Bug 540926 - SELinux is preventing /usr/sbin/hald "getattr" access to device /dev/etherd/e1.0.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e3a579992c1...
Depends On:
Blocks:
Reported: 2009-11-24 14:34 UTC by Tomasz Torcz
Modified: 2010-08-20 01:46 UTC (History)

Fixed In Version: selinux-policy-3.6.32-120.fc12
Clone Of:
Environment:
Last Closed: 2009-12-07 22:46:44 UTC
Type: ---
Embargoed:



Description Tomasz Torcz 2009-11-24 14:34:32 UTC
Summary:

SELinux is preventing /usr/sbin/hald "getattr" access to device
/dev/etherd/e1.0.
This is an aoe (ATA-over-Ethernet, modprobe aoe) block device and should be labelled as such.

Additional information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/etherd/e1.0 [ blk_file ]
Source                        hald
Source Path                   /usr/sbin/hald (deleted)
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP
                              Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   19
First Seen                    Mon, 2 Nov 2009, 14:39:23
Last Seen                     Mon, 23 Nov 2009, 16:48:42
Local ID                      556c1df4-7369-435a-a095-ffa132137afa
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1258991322.523:3384): avc:  denied  { getattr } for  pid=7797 comm="hald" path="/dev/etherd/e1.0" dev=tmpfs ino=76899 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1258991322.523:3384): arch=c000003e syscall=4 success=no exit=-13 a0=7ffffcafbea0 a1=7ffffcafbdd0 a2=7ffffcafbdd0 a3=3 items=0 ppid=1 pid=7797 auid=4294967295 uid=68 gid=68 euid=68 suid=68 fsuid=68 egid=68 sgid=68 fsgid=68 tty=(none) ses=4294967295 comm="hald" exe="/usr/sbin/hald" subj=system_u:system_r:hald_t:s0 key=(null)
Hash String generated from  selinux-policy-3.6.32-41.fc12,device,hald,hald_t,device_t,blk_file,getattr
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file getattr;

Comment 1 Daniel Walsh 2009-11-24 14:57:30 UTC
I will add this mapping to -50 package.

/dev/etherd/.+		-b		gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

You can test this locally by executing

# semanage fcontext -a -t fixed_disk_device_t -f -b "/dev/etherd/.+"

Fixed in selinux-policy-3.6.32-50.fc12.noarch

Comment 2 Tomasz Torcz 2009-11-24 15:21:28 UTC
Thank you for prompt action. I suspect that this policy would be too broad. /dev/etherd/ contains some control files also:

# ls -lZ /dev/etherd/
c-w--w----. root disk system_u:object_r:device_t:s0    discover
brw-rw----. root disk system_u:object_r:device_t:s0    e1.0
cr--r-----. root disk system_u:object_r:device_t:s0    err
c-w--w----. root disk system_u:object_r:device_t:s0    flush
c-w--w----. root disk system_u:object_r:device_t:s0    interfaces
c-w--w----. root disk system_u:object_r:device_t:s0    revalidate


As far as I know only e*.* files are disk drives. First number is shelf number which could go quite high; second number is slot, which is limited to 16 I think.

Comment 3 Daniel Walsh 2009-11-24 15:38:44 UTC
Well, the context will only match blk devices, so this is only a problem if blk devices exist in this path that are not fixed devices.

The question I have is what should I label the chr devices? Do you know of devices that match the functionality of these?

Comment 4 Tomasz Torcz 2009-11-24 15:57:59 UTC
Hm, I'm a mere user of AoE. For similar special control devices I found, with corresponding label:

 system_u:object_r:device_t:s0    /dev/btrfs-control
 system_u:object_r:lvm_control_t:s0 /dev/mapper/control
 system_u:object_r:fixed_disk_device_t:s0 /dev/raw/rawctl

So no real consistency here. N.B. tightening the aoe policy would probably require changing labels in the aoetools-23-3.fc12.x86_64 package.

Comment 5 Daniel Walsh 2009-11-24 16:29:22 UTC
For now I am going to label them all lvm_control.
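The labeling decision argued over in comments 1, 3 and 5 can be checked offline: the script below is an added example (not part of this bug or of selinux-policy) that parses the raw AVC record and the `ls -lZ /dev/etherd/` listing from comment 2, then evaluates which SELinux type each entry would receive from the proposed file_contexts specs. The `-b` spec is the one from comment 1; the `-c` spec rendering comment 5 is an assumption, as is the hald_t allow rule implied by the fix.

```python
import re

# Constructed input: the `ls -lZ /dev/etherd/` listing quoted in comment 2
LS_LZ = """\
c-w--w----. root disk system_u:object_r:device_t:s0    discover
brw-rw----. root disk system_u:object_r:device_t:s0    e1.0
cr--r-----. root disk system_u:object_r:device_t:s0    err
c-w--w----. root disk system_u:object_r:device_t:s0    flush
c-w--w----. root disk system_u:object_r:device_t:s0    interfaces
c-w--w----. root disk system_u:object_r:device_t:s0    revalidate
"""

# The raw AVC record from the report (node= prefix dropped)
AVC = ('type=AVC msg=audit(1258991322.523:3384): avc:  denied  { getattr } for  pid=7797 '
       'comm="hald" path="/dev/etherd/e1.0" dev=tmpfs ino=76899 '
       'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file')

# file_contexts specs as (regex, file-type flag, SELinux type): "-b" block device,
# "-c" char device, None = any type. First line is from comment 1; the second is an
# assumed spec for comment 5 ("label them all lvm_control").
SPECS = [
    ("/dev/etherd/.+", "-b", "fixed_disk_device_t"),
    ("/dev/etherd/.+", "-c", "lvm_control_t"),
]

# First character of the ls mode string -> file_contexts file-type flag
MODE_FLAG = {"b": "-b", "c": "-c", "d": "-d", "-": "--", "l": "-l", "p": "-p", "s": "-s"}

def parse_avc(record):
    """Pull the fields that decide a denial (permissions, path, types, class) out of an AVC line."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    perms = re.search(r"\{ ([^}]*) \}", record).group(1).split()
    return {"perms": perms, "path": fields["path"].strip('"'),
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2], "tclass": fields["tclass"]}

def parse_ls_lz(listing, directory):
    """Yield (path, file-type flag, current SELinux type) for each ls -lZ line."""
    for line in listing.splitlines():
        mode, _owner, _group, ctx, name = line.split()
        yield f"{directory}/{name}", MODE_FLAG[mode[0]], ctx.split(":")[2]

def relabel(path, flag, current, specs):
    """Type a path gets from specs; the last matching spec wins, as in file_contexts."""
    chosen = current
    for regex, ftype, seltype in specs:
        if re.fullmatch(regex, path) and ftype in (None, flag):
            chosen = seltype
    return chosen

def plan(listing, directory, specs):
    """Map each path to (file-type flag, current type, type after relabeling)."""
    return {p: (f, c, relabel(p, f, c, specs)) for p, f, c in parse_ls_lz(listing, directory)}
```

Running `plan(LS_LZ, "/dev/etherd", SPECS[:1])` shows comment 3's point: with only the `-b` spec, e1.0 becomes fixed_disk_device_t while the character devices keep device_t, and the second spec is what moves them to lvm_control_t.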

Comment 6 Fedora Update System 2009-12-01 16:51:47 UTC
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12

Comment 7 Fedora Update System 2009-12-03 04:58:49 UTC
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549

Comment 8 Fedora Update System 2009-12-03 20:29:55 UTC
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12

Comment 9 Fedora Update System 2009-12-04 23:48:16 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650

Comment 10 Fedora Update System 2009-12-08 07:54:56 UTC
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2010-08-05 13:20:39 UTC
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

Comment 12 Fedora Update System 2010-08-20 01:40:52 UTC
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
