_t;
	type consolekit_t;
	class file read;
}

#============= consolekit_t ==============
allow consolekit_t polkit_var_lib_t:file read;
Comment 2 Daniel Walsh 2008-04-08 10:57:53 EDT
This should be in the policy.  If you have multiple policy files in
/etc/selinux/targeted/policy/

Please remove all but the largest number.

I think this is the bug.
Comment 3 Andrew Farris 2008-04-08 18:58:24 EDT
Thanks Dan you were right, there was a left over policy.22 and policy.23.

Note You need to log in before you can comment on or make changes to this bug.