Bug 540197 - SELinux is preventing udev-acl.ck (consolekit_t) "getattr" udev_tbl_t.
Summary: SELinux is preventing udev-acl.ck (consolekit_t) "getattr" udev_tbl_t.
Keywords:
Status: CLOSED DUPLICATE of bug 540170
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:7aafb5c27d3...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-22 17:50 UTC by Hin-Tak Leung
Modified: 2009-11-23 15:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-23 15:45:08 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Hin-Tak Leung 2009-11-22 17:50:02 UTC 
Summary:

SELinux is preventing udev-acl.ck (consolekit_t) "getattr" udev_tbl_t.

Detailed Description:

[udev-acl.ck has a permissive type (consolekit_t). This access was not denied.]

SELinux denied access requested by udev-acl.ck. It is not expected that this
access is required by udev-acl.ck and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:consolekit_t:SystemLow-
                              SystemHigh
Target Context                system_u:object_r:udev_tbl_t:SystemLow
Target Objects                /dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00
                              :14.2\x2fsound\x2fcard0\x2fcontrolC0 [ file ]
Source                        udev-acl.ck
Source Path                   /lib/udev/udev-acl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           udev-145-12.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-88.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   8
First Seen                    Sun 22 Nov 2009 03:53:42 GMT
Last Seen                     Sun 22 Nov 2009 04:56:29 GMT
Local ID                      9a558bdd-9522-4bf3-9218-0c333768193a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258865789.311:321): avc:  denied  { getattr } for  pid=1678 comm="udev-acl.ck" path="/dev/.udev/db/\x2fdevices\x2fpci0000:00\x2f0000:00:14.2\x2fsound\x2fcard0\x2fcontrolC0" dev=tmpfs ino=9278 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_tbl_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1258865789.311:321): arch=c000003e syscall=6 success=yes exit=128 a0=7ffffe4ec9c0 a1=7ffffe4eb520 a2=7ffffe4eb520 a3=e items=0 ppid=1180 pid=1678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-acl.ck" exe="/lib/udev/udev-acl" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.12-88.fc11,catchall,udev-acl.ck,consolekit_t,udev_tbl_t,file,getattr
audit2allow suggests:

#============= consolekit_t ==============
allow consolekit_t udev_tbl_t:file getattr;
Comment 1 Hin-Tak Leung 2009-11-22 18:37:11 UTC 
This is possibly a consequence of doing yum upgrade though f11 to f12. touch /.autorelabel and reboot probably should be documented in the YumUpgradeFAQ.
Comment 2 Daniel Walsh 2009-11-23 15:45:08 UTC 

*** This bug has been marked as a duplicate of bug 540170 ***
Note You need to log in before you can comment on or make changes to this bug.