Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 461645

Summary: Fails to permit hal/pm-utils to run vbetool against /var/run/video.rom on resume
Product: Red Hat Enterprise Linux 5 Reporter: Matthew Garrett <mjg>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: jfeeney, mkoci, mmalik, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 21:30:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 439256    
Attachments:
Description Flags
AVC report none

Description Matthew Garrett 2008-09-09 17:45:59 UTC 
Created attachment 316222 [details]
AVC report

SELinux prevents vbetool being run against /var/run/video.rom on resume. This is opened and mmaped read/write/execute, so needs the same rules as in Fedora.
Comment 1 Daniel Walsh 2008-09-10 18:28:22 UTC 
Have you tried this with u3 policy?

You can grab preview copy at http://people.redhat.com/dwalsh/SELinux/RHEL5

BTW Who created this file?
Comment 2 Matthew Garrett 2008-09-10 18:49:40 UTC 
Ah, yes, it seems fine with the u3 policy. The file is created by Xorg if using the nv driver in u3 on a system with a g80 or later graphics card.
Comment 3 Matthew Garrett 2008-09-10 18:52:07 UTC 
Wait, sorry about that - dmesg reveals that an avc was raised, but for some reason I didn't get the notification icon. selinux-policy-2.4.6-151.el5 installed.
Comment 4 Daniel Walsh 2008-09-10 20:13:40 UTC 
Fixed in selinux-policy-2.4.6-154.el5
Comment 5 Daniel Walsh 2008-09-10 20:14:07 UTC 
Fixed in selinux-policy-2.4.6-154.el5
Comment 6 RHEL Program Management 2008-09-10 20:17:21 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Matthew Garrett 2008-09-12 14:37:27 UTC 
Confirmed to be fixed in .154
Comment 11 Matthew Garrett 2008-11-04 17:57:26 UTC 
Appears to be failing again - I'm getting permission denied errors when pm-utils attempts to run vbetool /var/run/video.rom in the hald_t context. Running directly as root works fine, as does running with enforcing disabled. However, I'm not seeing any audit errors.
Comment 12 Matthew Garrett 2008-11-04 18:36:11 UTC 
/var/run/video.rom is:

-rwx------  root root system_u:object_r:var_run_t:s0 /var/run/video.rom

From audit.log:

type=AVC msg=audit(1225821343.010:38): avc:  denied  { read write } for  pid=603
5 comm="vbetool" name="video.rom" dev=dm-2 ino=2360071 scontext=system_u:system_
r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.010:38): arch=40000003 syscall=5 success=yes e
xit=3 a0=bfd4238b a1=2 a2=bfd40de8 a3=bfd4238b items=0 ppid=6031 pid=6035 auid=4
294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses
=4294967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetoo
l_t:s0 key=(null)
type=AVC msg=audit(1225821343.011:39): avc:  denied  { execute } for  pid=6035 c
omm="vbetool" path="/var/run/video.rom" dev=dm-2 ino=2360071 scontext=system_u:s
ystem_r:vbetool_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1225821343.011:39): arch=40000003 syscall=192 success=yes
 exit=786432 a0=c0000 a1=10000 a2=7 a3=12 items=0 ppid=6031 pid=6035 auid=429496
7295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294
967295 comm="vbetool" exe="/usr/sbin/vbetool" subj=system_u:system_r:vbetool_t:s
0 key=(null)

This is with selinux-policy 2.4.6-170
Comment 13 Daniel Walsh 2008-11-04 18:48:09 UTC 
For some reason /var/run/video.rom has the wrong label on it.  Did xserver create this file? Or something else.

restorecon /var/run/video.rom

Will fix the context, but the question is how is it being mislabeled.
Comment 16 Daniel Walsh 2008-11-06 14:36:30 UTC 
Fixed in selinux-policy-2.4.6-181.el5
Comment 21 errata-xmlrpc 2009-01-20 21:30:45 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html