Bug 523544 - setroubleshoot: SELinux is preventing /lib/udev/udev-acl "getattr" access on /dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00:1b.0\x2fsound\x2fcard0\x2fcontrolC0.
Summary: setroubleshoot: SELinux is preventing /lib/udev/udev-acl "getattr" access on ...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:bdfdbb44e3d...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-09-15 21:16 UTC by Mark Myatt
Modified: 2009-09-19 21:59 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-09-16 15:23:53 UTC

Attachments (Terms of Use)

Description Mark Myatt 2009-09-15 21:16:30 UTC
The following was filed automatically by setroubleshoot:


SELinux is preventing /lib/udev/udev-acl "getattr" access on

Detailed Description:

SELinux denied access requested by udev-acl.ck. It is not expected that this
access is required by udev-acl.ck and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:udev_tbl_t:s0
Target Objects                /dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00
                              :1b.0\x2fsound\x2fcard0\x2fcontrolC0 [ file ]
Source                        udev-acl.ck
Source Path                   /lib/udev/udev-acl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           udev-145-7.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.31-3.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) #1 SMP Mon
                              Aug 17 16:21:07 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Tue 15 Sep 2009 19:09:31 BST
Last Seen                     Tue 15 Sep 2009 21:59:20 BST
Local ID                      2fd51023-b134-46f1-91be-618aa773e3b4
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253048360.158:313): avc:  denied  { getattr } for  pid=26401 comm="udev-acl.ck" path="/dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00:1b.0\x2fsound\x2fcard0\x2fcontrolC0" dev=tmpfs ino=7237 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1253048360.158:313): arch=40000003 syscall=196 success=no exit=-13 a0=bf9d3ebc a1=bf9d2a58 a2=792ff4 a3=9b7a60c items=0 ppid=1419 pid=26401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl.ck" exe="/lib/udev/udev-acl" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)

audit2allow suggests:

#============= consolekit_t ==============
allow consolekit_t udev_tbl_t:file getattr;

Comment 1 Mark Myatt 2009-09-15 21:20:28 UTC
Bug occurs some 3 hours after simply downloading and installing numerous updates - over 2,800 - relating to FC12.i686.

Comment 2 Daniel Walsh 2009-09-15 21:34:03 UTC
How is /lib/udev/udev-acl labeled?

ls -lZ /lib/udev/udev-acl 
-rwxr-xr-x. root root system_u:object_r:udev_exec_t:s0 /lib/udev/udev-acl

Consolekit is supposed to transition to udev_t which would allow this if the udev-acl has the right label on it

Comment 3 Mark Myatt 2009-09-16 13:03:54 UTC
Following comment #1 the downloading of fc12.i686 has been a disaster. White screen of death appeared. As a result I have re-installed fc.11 and all works well. The bug referred to does not now appear or apply.

Comment 4 Daniel Walsh 2009-09-16 15:23:53 UTC
Mark if you update to Rawhide(F12), you have to be prepared for disasters.  :^(

Comment 5 Mark Myatt 2009-09-18 19:27:49 UTC
Thanks DW - as a newbie I am not quite sure what you are getting at.  Is it because you favour Red Hat as opposed to Fedora or simply because FC12 is Alpha?

Comment 6 Daniel Walsh 2009-09-18 21:24:50 UTC
No I run rawhide everyday.  Rawhide is a half cooked OS.  So if you grab an OS during the development stage, you got to expect problems.  After all we update it every day.

I like all os's.

RHEL is great for the enterprise.  F10/F11 are great for most users.  Rawhide is for the crazies.  :^)

Comment 7 Mark Myatt 2009-09-19 21:59:13 UTC
Many thanks for comment 6. When I had an "invitation" to upgrade I rather assumed it was fully cooked, as you put it.      I shall wait a long time before I put my toe in that particular water.

Note You need to log in before you can comment on or make changes to this bug.