Bug 529206 - SELinux is preventing fprintd (fprintd_t) "write" access to device /dev/null.
SELinux is preventing fprintd (fprintd_t) "write" access to device /dev/null.
Product: Fedora
Classification: Fedora
Component: udev (Show other bugs)
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: Harald Hoyer
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-10-15 09:37 EDT by Bastien Nocera
Modified: 2010-09-21 06:19 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-09-21 06:19:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bastien Nocera 2009-10-15 09:37:02 EDT

SELinux is preventing fprintd (fprintd_t) "write" access to device /dev/null.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the fprintd (fprintd_t) "write" access to device /dev/null.
/dev/null is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/null'. If this device remains labeled device_t, then this is a bug in
SELinux policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR,
and find a type that would work for /dev/null, you can use chcon -t SIMILAR_TYPE
'/dev/null', If this fixes the problem, you can make this permanent by executing
semanage fcontext -a -t SIMILAR_TYPE '/dev/null' If the restorecon changes the
context, this indicates that the application that created the device, created it
without using SELinux APIs. If you can figure out which application created the
device, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this application.

Allowing Access:

Attempt restorecon -v '/dev/null' or chcon -t SIMILAR_TYPE '/dev/null'

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/null [ chr_file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fprintd-0.1-15.git04fd09cfa.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32-0.14.rc0.git18.fc13.x86_64 #1 SMP Mon Sep
                              28 19:34:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 11 Oct 2009 02:12:38 BST
Last Seen                     Sun 11 Oct 2009 02:12:38 BST
Local ID                      62011d54-d0c5-4201-be3b-c80d14a70f82
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1255223558.2:1988): avc:  denied  { write } for  pid=5967 comm="fprintd" path="/dev/null" dev=tmpfs ino=10433 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1255223558.2:1988): arch=c000003e syscall=1 success=yes exit=36 a0=2 a1=228e170 a2=24 a3=1 items=0 ppid=1 pid=5967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  selinux-policy-3.6.12-82.fc11,device,fprintd,fprintd_t,device_t,chr_file,write
audit2allow suggests:

#============= fprintd_t ==============
allow fprintd_t device_t:chr_file write;
Comment 1 Daniel Walsh 2009-10-15 10:13:03 EDT
For some reason your /dev/null is mislabeled?  udev should have created this with the correct label.  Any idea what is going on?
Comment 2 Bastien Nocera 2009-10-15 11:02:34 EDT
$ ls -lZ /dev/null 
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/null
Comment 3 Daniel Walsh 2009-10-15 11:06:53 EDT
Should be null_device_t.  This would be a bug in udev.

matchpathcon /dev/null
Comment 4 Bastien Nocera 2009-10-15 11:27:44 EDT

This was an upgrade from F-11.
Comment 5 Daniel Walsh 2009-10-15 11:40:50 EDT
Well I have no idea why it would break.  

Could you make sure you have the latest selinux policy and it installed properly

yum reinstall selinux-policy-targeted

You could try a touch /.autorelabel; reboot also.

But udev should be creating the devices with labels that matchpathcon returns.
Comment 6 Bug Zapper 2009-11-16 08:43:13 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 7 Harald Hoyer 2010-01-26 06:08:31 EST
Comment 8 Daniel Walsh 2010-01-27 09:26:59 EST
I think you can close this.

Note You need to log in before you can comment on or make changes to this bug.