Summary: SELinux is preventing /usr/bin/tpb "read" access on nvram. Detailed Description: SELinux denied access requested by tpb. It is not expected that this access is required by tpb and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context xguest_u:xguest_r:xguest_t:s0 Target Context system_u:object_r:nvram_device_t:s0 Target Objects nvram [ chr_file ] Source tpb Source Path /usr/bin/tpb Port <Unknown> Host (removed) Source RPM Packages tpb-0.6.4-12.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-73.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686 Alert Count 2 First Seen Mon 01 Feb 2010 01:56:13 PM PST Last Seen Mon 01 Feb 2010 01:56:14 PM PST Local ID a678c91c-a632-48d6-99f3-b51b27b7796e Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1265061374.317:28674): avc: denied { read } for pid=4542 comm="tpb" name="nvram" dev=tmpfs ino=3040 scontext=xguest_u:xguest_r:xguest_t:s0 tcontext=system_u:object_r:nvram_device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1265061374.317:28674): arch=40000003 syscall=5 success=no exit=-13 a0=83b3858 a1=800 a2=7 a3=83b3a98 items=0 ppid=1 pid=4542 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=11 comm="tpb" exe="/usr/bin/tpb" subj=xguest_u:xguest_r:xguest_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-73.fc12,catchall,tpb,xguest_t,nvram_device_t,chr_file,read audit2allow suggests: #============= xguest_t ============== allow xguest_t nvram_device_t:chr_file read;
Only unconfined domains currently can read this device. Why does xguest need to read it?
nvram Special File Purpose Provides access to platform-specific nonvolatile RAM used for system boot, configuration, and fatal error information. This access is achieved through the machine I/O device driver. Description The /dev/nvram character special file provides access to the machine device driver for accessing or modifying machine-specific nonvolatile RAM. The appropriate privilege is required to open the nvram special file. The nvram special file is used by machine-specific configuration programs to store or retrieve configuration and boot information using the nonvolatile RAM or ROM provided on the machine. The nvram special file supports open, close, read, and ioctl operations. Note: Application programs should not access the nonvolatile RAM. Since nonvolatile RAM is platform-specific, any reliance on its presence and implementation places portability constraints upon the using application. In addition, accessing the nonvolatile RAM may cause loss of system startup and configuration information. Such a loss could require system administrative or maintenance task work to rebuild or recover. This does not sound like something a confined user should be looking at.
*** Bug 606039 has been marked as a duplicate of this bug. ***