Bug 461645 - Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
Blocks: 439256
Reported: 2008-09-09 13:45 EDT by Matthew Garrett
Modified: 2013-01-10 02:47 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:30:45 EST

Attachments
AVC report (2.74 KB, text/plain)
2008-09-09 13:45 EDT, Matthew Garrett

Description Matthew Garrett 2008-09-09 13:45:59 EDT
Created attachment 316222
AVC report

SELinux prevents vbetool from being run against /var/run/video.rom on resume. This is opened and mmapped read/write/execute, so it needs the same rules as in Fedora.
Comment 1 Daniel Walsh 2008-09-10 14:28:22 EDT
Have you tried this with u3 policy?

You can grab preview copy at http://people.redhat.com/dwalsh/SELinux/RHEL5

BTW Who created this file?
Comment 2 Matthew Garrett 2008-09-10 14:49:40 EDT
Ah, yes, it seems fine with the u3 policy. The file is created by Xorg if using the nv driver in u3 on a system with a g80 or later graphics card.
Comment 3 Matthew Garrett 2008-09-10 14:52:07 EDT
Wait, sorry about that - dmesg reveals that an avc was raised, but for some reason I didn't get the notification icon. selinux-policy-2.4.6-151.el5 installed.
Comment 4 Daniel Walsh 2008-09-10 16:13:40 EDT
Fixed in selinux-policy-2.4.6-154.el5
Comment 5 Daniel Walsh 2008-09-10 16:14:07 EDT
Fixed in selinux-policy-2.4.6-154.el5
Comment 6 RHEL Product and Program Management 2008-09-10 16:17:21 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 8 Matthew Garrett 2008-09-12 10:37:27 EDT
Confirmed to be fixed in .154
Comment 11 Matthew Garrett 2008-11-04 12:57:26 EST
Appears to be failing again - I'm getting permission denied errors when pm-utils attempts to run vbetool /var/run/video.rom in the hald_t context. Running directly as root works fine, as does running with enforcing disabled. However, I'm not seeing any audit errors.
Comment 12 Matthew Garrett 2008-11-04 13:36:11 EST
/var/run/video.rom is:

-rwx------  root root system_u:object_r:var_run_t:s0 /var/run/video.rom

From audit.log:

type=AVC msg=audit(1225821343.010:38): avc:  denied  { read write } for  pid=6035 comm="vbetool" name="video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.010:38): arch=40000003 syscall=5 success=yes exit=3 a0=bfd4238b a1=2 a2=bfd40de8 a3=bfd4238b items=0 ppid=6031 pid=6035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0 key=(null)
type=AVC msg=audit(1225821343.011:39): avc:  denied  { execute } for  pid=6035 comm="vbetool" path="/var/run/video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.011:39): arch=40000003 syscall=192 success=yes exit=786432 a0=c0000 a1=10000 a2=7 a3=12 items=0 ppid=6031 pid=6035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0 key=(null)

This is with selinux-policy 2.4.6-170
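The audit records quoted in the comment above carry everything needed to see what the policy is refusing: the source domain (vbetool_t), the target type the file currently wears (var_run_t), the object class, the permissions, and, from the paired SYSCALL record, which call triggered it (on i386, arch=40000003, syscall 5 is open and 192 is mmap2, with a2=7 being PROT_READ|PROT_WRITE|PROT_EXEC). The parser below is an added example, not part of this bug report or of the selinux-policy package; its log text is a constructed copy of the two record pairs from the comment, unwrapped to one record per line, and it only decodes those two i386 syscalls. It groups AVC and SYSCALL records by event serial, derives the allow rule audit2allow would propose, and flags denials whose syscall still reports success=yes, which means the kernel logged the denial but did not enforce it (permissive mode or a permissive domain).

```python
"""Parse SELinux AVC/SYSCALL audit records and derive the implied allow rule.

Added example. AUDIT_LOG is a constructed copy of the records from comment 12,
one record per line; only i386 open/mmap2 are decoded (assumption).
"""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=AVC msg=audit(1225821343.010:38): avc:  denied  { read write } for  pid=6035 comm="vbetool" name="video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.010:38): arch=40000003 syscall=5 success=yes exit=3 a0=bfd4238b a1=2 a2=bfd40de8 a3=bfd4238b items=0 ppid=6031 pid=6035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0 key=(null)
type=AVC msg=audit(1225821343.011:39): avc:  denied  { execute } for  pid=6035 comm="vbetool" path="/var/run/video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.011:39): arch=40000003 syscall=192 success=yes exit=786432 a0=c0000 a1=10000 a2=7 a3=12 items=0 ppid=6031 pid=6035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s0 key=(null)
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value tokens; values may be quoted, parenthesised like (none), or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

I386_ARCH = "40000003"                      # AUDIT_ARCH_I386
I386_SYSCALLS = {5: "open", 192: "mmap2"}   # only the numbers seen in the log
PROT_FLAGS = [(1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC")]


def parse_record(line):
    """Turn one audit line into a dict; AVC lines also get verdict and perms."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": m["ts"]}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["verdict"] = a["verdict"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec


def group_by_serial(log_text):
    """AVC and SYSCALL records of one event share the audit serial number."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def type_of(context):
    """system_u:system_r:vbetool_t:s0 -> vbetool_t"""
    return context.split(":")[2]


def decode_syscall(rec):
    """Name the syscall and, for mmap2, the requested protection bits."""
    if rec.get("arch") != I386_ARCH:
        return "arch %s not decoded" % rec.get("arch")
    nr = int(rec["syscall"])
    name = I386_SYSCALLS.get(nr, "syscall %d" % nr)
    if name == "mmap2":
        prot = int(rec["a2"], 16)           # third argument of mmap2 is prot
        flags = [n for bit, n in PROT_FLAGS if prot & bit] or ["PROT_NONE"]
        name += "(prot=%s)" % "|".join(flags)
    return name


def denials(log_text):
    """One entry per AVC denial, joined with the syscall that caused it."""
    out = []
    for serial, recs in sorted(group_by_serial(log_text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for a in recs:
            if a["type"] != "AVC" or a["verdict"] != "denied":
                continue
            out.append({
                "serial": serial,
                "comm": a.get("comm"),
                "stype": type_of(a["scontext"]),
                "ttype": type_of(a["tcontext"]),
                "tclass": a["tclass"],
                "perms": a["perms"],
                "target": a.get("path") or a.get("name"),
                "syscall": decode_syscall(sc) if sc else None,
                # success=yes next to a denial means the kernel let the call
                # through anyway: permissive mode or a permissive domain.
                "enforced": (sc["success"] == "no") if sc else None,
            })
    return out


def allow_rules(log_text):
    """Collapse denials into the allow rules audit2allow would propose."""
    merged = defaultdict(set)
    for d in denials(log_text):
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    for d in denials(AUDIT_LOG):
        print(d)
    print("\n".join(allow_rules(AUDIT_LOG)))
```

The rule this produces, allow vbetool_t var_run_t:file { execute read write }, is the blunt fix: it would let vbetool read, write and map executable every file labelled var_run_t, not just video.rom. The tcontext in the denial is the file's current label, which is exactly what restorecon rewrites, so the narrower fix when the file is simply mislabelled is to correct the label first and only then see whether any denial remains.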
Comment 13 Daniel Walsh 2008-11-04 13:48:09 EST
For some reason /var/run/video.rom has the wrong label on it.  Did xserver create this file? Or something else.

restorecon /var/run/video.rom

Will fix the context, but the question is how is it being mislabeled.
Comment 16 Daniel Walsh 2008-11-06 09:36:30 EST
Fixed in selinux-policy-2.4.6-181.el5
Comment 21 errata-xmlrpc 2009-01-20 16:30:45 EST
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.