Bug 587953 - SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device hwcdrom.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:7d033379889...
Reported: 2010-05-01 14:07 EDT by Cássio Magno
Modified: 2010-07-29 12:38 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-29 12:38:44 EDT
Description Cássio Magno 2010-05-01 14:07:23 EDT
Sumário:

SELinux is preventing /usr/libexec/hald-probe-storage "read" access to device
hwcdrom.

Descrição detalhada:

SELinux has denied hald-probe-stor "read" access to device hwcdrom. hwcdrom is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v 'hwcdrom'. If
this device remains labeled device_t, then this is a bug in SELinux policy.
Please file a bg report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for hwcdrom, you can use chcon -t
SIMILAR_TYPE 'hwcdrom', If this fixes the problem, you can make this permanent
by executing semanage fcontext -a -t SIMILAR_TYPE 'hwcdrom' If the restorecon
changes the context, this indicates that the application that created the
device, created it without using SELinux APIs. If you can figure out which
application created the device, please file a bug report against this
application.

Permitindo acesso:

Attempt restorecon -v 'hwcdrom' or chcon -t SIMILAR_TYPE 'hwcdrom'

Informações adicionais:

Contexto de origem            system_u:system_r:hald_t:s0
Contexto de destino           system_u:object_r:device_t:s0
Objetos de destino            hwcdrom [ blk_file ]
Origem                        hald-probe-stor
Caminho da origem             /usr/libexec/hald-probe-storage
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         hal-0.5.14-2.fc13
Pacotes RPM de destino        
RPM da política              selinux-policy-3.7.15-4.fc13
Selinux habilitado            True
Tipo de política             targeted
Modo reforçado               Enforcing
Nome do plugin                device
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.33.1-19.fc13.i686 #1 SMP
                              Sat Mar 20 02:34:04 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Sáb 01 Mai 2010 14:46:57 BRT
Visto pela última vez em     Sáb 01 Mai 2010 14:53:00 BRT
ID local                      e8625477-7c8d-4a5f-bf0b-2a7cfe327a5d
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1272736380.969:87): avc:  denied  { read } for  pid=14300 comm="hald-probe-stor" name="hwcdrom" dev=devtmpfs ino=1355565 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

node=(removed) type=SYSCALL msg=audit(1272736380.969:87): arch=40000003 syscall=5 success=no exit=-13 a0=bfad6a7c a1=8800 a2=0 a3=bfad6b92 items=0 ppid=1280 pid=14300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-stor" exe="/usr/libexec/hald-probe-storage" subj=system_u:system_r:hald_t:s0 key=(null)



Hash String generated from  device,hald-probe-stor,hald_t,device_t,blk_file,read
audit2allow suggests:

#============= hald_t ==============
allow hald_t device_t:blk_file read;
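
The triage rule the alert describes (a denied access to a block or character device that still carries the default `device_t` label points to a labeling problem, to be tried with `restorecon` first), as an added example that is not part of the original report or of setroubleshoot's own code. The second sample record, the function names and the verdict strings are constructed for illustration.

```python
import re
import shlex

# First record: the AVC line quoted in this report. Second record: constructed
# for contrast (a device that already carries a specific type).
SAMPLE = [
    'node=(removed) type=AVC msg=audit(1272736380.969:87): avc:  denied  { read } for  pid=14300 comm="hald-probe-stor" name="hwcdrom" dev=devtmpfs ino=1355565 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'node=(removed) type=AVC msg=audit(1272736381.000:88): avc:  denied  { read } for  pid=14301 comm="hald-probe-stor" name="sda" dev=devtmpfs ino=1355570 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {'blk_file', 'chr_file'}


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the type is the third field.
        parts = rec[side].split(':')
        if len(parts) < 3:
            return None
        rec[side + '_type'] = parts[2]
    return rec


def triage(line):
    """Classify a denial as a labeling problem or a policy question."""
    rec = parse_avc(line)
    if rec is None:
        return None
    if rec['tclass'] in DEVICE_CLASSES and rec['tcontext_type'] == 'device_t':
        # name= is only the basename and comes from the log: quote it.
        return ('mislabeled-device', 'restorecon -v ' + shlex.quote(rec.get('name', '?')))
    return ('policy-denial', 'review with audit2allow')


if __name__ == '__main__':
    for entry in SAMPLE:
        print(triage(entry))
```
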
Comment 1 Daniel Walsh 2010-05-03 14:01:43 EDT
Should this device be labeled the same as /dev/sr0?

Is it a removable cdrom device?
