Bug 584640 - SELinux is preventing /usr/libexec/hald-addon-storage "read" access to device sdb.
Summary: SELinux is preventing /usr/libexec/hald-addon-storage "read" access to device...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:632aacc5d98...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-22 05:20 UTC by kingbiotech
Modified: 2010-07-09 00:22 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-09 00:22:40 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description kingbiotech 2010-04-22 05:20:59 UTC 
Summary:

SELinux is preventing /usr/libexec/hald-addon-storage "read" access to device
sdb.

Detailed Description:

SELinux has denied hald-addon-stor "read" access to device sdb. sdb is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'sdb'. If this
device remains labeled device_t, then this is a bug in SELinux policy. Please
file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for sdb, you can use chcon -t
SIMILAR_TYPE 'sdb', If this fixes the problem, you can make this permanent by
executing semanage fcontext -a -t SIMILAR_TYPE 'sdb' If the restorecon changes
the context, this indicates that the application that created the device,
created it without using SELinux APIs. If you can figure out which application
created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v 'sdb' or chcon -t SIMILAR_TYPE 'sdb'

Additional Information:

Source Context                system_u:system_r:hald_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                sdb [ blk_file ]
Source                        hald-addon-stor
Source Path                   /usr/libexec/hald-addon-storage
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hal-0.5.13-9.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-108.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.i686 #1 SMP Mon
                              Apr 5 16:32:08 EDT 2010 i686 i686
Alert Count                   4
First Seen                    Wed 21 Apr 2010 12:40:57 PM IST
Last Seen                     Wed 21 Apr 2010 12:40:59 PM IST
Local ID                      95149d6e-b227-47d7-9d31-eff30e937360
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1271833859.2:864): avc:  denied  { read } for  pid=9782 comm="hald-addon-stor" name="sdb" dev=devtmpfs ino=162658 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1271833859.2:864): arch=40000003 syscall=5 success=no exit=-13 a0=916241e a1=8000 a2=0 a3=9168480 items=0 ppid=1395 pid=9782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-addon-stor" exe="/usr/libexec/hald-addon-storage" subj=system_u:system_r:hald_t:s0 key=(null)



Hash String generated from  device,hald-addon-stor,hald_t,device_t,blk_file,read
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;
Comment 1 Daniel Walsh 2010-04-22 11:34:35 UTC 
 kingbiotech What is the label on sdb?

ls -lZ /dev/sdb

This looks like it is fixed in 

setroubleshoot-2.2.112-1.fc12       

If not earlier.
Note You need to log in before you can comment on or make changes to this bug.