Bug 485195 - many many many AVC denials ... DeviceKit SELinux policy missing
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: DeviceKit
Version: rawhide
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: David Zeuthen
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
 
Reported: 2009-02-12 04:24 EST by Matěj Cepl
Modified: 2013-03-05 22:57 EST
Doc Type: Bug Fix
Last Closed: 2009-02-12 09:27:55 EST


Attachments
ausearch -m AVC |grep devkit (268.95 KB, text/plain)
2009-02-12 04:26 EST, Matěj Cepl

Description Matěj Cepl 2009-02-12 04:24:15 EST
Description of problem:
DeviceKit generates a lot of AVC denials (see attached /var/log/audit/audit.* and output of ausearch -m AVC |grep devkit).

ausearch -m AVC |grep devkit|audit2allow generates quite a persuasive list:

[root@hubmaier ~]# ausearch -m AVC |grep devkit |audit2allow


#============= devicekit_power_t ==============
allow devicekit_power_t NetworkManager_t:dir search;
allow devicekit_power_t NetworkManager_t:file { read getattr open };
allow devicekit_power_t audisp_t:dir search;
allow devicekit_power_t audisp_t:file { read getattr open };
allow devicekit_power_t auditd_t:dir search;
allow devicekit_power_t auditd_t:file { read getattr open };
allow devicekit_power_t automount_t:dir search;
allow devicekit_power_t automount_t:file { read getattr open };
allow devicekit_power_t avahi_t:dir search;
allow devicekit_power_t avahi_t:file { read getattr open };
allow devicekit_power_t bitlbee_t:dir search;
allow devicekit_power_t bitlbee_t:file { read getattr open };
allow devicekit_power_t consolekit_t:dir search;
allow devicekit_power_t consolekit_t:file { read getattr open };
allow devicekit_power_t crond_t:dir search;
allow devicekit_power_t crond_t:file { read getattr open };
allow devicekit_power_t cupsd_t:dir search;
allow devicekit_power_t cupsd_t:file { read getattr open };
allow devicekit_power_t devicekit_t:dir search;
allow devicekit_power_t devicekit_t:file { read getattr open };
allow devicekit_power_t dovecot_auth_t:dir search;
allow devicekit_power_t dovecot_auth_t:file { read getattr open };
allow devicekit_power_t dovecot_t:dir search;
allow devicekit_power_t dovecot_t:file { read getattr open };
allow devicekit_power_t fsdaemon_t:dir search;
allow devicekit_power_t fsdaemon_t:file { read getattr open };
allow devicekit_power_t gpm_t:dir search;
allow devicekit_power_t gpm_t:file { read getattr open };
allow devicekit_power_t hald_acl_t:dir search;
allow devicekit_power_t hald_acl_t:file { read getattr open };
allow devicekit_power_t hald_t:dir search;
allow devicekit_power_t hald_t:file { read getattr open };
allow devicekit_power_t inetd_child_t:dir search;
allow devicekit_power_t inetd_child_t:file { read getattr open };
allow devicekit_power_t initrc_t:dir search;
allow devicekit_power_t initrc_t:file { read getattr open };
allow devicekit_power_t irqbalance_t:dir search;
allow devicekit_power_t irqbalance_t:file { read getattr open };
allow devicekit_power_t kernel_t:dir search;
allow devicekit_power_t kernel_t:file { read getattr open };
allow devicekit_power_t kerneloops_t:dir search;
allow devicekit_power_t kerneloops_t:file { read getattr open };
allow devicekit_power_t ntpd_t:dir search;
allow devicekit_power_t ntpd_t:file { read getattr open };
allow devicekit_power_t postfix_master_t:dir search;
allow devicekit_power_t postfix_master_t:file { read getattr open };
allow devicekit_power_t postfix_qmgr_t:dir search;
allow devicekit_power_t postfix_qmgr_t:file { read getattr open };
allow devicekit_power_t proc_t:file { write read getattr open };
allow devicekit_power_t rpm_t:dir search;
allow devicekit_power_t rpm_t:file { read getattr open };
allow devicekit_power_t setroubleshootd_t:dir search;
allow devicekit_power_t setroubleshootd_t:file { read getattr open };
allow devicekit_power_t soundd_t:dir search;
allow devicekit_power_t soundd_t:file { read getattr open };
allow devicekit_power_t squid_t:dir search;
allow devicekit_power_t squid_t:file { read getattr open };
allow devicekit_power_t sshd_t:dir search;
allow devicekit_power_t sshd_t:file { read getattr open };
allow devicekit_power_t syslogd_t:dir search;
allow devicekit_power_t syslogd_t:file { read getattr open };
allow devicekit_power_t system_dbusd_t:dir search;
allow devicekit_power_t system_dbusd_t:file { read getattr open };
allow devicekit_power_t unconfined_dbusd_t:dir search;
allow devicekit_power_t unconfined_dbusd_t:file { read getattr open };
allow devicekit_power_t virtd_t:dir search;
allow devicekit_power_t virtd_t:file { read getattr open };
allow devicekit_power_t xdm_dbusd_t:dir search;
allow devicekit_power_t xdm_dbusd_t:file { read getattr open };
allow devicekit_power_t xdm_t:dir search;
allow devicekit_power_t xdm_t:file { read getattr open };
allow devicekit_power_t xserver_t:dir search;
allow devicekit_power_t xserver_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t udev_tbl_t:file { read getattr open };
[root@hubmaier ~]#
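
Added example, not part of the original report and not code from audit2allow or selinux-policy: a Python script for reviewing audit2allow output like the listing above before turning it into policy. It groups rules by shape so that one source domain needing identical access to many target types stands out, and lists rules granting write-like permissions separately. The function names, the WRITE_LIKE set and the min_targets threshold are assumptions made for illustration; SAMPLE is a constructed subset of the output quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow output quoted in the report.
SAMPLE = """\
#============= devicekit_power_t ==============
allow devicekit_power_t NetworkManager_t:dir search;
allow devicekit_power_t NetworkManager_t:file { read getattr open };
allow devicekit_power_t auditd_t:dir search;
allow devicekit_power_t auditd_t:file { read getattr open };
allow devicekit_power_t proc_t:file { write read getattr open };
allow devicekit_power_t sshd_t:dir search;
allow devicekit_power_t sshd_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t udev_tbl_t:file { read getattr open };
"""

# allow SOURCE TARGET:CLASS PERM;   or   allow SOURCE TARGET:CLASS { PERM ... };
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;\s*$")
# Assumed set of permissions that modify the target and deserve a manual look.
WRITE_LIKE = {"write", "append", "create", "unlink", "setattr", "rename"}

def parse_rules(text):
    """Yield (source, target, tclass, frozenset(perms)) for each allow rule."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            src, tgt, tclass, braced, single = m.groups()
            yield src, tgt, tclass, frozenset((braced or single).split())

def summarize(text, min_targets=3):
    """Return (repeated rule shapes, rules carrying write-like permissions)."""
    shapes = defaultdict(set)
    writes = []
    for src, tgt, tclass, perms in parse_rules(text):
        shapes[(src, tclass, perms)].add(tgt)
        if perms & WRITE_LIKE:
            writes.append((src, tgt, tclass, sorted(perms & WRITE_LIKE)))
    # A shape repeated over many target types is usually better expressed as
    # one rule against a type attribute than as a per-type list.
    repeated = {k: sorted(v) for k, v in shapes.items() if len(v) >= min_targets}
    return repeated, writes

if __name__ == "__main__":
    repeated, writes = summarize(SAMPLE)
    for (src, tclass, perms), targets in repeated.items():
        print(f"{src}: {tclass} {{ {' '.join(sorted(perms))} }} on {len(targets)} types")
    for src, tgt, tclass, perms in writes:
        print(f"review: {src} -> {tgt}:{tclass} grants {perms}")
```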
Comment 2 Matěj Cepl 2009-02-12 04:26:13 EST
Created attachment 331669
ausearch -m AVC |grep devkit
Comment 3 Daniel Walsh 2009-02-12 09:27:55 EST
Fixed in selinux-policy-3.6.5-3.fc11
