Bug 584457 - SELinux is preventing gcm-apply "read" access on 001.
Summary: SELinux is preventing gcm-apply "read" access on 001.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:190b06c1c46...
Depends On:
Blocks:
Reported: 2010-04-21 15:50 UTC by Carl G.
Modified: 2010-06-13 03:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-13 03:46:51 UTC
Type: ---
Embargoed:



Description Carl G. 2010-04-21 15:50:02 UTC
Summary:

SELinux is preventing gcm-apply "read" access on 001.

Detailed Description:

SELinux denied access requested by gcm-apply. It is not expected that this
access is required by gcm-apply and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                001 [ chr_file ]
Source                        gcm-apply
Source Path                   /usr/bin/gcm-apply
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.15-4.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux BubbleNet.BubbleWork 2.6.33.1-24.fc13.x86_64
                              #1 SMP Tue Mar 30 18:21:22 UTC 2010 x86_64 x86_64
Alert Count                   238
First Seen                    Wed 21 Apr 2010 11:01:21 AM EDT
Last Seen                     Wed 21 Apr 2010 11:22:14 AM EDT
Local ID                      dc7aee13-dfff-4221-9798-3c29ea2cce6f
Line Numbers                  

Raw Audit Messages            

node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  { read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file



Hash String generated from  catchall,gcm-apply,staff_t,usb_device_t,chr_file,read
audit2allow suggests:

#============= staff_t ==============
allow staff_t usb_device_t:chr_file read;

Comment 1 Carl G. 2010-04-21 16:00:32 UTC
Display composition fails to start when it's enabled.

Comment 2 Daniel Walsh 2010-04-21 16:45:04 UTC
Fixed in selinux-policy-3.7.19-1.fc13.noarch

Comment 3 Carl G. 2010-04-22 04:17:18 UTC
rpm -q selinux-policy
selinux-policy-3.7.19-2.fc13.noarch

Still having this issue.

Comment 4 Daniel Walsh 2010-04-22 11:30:25 UTC
What does this output?

# sesearch -A -s staff_t -t usb_device_t 
Found 1 semantic av rules:
   allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock append open } ;
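As an added example (not part of the bug report, of setroubleshoot, or of audit2allow), the Python below parses the raw AVC line from the description, derives the same allow rule audit2allow printed, and checks it against the sesearch rule from comment 4, which is the question comments 2 to 4 turn on: the rule's source is the attribute staff_usertype, so attribute membership is needed to see that it already covers staff_t. The ATTRIBUTES mapping is constructed for the example (on a real system it would come from seinfo).

```python
import re
# Raw AVC line copied from the report above; it is the only input the parser needs.
AVC_LINE = ('node=BubbleNet.BubbleWork type=AVC msg=audit(1271863334.903:129): avc:  denied  '
            '{ read } for  pid=2015 comm="gcm-apply" name="001" dev=devtmpfs ino=5741 '
            'scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:usb_device_t:s0 '
            'tclass=chr_file')
# sesearch output from comment 4; its source is the attribute staff_usertype, not the type staff_t.
SESEARCH_OUTPUT = ('Found 1 semantic av rules:\n'
                   '   allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock append open } ;\n')
# Constructed attribute membership (on a real system, query it with seinfo); not from the report.
ATTRIBUTES = {'staff_usertype': {'staff_t'}}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)'
                    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}')

def parse_avc(line):
    """Extract source type, target type, object class and denied permissions from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial: ' + line)
    return {'source_type': m['scontext'].split(':')[2],  # user:role:type:level -> type
            'target_type': m['tcontext'].split(':')[2],
            'tclass': m['tclass'],
            'perms': set(m['perms'].split())}

def suggest_rule(denial):
    """Render the denial as the allow rule audit2allow prints for it."""
    perms = sorted(denial['perms'])
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['source_type']} {denial['target_type']}:{denial['tclass']} {perm_text};"

def parse_rules(text):
    """Parse sesearch -A output into (source, target, class, permission set) tuples."""
    return [(m['src'], m['tgt'], m['cls'], set(m['perms'].split())) for m in RULE_RE.finditer(text)]

def is_covered(denial, rules, attributes):
    """True if a loaded rule already grants every denied permission, expanding attributes to types."""
    for src, tgt, cls, perms in rules:
        src_ok = src == denial['source_type'] or denial['source_type'] in attributes.get(src, set())
        tgt_ok = tgt == denial['target_type'] or denial['target_type'] in attributes.get(tgt, set())
        if src_ok and tgt_ok and cls == denial['tclass'] and denial['perms'] <= perms:
            return True
    return False

if __name__ == '__main__':
    denial = parse_avc(AVC_LINE)
    print(suggest_rule(denial))  # allow staff_t usb_device_t:chr_file read;
    print(is_covered(denial, parse_rules(SESEARCH_OUTPUT), ATTRIBUTES))  # True: comment 4's rule grants read
```

If is_covered returns True for a denial that is still being logged, the loaded policy is not the one sesearch was run against (or the denial predates the policy update), which is the check worth making before adding a local module.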

Comment 5 Carl G. 2010-04-22 17:03:06 UTC
(In reply to comment #4)
> What does this output
> 
> # sesearch -A -s staff_t -t usb_device_t 
> Found 1 semantic av rules:
>    allow staff_usertype usb_device_t : chr_file { ioctl read write getattr lock
> append open } ;    
^ this

[carl@BubbleWork ~]$ compiz --replace --debug
compiz (core) - Debug: Could not stat() file /home/carl/.compiz/plugins/libcore.so : No such file or directory
compiz (core) - Debug: Could not stat() file /usr/lib64/compiz/libcore.so : No such file or directory
compiz (core) - Fatal: GLX_EXT_texture_from_pixmap is missing
compiz (core) - Error: Failed to manage screen: 0
compiz (core) - Fatal: No manageable screens found on display :0.0

I don't know why it's not working then. Like I stated in the email I sent to you, seapplet doesn't report any AVCs and I can't see anything relevant in audit.log && messages.

I just noticed that I can't start compiz when setenforce is set to 1.

Comment 6 Carl G. 2010-04-22 17:04:28 UTC
Okay, nvm about the compiz --debug.

