Description of problem:
SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t.

Version-Release number of selected component (if applicable):
Source RPM Packages udev-extras-20090516-0.5.20090601git.fc12
Policy RPM selinux-policy-3.6.15-1.fc12

How reproducible:
once

Steps to Reproduce:
1. in kde, plugged in usb dvd writer
2.
3.

Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by udev-acl. It is not expected that this access is required by udev-acl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_var_run_t:s0
Target Objects                database [ file ]
Source                        udev-acl
Source Path                   /lib/udev/udev-acl
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           udev-extras-20090516-0.5.20090601git.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755 2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 15 Jun 2009 12:04:15 PM CDT
Last Seen                     Mon 15 Jun 2009 12:04:15 PM CDT
Local ID                      0bf154eb-da06-4ec3-8645-f99883a9a386
Line Numbers

Raw Audit Messages

node=jerry-opti755 type=AVC msg=audit(1245085455.354:40446): avc: denied { read } for pid=4242 comm="udev-acl" name="database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=AVC msg=audit(1245085455.354:40446): avc: denied { open } for pid=4242 comm="udev-acl" name="database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=SYSCALL msg=audit(1245085455.354:40446): arch=c000003e syscall=2 success=yes exit=3 a0=401d70 a1=0 a2=0 a3=7fff4895fee0 items=0 ppid=4225 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl" exe="/lib/udev/udev-acl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

Summary:

SELinux is preventing udevd (udev_t) "getattr" consolekit_var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by udevd. It is not expected that this access is required by udevd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_var_run_t:s0
Target Objects                /var/run/ConsoleKit/database [ file ]
Source                        udevd
Source Path                   /sbin/udevd
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           udev-142-4.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755 2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 15 Jun 2009 12:04:15 PM CDT
Last Seen                     Mon 15 Jun 2009 12:04:15 PM CDT
Local ID                      6aec44ac-33d4-42ed-8867-f25d9d0736a6
Line Numbers

Raw Audit Messages

node=jerry-opti755 type=AVC msg=audit(1245085455.336:40445): avc: denied { getattr } for pid=4225 comm="udevd" path="/var/run/ConsoleKit/database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=SYSCALL msg=audit(1245085455.336:40445): arch=c000003e syscall=4 success=yes exit=0 a0=7fff65cd9760 a1=7fff65cd82c0 a2=7fff65cd82c0 a3=1 items=0 ppid=172 pid=4225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

Fixed in selinux-policy-3.6.16-1.fc11.noarch