Summary: SELinux is preventing /usr/libexec/udisks-daemon "read" access on meminfo. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux denied access requested by udisks-daemon. It is not expected that this access is required by udisks-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 Target Context system_u:object_r:proc_t:s0 Target Objects meminfo [ file ] Source udisks-daemon Source Path /usr/libexec/udisks-daemon Port <Unknown> Host (removed) Source RPM Packages udisks-1.0.0-0.git20091202.2.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.5-5.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.32.2-15.fc13.x86_64 #1 SMP Thu Dec 24 17:12:56 UTC 2009 x86_64 x86_64 Alert Count 2 First Seen Sat 02 Jan 2010 10:40:29 AM EST Last Seen Sat 02 Jan 2010 10:40:29 AM EST Local ID 5a955a2f-e356-4c03-a462-4c7241f877f0 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1262446829.111:13): avc: denied { read } for pid=2949 comm="udisks-daemon" name="meminfo" dev=proc ino=4026531990 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file node=(removed) type=AVC msg=audit(1262446829.111:13): avc: denied { open } for pid=2949 comm="udisks-daemon" name="meminfo" dev=proc ino=4026531990 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1262446829.111:13): arch=c000003e syscall=2 success=yes exit=10 a0=31699417b4 a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=2949 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisks-daemon" exe="/usr/libexec/udisks-daemon" subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null) Hash String generated from selinux-policy-3.7.5-5.fc13,catchall,udisks-daemon,devicekit_disk_t,proc_t,file,read audit2allow suggests: #============= devicekit_disk_t ============== allow devicekit_disk_t proc_t:file { read open };
Occurred sometime during boot and desktop invocation and before any user actions.
Fixed in selinux-policy-3.7.5-6.fc13.noarch
Its back in selinux-policy-3.7.7-1.fc13.noarch
Are you sure this is the avc you are still seeing? rpm -q selinux-policy selinux-policy-3.7.7-1.fc13.noarch sesearch -A -s devicekit_disk_t -t proc_t -c file Found 2 semantic av rules: allow devicekit_disk_t proc_t : file { ioctl read getattr lock open } ; allow devicekit_disk_t file_type : file getattr ; What does # audit2allow -law say?
Hmmmm....artefact from some abrt issues? Will see what happens after a reboot. But first, the info you requested: rpm -q selinux-policy selinux-policy-3.7.7-1.fc13.noarch [kunkelc@P5K-EWIFI ~]$ sesearch -A -s devicekit_disk_t -t proc_t -c file Found 2 semantic av rules: allow devicekit_disk_t file_type : file getattr ; allow devicekit_disk_t proc_t : file { ioctl read getattr lock open } ; # audit2allow -law type=AVC msg=audit(1263485201.557:6): avc: denied { search } for pid=2709 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=132691 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: The boolean allow_polyinstantiation was set incorrectly. Description: Enable polyinstantiated directory support. Allow access by executing: # setsebool -P allow_polyinstantiation 1 type=AVC msg=audit(1263485201.557:7): avc: denied { create } for pid=2709 comm="gnome-session" name="2709" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485201.557:7): avc: denied { add_name } for pid=2709 comm="gnome-session" name="2709" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485201.557:7): avc: denied { write } for pid=2709 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=132691 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485210.548:15): avc: denied { unlink } for pid=2709 comm="gnome-session" name="2709" dev=dm-0 ino=139744 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485210.548:15): avc: denied { remove_name } for pid=2709 comm="gnome-session" name="2709" dev=dm-0 ino=139744 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485210.548:15): avc: denied { write } for pid=2709 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=132691 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1263485210.548:15): avc: denied { search } for pid=2709 comm="gnome-session" name=".ICE-unix" dev=dm-0 ino=132691 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir Was caused by: The boolean allow_polyinstantiation was set incorrectly. Description: Enable polyinstantiated directory support. Allow access by executing: # setsebool -P allow_polyinstantiation 1
Ok so you do not have a bug there. I am working on the bug of what is creating the /tmp/.ICE-unix directory with the wrong label. chcon -t user_tmp_t -R /tmp/.ICE-unix Will fix it. But if you use tmpfs for /tmp, it will be created by a process running as initrc_t, which is wrong. Problem is, I have not been able to figure out what program is running during boot that creates this dir.
Fixed in selinux-policy-3.7.14-1.fc13.noarch
selinux-policy-3.7.14-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-1.fc13
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.14-3.fc13
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle. Changing version to '13'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
selinux-policy-3.7.14-3.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.