Summary:

SELinux is preventing fprintd (fprintd_t) "write" access to device /dev/null.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the fprintd (fprintd_t) "write" access to device /dev/null. /dev/null is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label.

You can attempt to change the label of the file using restorecon -v '/dev/null'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package.

If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/null, you can use chcon -t SIMILAR_TYPE '/dev/null', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/null'

If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Allowing Access:

Attempt restorecon -v '/dev/null' or chcon -t SIMILAR_TYPE '/dev/null'

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/null [ chr_file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fprintd-0.1-15.git04fd09cfa.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-0.14.rc0.git18.fc13.x86_64 #1 SMP Mon Sep 28 19:34:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 11 Oct 2009 02:12:38 BST
Last Seen                     Sun 11 Oct 2009 02:12:38 BST
Local ID                      62011d54-d0c5-4201-be3b-c80d14a70f82
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1255223558.2:1988): avc: denied { write } for pid=5967 comm="fprintd" path="/dev/null" dev=tmpfs ino=10433 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1255223558.2:1988): arch=c000003e syscall=1 success=yes exit=36 a0=2 a1=228e170 a2=24 a3=1 items=0 ppid=1 pid=5967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from selinux-policy-3.6.12-82.fc11,device,fprintd,fprintd_t,device_t,chr_file,write

audit2allow suggests:

#============= fprintd_t ==============
allow fprintd_t device_t:chr_file write;

For some reason your /dev/null is mislabeled? udev should have created this with the correct label. Any idea what is going on?
$ ls -lZ /dev/null
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/null

Should be null_device_t. This would be a bug in udev.

matchpathcon /dev/null

udev-145-10.fc12.x86_64

This was an upgrade from F-11.

Well I have no idea why it would break. Could you make sure you have the latest selinux policy and it installed properly?

yum reinstall selinux-policy-targeted

You could try a touch /.autorelabel; reboot also. But udev should be creating the devices with labels that matchpathcon returns.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
ping?
I think you can close this.
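
The check the report's "device" plugin describes (a character or block device whose target context carries the generic device_t type) can be run over raw audit lines. The following is an added example, not part of the original bug report or of setroubleshoot; the function names are hypothetical, and all sample lines except the first are constructed.

```python
import re

DEVICE_CLASSES = {"chr_file", "blk_file"}  # object classes that are device nodes
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First line is the AVC record from the report; the other three are constructed.
SAMPLE = [
    'type=AVC msg=audit(1255223558.2:1988): avc: denied { write } for pid=5967 '
    'comm="fprintd" path="/dev/null" dev=tmpfs ino=10433 '
    'scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1255223600.1:1990): avc: denied { read } for pid=6001 '
    'comm="exampled" path="/dev/null" dev=tmpfs ino=10433 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1255223601.4:1991): avc: denied { search } for pid=6002 '
    'comm="exampled" name="/" dev=tmpfs ino=1 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1255223558.2:1988): arch=c000003e syscall=1 success=yes',
]

def parse_avc(line):
    """Return the key=value fields of an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """The type is the third field of user:role:type:level."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def mislabeled_devices(lines):
    """Map device path -> source domains for denials on device_t device nodes."""
    found = {}
    for rec in filter(None, map(parse_avc, lines)):
        if (rec.get("tclass") in DEVICE_CLASSES
                and context_type(rec.get("tcontext", "")) == "device_t"):
            found.setdefault(rec.get("path", "?"), set()).add(
                context_type(rec.get("scontext", "")))
    return {path: sorted(domains) for path, domains in found.items()}

if __name__ == "__main__":
    for path, domains in mislabeled_devices(SAMPLE).items():
        print(f"{path}: labeled device_t, hit by {domains}; try restorecon -v '{path}'")
```

The /dev directory itself is legitimately device_t, so the tclass=dir record is not flagged; only device nodes that inherited the directory's default label are.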