Bug 461645 - Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: 439256
  Show dependency treegraph
 
Reported: 2008-09-09 13:45 EDT by Matthew Garrett
Modified: 2013-01-10 02:47 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:30:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC report (2.74 KB, text/plain)
2008-09-09 13:45 EDT, Matthew Garrett
no flags Details

  None (edit)
Description Matthew Garrett 2008-09-09 13:45:59 EDT
Created attachment 316222 [details]
AVC report

SELinux prevents vbetool being run against /var/run/video.rom on resume. This is opened and mmaped read/write/execute, so needs the same rules as in Fedora.
Comment 1 Daniel Walsh 2008-09-10 14:28:22 EDT
Have you tried this with u3 policy?

You can grab preview copy at http://people.redhat.com/dwalsh/SELinux/RHEL5

BTW Who created this file?
Comment 2 Matthew Garrett 2008-09-10 14:49:40 EDT
Ah, yes, it seems fine with the u3 policy. The file is created by Xorg if using the nv driver in u3 on a system with a g80 or later graphics card.
Comment 3 Matthew Garrett 2008-09-10 14:52:07 EDT
Wait, sorry about that - dmesg reveals that an avc was raised, but for some reason I didn't get the notification icon. selinux-policy-2.4.6-151.el5 installed.
Comment 4 Daniel Walsh 2008-09-10 16:13:40 EDT
Fixed in selinux-policy-2.4.6-154.el5
Comment 5 Daniel Walsh 2008-09-10 16:14:07 EDT
Fixed in selinux-policy-2.4.6-154.el5
Comment 6 RHEL Product and Program Management 2008-09-10 16:17:21 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Matthew Garrett 2008-09-12 10:37:27 EDT
Confirmed to be fixed in .154
Comment 11 Matthew Garrett 2008-11-04 12:57:26 EST
Appears to be failing again - I'm getting permission denied errors when pm-utils attempts to run vbetool /var/run/video.rom in the hald_t context. Running directly as root works fine, as does running with enforcing disabled. However, I'm not seeing any audit errors.
Comment 12 Matthew Garrett 2008-11-04 13:36:11 EST
/var/run/video.rom is:

-rwx------  root root system_u:object_r:var_run_t:s0 /var/run/video.rom

From audit.log:

type=AVC msg=audit(1225821343.010:38): avc:  denied  { read write } for  pid=603
5 comm="vbetool" name="video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_
r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.010:38): arch=40000003 syscall=5 success=yes e
xit=3 a0=bfd4238b a1=2 a2=bfd40de8 a3=bfd4238b items=0 ppid=6031 pid=6035 auid=4
294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses
=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetoo
l_t:s0 key=(null)
type=AVC msg=audit(1225821343.011:39): avc:  denied  { execute } for  pid=6035 c
omm="vbetool" path="/var/run/video.rom" dev=dm-2 ino=2360071 scontext=system_u:s
ystem_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.011:39): arch=40000003 syscall=192 success=yes
 exit=786432 a0=c0000 a1=10000 a2=7 a3=12 items=0 ppid=6031 pid=6035 auid=429496
7295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294
967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s
0 key=(null)

This is with selinux-policy 2.4.6-170
Comment 13 Daniel Walsh 2008-11-04 13:48:09 EST
For some reason /var/run/video.rom has the wrong label on it.  Did xserver create this file? Or something else.

restorecon /var/run/video.rom

Will fix the context, but the question is how is it being mislabeled.
Comment 16 Daniel Walsh 2008-11-06 09:36:30 EST
Fixed in selinux-policy-2.4.6-181.el5
Comment 21 errata-xmlrpc 2009-01-20 16:30:45 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

Note You need to log in before you can comment on or make changes to this bug.