Bug 495340 - probably (mostly) DeviceKit-related SELinux issues (staff_u and non-staff_u)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-04-12 03:40 EDT by Matěj Cepl
Modified: 2009-04-13 10:07 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-13 10:07:46 EDT

Attachments:
/var/log/audit/audit.log (1.27 MB, text/plain), 2009-04-12 03:40 EDT, Matěj Cepl

Description Matěj Cepl 2009-04-12 03:40:07 EDT
Created attachment 339218: /var/log/audit/audit.log

Description of problem:

I was getting a long list of AVC denials related to devkit-disks. After some investigation I came up with this:

[root@viklef SELinux]# grep -i 'device\|devkit' </var/log/audit/audit.log|grep denied|wc -l
131
[root@viklef SELinux]# grep -i 'device\|devkit' </var/log/audit/audit.log|grep denied|audit2allow


#============= NetworkManager_t ==============
allow NetworkManager_t device_t:file read;

#============= devicekit_disk_t ==============
allow devicekit_disk_t self:capability sys_rawio;
allow devicekit_disk_t udev_tbl_t:file { read getattr open };

#============= devicekit_power_t ==============
allow devicekit_power_t boot_t:dir { search getattr };
allow devicekit_power_t boot_t:file { read getattr open };
allow devicekit_power_t proc_net_t:file { read getattr open };

#============= devicekit_t ==============
allow devicekit_t staff_t:dbus send_msg;

#============= setroubleshootd_t ==============
allow setroubleshootd_t device_t:file write;

#============= staff_t ==============
allow staff_t devicekit_disk_t:dbus send_msg;
allow staff_t devicekit_t:dbus send_msg;
[root@viklef SELinux]# 

I am not sure how to untangle it into separate bugs, so I am filing it here (and the whole /var/log/audit/audit.log is attached as well).

Version-Release number of selected component (if applicable):
NetworkManager-glib-0.7.0.100-2.git20090408.fc11.x86_64
dbus-glib-0.80-2.fc11.i586
NetworkManager-0.7.0.100-2.git20090408.fc11.x86_64
DeviceKit-power-008-0.1.20090401git.fc11.x86_64
dbus-x11-1.2.12-1.fc11.x86_64
selinux-policy-3.6.12-2.fc11.noarch
dbus-libs-1.2.12-1.fc11.i586
DeviceKit-003-1.x86_64
NetworkManager-vpnc-0.7.0.99-1.fc11.x86_64
dbus-1.2.12-1.fc11.x86_64
dbus-debuginfo-1.2.12-1.fc11.x86_64
dbus-glib-debuginfo-0.80-2.fc11.x86_64
dbus-libs-1.2.12-1.fc11.x86_64
NetworkManager-gnome-0.7.0.100-2.git20090408.fc11.x86_64
selinux-policy-targeted-3.6.12-2.fc11.noarch
dbus-glib-0.80-2.fc11.x86_64
DeviceKit-disks-004-0.6.20090408git.fc11.x86_64
dbus-python-0.83.0-5.fc11.x86_64
Comment 1 Daniel Walsh 2009-04-13 08:31:41 EDT
You seem to have a file named null, that setroubleshoot and NetworkManager want to write to?

Other than that, I will add policy for the other AVCs.
Comment 2 Daniel Walsh 2009-04-13 10:07:46 EDT
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-3.fc11.noarch

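As an added example (not from the bug report or the selinux-policy project), the same triage the reporter ran above, but grouped per source domain the way audit2allow prints it, so that a mislabelled file like the "null" Comment 1 asks about can be told apart from a genuine policy gap before anything is allowed. The sample records and the function names are my own constructions.

```shell
#!/bin/sh
# Added example: triage AVC denials from an audit.log read on stdin and group
# them by (source type, target type, class) like audit2allow's output.

# Constructed sample AVC records (not taken from the attached audit.log).
SAMPLE_AVCS='type=AVC msg=audit(1239522000.101:201): avc:  denied  { read } for  pid=1234 comm="NetworkManager" name="null" dev=tmpfs ino=10 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1239522001.102:202): avc:  denied  { sys_rawio } for  pid=2345 comm="devkit-disks-da" capability=17 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=capability
type=AVC msg=audit(1239522002.103:203): avc:  denied  { read } for  pid=2345 comm="devkit-disks-da" name="b8:1" dev=tmpfs ino=11 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=AVC msg=audit(1239522002.104:204): avc:  denied  { getattr } for  pid=2345 comm="devkit-disks-da" path="/dev/.udev/db/b8:1" dev=tmpfs ino=11 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file
type=AVC msg=audit(1239522003.105:205): avc:  denied  { send_msg } for  pid=3456 comm="dbus-daemon" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus
type=SYSCALL msg=audit(1239522003.105:205): arch=c000003e syscall=2 success=no exit=-13'

# Number of denial records, as in the reporter's "grep denied | wc -l".
count_denials() { grep -c 'avc:  denied' ; }

# One line per (source type, target type, class) with the union of denied
# permissions, e.g. "devicekit_disk_t udev_tbl_t file getattr,read".
# A target equal to the source is printed as "self", like audit2allow does.
summarize_avcs() {
    grep 'avc:  denied' | awk '
    {
        s = index($0, "{"); e = index($0, "}")      # "{ read getattr }"
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (tgt == src) tgt = "self"
        n = split(substr($0, s + 1, e - s - 1), p, " ")
        for (i = 1; i <= n; i++) print src, tgt, cls, p[i]
    }' | LC_ALL=C sort -u | awk '
    {
        key = $1 " " $2 " " $3
        if (key == prev) { list = list "," $4; next }
        if (prev != "") print prev, list
        prev = key; list = $4
    }
    END { if (prev != "") print prev, list }'
}

# Denials on a regular "file" labelled device_t mean a plain file exists
# under /dev (Comment 1 suspects one named "null"): that is a labelling
# problem to fix, not a reason to generate an allow rule for the access.
device_file_denials() {
    grep 'avc:  denied' | grep 'tcontext=[^ ]*:device_t:' | grep 'tclass=file$'
}
```

Run it as `summarize_avcs </var/log/audit/audit.log` (or pipe `printf '%s\n' "$SAMPLE_AVCS"` into it to see the constructed sample); anything `device_file_denials` reports should be relabelled rather than fed to audit2allow.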