491613 – SELinux is preventing devkit-power-da (devicekit_power_t) "sys_nice" devicekit_power_t.

Bug 491613 - SELinux is preventing devkit-power-da (devicekit_power_t) "sys_nice" devicekit_power_t.

Summary: SELinux is preventing devkit-power-da (devicekit_power_t) "sys_nice" deviceki...

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-23 10:47 UTC by Björn Seifert
Modified:	2009-03-23 17:05 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-03-23 17:05:35 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Björn Seifert 2009-03-23 10:47:02 UTC

Description of problem:
SELinux denied access requested by devkit-power-da. It is not expected that this access is required by devkit-power-da and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Source Context                system_u:system_r:devicekit_power_t:s0-s0:c0.c1023
Target Context                system_u:system_r:devicekit_power_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        devkit-power-da
Source Path                   /usr/libexec/devkit-power-daemon
Port                          <Unknown>
Host                          eeepc
Source RPM Packages           DeviceKit-power-006-3.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.8-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     eeepc
Platform                      Linux eeepc 2.6.29-0.258.rc8.git2.fc11.i586 #1 SMP
                              Mon Mar 16 20:53:59 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Mon 23 Mar 2009 10:40:24 AM CET
Last Seen                     Mon 23 Mar 2009 10:40:24 AM CET
Local ID                      83f0c517-3c11-4a5f-818f-366b9cce2008
Line Numbers                  

Raw Audit Messages            

node=eeepc type=AVC msg=audit(1237801224.9:23): avc:  denied  { sys_nice } for  pid=2680 comm="devkit-power-da" capability=23 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tclass=capability

node=eeepc type=SYSCALL msg=audit(1237801224.9:23): arch=40000003 syscall=3 success=yes exit=211 a0=9 a1=bff73c3c a2=1000 a3=9624b88 items=0 ppid=1 pid=2680 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-power-da" exe="/usr/libexec/devkit-power-daemon" subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-03-23 17:05:35 UTC

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Note You need to log in before you can comment on or make changes to this bug.