Bug 584457 - SELinux is preventing gcm-apply "read" access on 001.
Status: CLOSED ERRATA
Product: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:190b06c1c46...
Reported: 2010-04-21 11:50 EDT by Carl G.
Modified: 2010-06-12 23:46 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-12 23:46:51 EDT
Attachments: None
Description Carl G. 2010-04-21 11:50:02 EDT
Summary:

SELinux is preventing gcm-apply "read" access on 001.

Detailed Description:

SELinux denied access requested by gcm-apply. It is not expected that this
access is required by gcm-apply and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                001 [ chr_file ]
Source                        gcm-apply
Source Path                   /usr/bin/gcm-apply
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.15-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux BubbleNet.BubbleWork 2.6.33.1-24.fc13.x86_64
                              #1 SMP Tue Mar 30 18:21:22 UTC 2010 x86_64 x86_64
Alert Count                   238
First Seen                    Wed 21 Apr 2010 11:01:21 AM EDT
Last Seen                     Wed 21 Apr 2010 11:22:14 AM EDT
Local ID                      dc7aee13-dfff-4221-9798-3c29ea2cce6f
Line Numbers                  

Raw Audit Messages            

node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  { read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Hash String generated from  catchall,gcm-apply,staff_t,usb_device_t,chr_file,read
audit2allow suggests:

#============= staff_t ==============
allow staff_t usb_device_t:chr_file read;
Comment 1 Carl G. 2010-04-21 12:00:32 EDT
Display composition fails to start when it's enabled.
Comment 2 Daniel Walsh 2010-04-21 12:45:04 EDT
Fixed in selinux-policy-3.7.19-1.fc13.noarch
Comment 3 Carl G. 2010-04-22 00:17:18 EDT
rpm -q selinux-policy
selinux-policy-3.7.19-2.fc13.noarch

Still having this issue.
Comment 4 Daniel Walsh 2010-04-22 07:30:25 EDT
What does this output?

# sesearch -A -s staff_t -t usb_device_t 
Found 1 semantic av rules:
   allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock append open } ;
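The description's raw AVC line and the allow rule in comment 4 look contradictory only until the source is resolved: the rule names the attribute staff_usertype, not the type staff_t. The following is an added example, not part of the bug report or of selinux-policy, that parses an AVC record, extracts the denied permissions and the source/target types, and checks them against rules in the form sesearch prints; the attribute membership (staff_t belongs to staff_usertype, as refpolicy defines it) is an assumption supplied inline, since the page does not list it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC record from the bug's description.
AVC_LINE = ('node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  '
            '{ read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 '
            'scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 '
            'tclass=chr_file')

# Pull the decision, the permission set and the three fields a policy rule keys on.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')


@dataclass(frozen=True)
class Avc:
    result: str
    perms: frozenset
    stype: str    # type component of the source context (user:role:type:level)
    ttype: str    # type component of the target context
    tclass: str


def parse_avc(line):
    """Parse one audit AVC record; returns None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(m['result'], frozenset(m['perms'].split()),
               m['scontext'].split(':')[2], m['tcontext'].split(':')[2], m['tclass'])


# Allow rules as sesearch prints them: (source, target, class, perms).
# Source or target may be an attribute instead of a type; ATTRS resolves membership.
RULES = [('staff_usertype', 'usb_device_t', 'chr_file',
          frozenset({'ioctl', 'read', 'write', 'getattr', 'lock', 'append', 'open'}))]
# Assumed attribute membership (not shown on the page): in refpolicy staff_t carries staff_usertype.
ATTRS = {'staff_usertype': {'staff_t'}}


def matches(rule_name, typ):
    return rule_name == typ or typ in ATTRS.get(rule_name, set())


def uncovered_perms(avc, rules=RULES):
    """Denied permissions that no rule grants; an empty set means the policy now allows the access."""
    allowed = set()
    for src, tgt, cls, perms in rules:
        if matches(src, avc.stype) and matches(tgt, avc.ttype) and cls == avc.tclass:
            allowed |= perms
    return avc.perms - allowed
```

With the rule present, uncovered_perms() returns an empty set for this denial, so a recurring AVC after the policy update would point at something other than this rule (stale policy on disk, or a different source type than staff_t).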
Comment 5 Carl G. 2010-04-22 13:03:06 EDT
(In reply to comment #4)
> What does this output
> 
> # sesearch -A -s staff_t -t usb_device_t 
> Found 1 semantic av rules:
>    allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock
> append open } ;    
^ this

[carl@BubbleWork ~]$ compiz --replace --debug
compiz (core) - Debug: Could not stat() file /home/carl/.compiz/plugins/libcore.so : No such file or directory
compiz (core) - Debug: Could not stat() file /usr/lib64/compiz/libcore.so : No such file or directory
compiz (core) - Fatal: GLX_EXT_texture_from_pixmap is missing
compiz (core) - Error: Failed to manage screen: 0
compiz (core) - Fatal: No manageable screens found on display :0.0

I don't know why it's not working then. As I stated in the email I sent to you, seapplet doesn't report any AVCs and I can't see anything relevant in audit.log && messages.

I just noticed that I can't start compiz when setenforce is set to 1.
Comment 6 Carl G. 2010-04-22 13:04:28 EDT
Okay, nvm about the compiz --debug.
