516824 – kde: suspend to ram fails, selinux denial

Bug 516824 - kde: suspend to ram fails, selinux denial

Summary: kde: suspend to ram fails, selinux denial

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	11
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	516908 (view as bug list)
Depends On:
Blocks:	kde-4.3.0
TreeView+	depends on / blocked

Reported:	2009-08-11 15:45 UTC by Rex Dieter
Modified:	2009-08-24 10:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-08-24 10:06:50 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)

Description Rex Dieter 2009-08-11 15:45:47 UTC

Testing kde-4.3.0, and suspend actions fail, simplest test case:
$ solid-powermanagement suspend to_ram

with selinux denial:


Summary:

SELinux is preventing 56dhclient (hald_t) "read" net_conf_t.

Detailed Description:

SELinux denied access requested by 56dhclient. It is not expected that this
access is required by 56dhclient and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                /etc/sysconfig/network-scripts [ dir ]
Source                        56dhclient
Source Path                   /bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bash-4.0-7.fc11
Target RPM Packages           initscripts-8.95-1
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.29.6-217.2.3.fc11.x86_64 #1 SMP Wed Jul 29
                              16:02:42 EDT 2009 x86_64 x86_64
Alert Count                   26
First Seen                    Sat 08 Aug 2009 11:56:30 PM CDT
Last Seen                     Tue 11 Aug 2009 10:41:14 AM CDT
Local ID                      bc93ee43-6db1-4964-a0cb-f584fbae16e3
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1250005274.832:16): avc:  denied  { read } for  pid=2669 comm="56dhclient" name="network-scripts" dev=dm-0 ino=42 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1250005274.832:16): arch=c000003e syscall=2 success=no exit=524509144 a0=1b7f540 a1=90800 a2=0 a3=7fff3c332ca0 items=0 ppid=2615 pid=2669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="56dhclient" exe="/bin/bash" subj=system_u:system_r:hald_t:s0 key=(null)

Comment 1 Kevin Kofler 2009-08-11 22:02:19 UTC

*** Bug 516908 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2009-08-11 22:51:57 UTC

Miroslav,

add

	allow $1 net_conf_t:dir list_dir_perms;

to sysnet_read_config

Comment 3 Miroslav Grepl 2009-08-13 15:57:32 UTC

Fixed in selinux-policy-3.6.12-76.fc11

Comment 4 Rex Dieter 2009-08-13 16:59:46 UTC

confirmed mm, mm good.

Can I assume a bodhi update is in the works? :)

Comment 5 Kevin Kofler 2009-08-18 14:33:34 UTC

selinux-policy-3.6.12-78.fc11 is now in updates-testing.

BTW, does anybody know whether F10 is affected by this issue?

Comment 6 Christian Groove 2009-08-18 15:20:05 UTC

I received an update and hibernate and suspend does work again.
Merci!

Comment 7 Sebastian Vahl 2009-08-18 22:58:57 UTC

I've done an F10 test installation and it seems not to be affectet by this (treid with selinux-policy-3.5.13-68 from updates and -69 from updates-testing). I was able to suspend/resume in both test cases with enforcing enabled.

Comment 8 Kevin Kofler 2009-08-24 10:06:50 UTC

selinux-policy-3.6.12-78.fc11 got pushed to stable on August 22, F10 confirmed not affected, closing.

Note You need to log in before you can comment on or make changes to this bug.