Bug 506128 - SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t.
SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-15 13:08 EDT by Jerry Amundson
Modified: 2009-06-15 15:40 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-15 15:40:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jerry Amundson 2009-06-15 13:08:13 EDT
Description of problem:
SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t. 

Version-Release number of selected component (if applicable):
Source RPM Packages           udev-extras-20090516-0.5.20090601git.fc12
Policy RPM                    selinux-policy-3.6.15-1.fc12

How reproducible:
once

Steps to Reproduce:
1.in kde, plugged in usb dvd writer
2.
3.
  
Actual results:
avc

Expected results:
no avc

Additional info:

Summary:

SELinux is preventing udev-acl (udev_t) "read" consolekit_var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by udev-acl. It is not expected that this access
is required by udev-acl and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_var_run_t:s0
Target Objects                database [ file ]
Source                        udev-acl
Source Path                   /lib/udev/udev-acl
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           udev-extras-20090516-0.5.20090601git.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu
                              Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 15 Jun 2009 12:04:15 PM CDT
Last Seen                     Mon 15 Jun 2009 12:04:15 PM CDT
Local ID                      0bf154eb-da06-4ec3-8645-f99883a9a386
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1245085455.354:40446): avc:  denied  { read } for  pid=4242 comm="udev-acl" name="database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=AVC msg=audit(1245085455.354:40446): avc:  denied  { open } for  pid=4242 comm="udev-acl" name="database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=SYSCALL msg=audit(1245085455.354:40446): arch=c000003e syscall=2 success=yes exit=3 a0=401d70 a1=0 a2=0 a3=7fff4895fee0 items=0 ppid=4225 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl" exe="/lib/udev/udev-acl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
Comment 1 Jerry Amundson 2009-06-15 13:08:45 EDT
Summary:

SELinux is preventing udevd (udev_t) "getattr" consolekit_var_run_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by udevd. It is not expected that this access is
required by udevd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:object_r:consolekit_var_run_t:s0
Target Objects                /var/run/ConsoleKit/database [ file ]
Source                        udevd
Source Path                   /sbin/udevd
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           udev-142-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.15-1.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.30-0.1.2.32.rc8.xendom0.fc12.x86_64 #1 SMP Thu
                              Jun 4 17:46:39 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 15 Jun 2009 12:04:15 PM CDT
Last Seen                     Mon 15 Jun 2009 12:04:15 PM CDT
Local ID                      6aec44ac-33d4-42ed-8867-f25d9d0736a6
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1245085455.336:40445): avc:  denied  { getattr } for  pid=4225 comm="udevd" path="/var/run/ConsoleKit/database" dev=dm-1 ino=16586 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_var_run_t:s0 tclass=file

node=jerry-opti755 type=SYSCALL msg=audit(1245085455.336:40445): arch=c000003e syscall=4 success=yes exit=0 a0=7fff65cd9760 a1=7fff65cd82c0 a2=7fff65cd82c0 a3=1 items=0 ppid=172 pid=4225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
Comment 2 Daniel Walsh 2009-06-15 15:40:49 EDT
Fixed in selinux-policy-3.6.16-1.fc11.noarch

Note You need to log in before you can comment on or make changes to this bug.