Bug 518888 - SELinux is preventing hald (hald_t) "getattr" access to device /dev/mtdblock0.
Summary: SELinux is preventing hald (hald_t) "getattr" access to device /dev/mtdblock0.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-23 22:19 UTC by Michael S.
Modified: 2009-08-28 21:56 UTC (History)
3 users (show)

Fixed In Version: 3.6.12-80.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-28 21:56:47 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Michael S. 2009-08-23 22:19:43 UTC 
Description of problem:

using a script that run this : 

    export loop=$(losetup -f) && \
    losetup $loop $1 && \
    modprobe block2mtd block2mtd=$loop,131072 && \
    sleep 2 && \
    modprobe jffs2 && \
    sleep 2 && \
    modprobe mtdblock && \
    sleep 2 && \
    mount -t jffs2 -o ro /dev/mtdblock0 $2 && \

to mount jffs2 file as a loopback device, i see this error in the logs :


SELinux is preventing hald (hald_t) "getattr" access to device /dev/mtdblock0.

Description détaillée:

SELinux has denied the hald (hald_t) "getattr" access to device /dev/mtdblock0.
/dev/mtdblock0 is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/mtdblock0'. If this device remains labeled device_t, then this is a bug
in SELinux policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR,
and find a type that would work for /dev/mtdblock0, you can use chcon -t
SIMILAR_TYPE '/dev/mtdblock0', If this fixes the problem, you can make this
permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/mtdblock0' If
the restorecon changes the context, this indicates that the application that
created the device, created it without using SELinux APIs. If you can figure out
which application created the device, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Autoriser l'accès:

Attempt restorecon -v '/dev/mtdblock0' or chcon -t SIMILAR_TYPE '/dev/mtdblock0'

Informations complémentaires:

Contexte source               system_u:system_r:hald_t:s0
Contexte cible                system_u:object_r:device_t:s0
Objets du contexte            /dev/mtdblock0 [ blk_file ]
source                        hald
Chemin de la source           2F7573722F7362696E2F68616C64202864656C6574656429
Port                          <Inconnu>
Hôte                         akroma.ephaone.org
Paquetages RPM source         
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.12-72.fc11
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 device
Nom de l'hôte                akroma.ephaone.org
Plateforme                    Linux akroma.ephaone.org
                              2.6.29.6-213.fc11.i686.PAE #1 SMP Tue Jul 7
                              20:59:29 EDT 2009 i686 i686
Compteur d'alertes            11
Première alerte              sam. 22 août 2009 17:59:35 CEST
Dernière alerte              sam. 22 août 2009 19:53:16 CEST
ID local                      2c12a637-b625-401f-8c15-28f5334356c0
Numéros des lignes           

Messages d'audit bruts        

node=akroma.ephaone.org type=AVC msg=audit(1250963596.144:29391): avc:  denied  { getattr } for  pid=1572 comm="hald" path="/dev/mtdblock0" dev=tmpfs ino=1044226 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=akroma.ephaone.org type=SYSCALL msg=audit(1250963596.144:29391): arch=40000003 syscall=195 success=no exit=-13 a0=bfe88b2c a1=bfe88aac a2=366ff4 a3=bfe88aac items=0 ppid=1 pid=1572 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe=2F7573722F7362696E2F68616C64202864656C6574656429 subj=system_u:system_r:hald_t:s0 key=(null)


As I assume that the device is created using the kernel, i guess that's a kernel bug ?
Comment 1 Daniel Walsh 2009-08-24 14:02:38 UTC 
SELinux does not know what a /dev/mtdblock0 is?

Do you ?  Do you know what device it is similar to?
Comment 2 Daniel Walsh 2009-08-24 14:08:31 UTC 
Seems to be similar to a /dev/flash*

So I think we should label

/dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
Comment 3 Miroslav Grepl 2009-08-24 15:38:03 UTC 
Fixed in selinux-policy-3.6.12-80.fc11
Comment 4 Fedora Update System 2009-08-24 15:44:39 UTC 
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
Comment 5 Fedora Update System 2009-08-25 04:26:23 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
Comment 6 Fedora Update System 2009-08-28 21:56:21 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.