Bug 495300 - preventing devkit-disks-he (devicekit_disk_t) "read" udev_tbl_t
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2009-04-11 08:26 EDT by Tomasz Torcz
Modified: 2009-04-13 14:03 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-13 10:08:10 EDT
Description Tomasz Torcz 2009-04-11 08:26:51 EDT
SELinux is preventing devkit-disks-he (devicekit_disk_t) "read" udev_tbl_t.

Additional Information:

Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
Target Context                system_u:object_r:udev_tbl_t:s0
Target Objects                \x2fdevices\x2fpci0000:00\x2f0000:00:1f.2\x2fhost0
                              \x2ftarget0:0:0\x2f0:0:0:0\x2fblock\x2fsda [ file
Source                        devkit-disks-he
Source Path                   /usr/libexec/devkit-disks-helper-ata-smart-collect
Source RPM Packages           DeviceKit-disks-004-0.6.20090408git.fc11
Policy RPM                    selinux-policy-3.6.12-2.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Alert Count                   10
First Seen                    Fri Apr 10 18:09:17 2009
Last Seen                     Sat Apr 11 14:00:16 2009

Raw Audit Messages            

node=sandworm.fordon.pl.eu.org type=AVC msg=audit(1239451216.104:49161): avc:  denied  { read } for  pid=9423 comm="devkit-disks-he" name="\x2fdevices\x2fpci0000:00\x2f0000:00:1f.2\x2fhost0\x2ftarget0:0:0\x2f0:0:0:0\x2fblock\x2fsda" dev=tmpfs ino=8096 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file

node=sandworm.fordon.pl.eu.org type=SYSCALL msg=audit(1239451216.104:49161): arch=c000003e syscall=2 success=yes exit=4 a0=7fff367c6a40 a1=0 a2=1b6 a3=238 items=0 ppid=4789 pid=9423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="devkit-disks-he" exe="/usr/libexec/devkit-disks-helper-ata-smart-collect" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-04-13 10:08:10 EDT
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-3.fc11.noarch

Comment 2 Tomasz Torcz 2009-04-13 11:04:54 EDT
Thanks Daniel. I know how to locally change my policy, but shouldn't stock Fedora install not generate any denials?

Comment 3 Daniel Walsh 2009-04-13 14:03:00 EDT
Yes, that is why I have put a fix out for this.  

devicekit_disk_t is a permissive domain right now, so nothing is actually getting denied.  If you want to stop the message you could install custom policy.

Best to just grab the latest policy package.
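
Added example, not part of the bug thread or of any Fedora tooling: a small triage script that pairs the AVC record from the description with its SYSCALL record by audit event id, decodes the `\x2f`-escaped object name, and reports whether the denial was actually enforced. The function names are hypothetical, and the sample is the report's own two records with the `node=` prefix dropped and the SYSCALL fields trimmed.

```python
import re

# Records copied from the bug description (node= prefix dropped, SYSCALL fields trimmed).
SAMPLE = r'''type=AVC msg=audit(1239451216.104:49161): avc:  denied  { read } for  pid=9423 comm="devkit-disks-he" name="\x2fdevices\x2fpci0000:00\x2f0000:00:1f.2\x2fhost0\x2ftarget0:0:0\x2f0:0:0:0\x2fblock\x2fsda" dev=tmpfs ino=8096 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=SYSCALL msg=audit(1239451216.104:49161): arch=c000003e syscall=2 success=yes exit=4 ppid=4789 pid=9423 comm="devkit-disks-he" exe="/usr/libexec/devkit-disks-helper-ata-smart-collect" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023'''

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def unescape(value):
    """Turn the \\xNN escapes seen in name= (\\x2f is '/') back into characters."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def triage(log_text):
    """Group records by audit event id and summarise each AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if m.group(1) == 'AVC':
            fields['perms'] = PERMS.search(line).group(1).split()
        events.setdefault(m.group(2), {})[m.group(1)] = fields
    results = []
    for event_id, recs in events.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc:
            continue
        results.append({
            'event': event_id,
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'object': unescape(avc.get('name', '')),
            'exe': sc.get('exe'),
            # A logged denial whose syscall still succeeded was not enforced.
            'enforced': sc.get('success') != 'yes' if sc else None,
        })
    return results

if __name__ == '__main__':
    for r in triage(SAMPLE):
        print(r)
```

For this event, `enforced` comes out `False`: the AVC says `denied` but the paired `open` returned `success=yes`, which matches the statement in Comment 3 that `devicekit_disk_t` is a permissive domain.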
