Created attachment 443775 [details] selinux-alert.1.log Description of problem: In an F14 VM, I get three selinux alerts after attempting to suspend. Suspend fails and the desktop immediately returns. Version-Release number of selected component (if applicable): selinux-policy-3.9.0-2.fc14 hdparm-9.27-1.fc13 kernel-2.6.35.4-12.fc14.x86_64 How reproducible: Always. Steps to Reproduce: 1. Install F14 to a VM, boot, update. 2. Relabel on reboot. 3. Login and attempt to suspend. I'm using "qemu-kvm -hda f14-alpha.img -m 512m" Actual results: The suspend fails and the desktop immediately returns. Three selinux alerts are reported. Expected results: No selinux alerts. Additional info: node=fir type=AVC msg=audit(1283875150.620:20): avc: denied { read } for pid=1898 comm="hdparm" path="/var/run/pm-utils/locks/pm-suspend.lock" dev=dm-0 ino=260379 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file node=fir type=SYSCALL msg=audit(1283875150.620:20): arch=c000003e syscall=59 success=yes exit=0 a0=2655d00 a1=2656150 a2=26579b0 a3=20 items=0 ppid=1897 pid=1898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hdparm" exe="/sbin/hdparm" subj=system_u:system_r:fsadm_t:s0 key=(null)
Created attachment 443865 [details] selinux-alert.2.log SELinux is preventing /bin/bash "getattr" access on /. 98video-quirk-d has a permissive type (devicekit_power_t). This access was not denied.
Created attachment 443913 [details] selinux-alert.3.log Summary: SELinux has prevented vbetool from performing an unsafe memory operation. Detailed Description: SELinux denied an operation requested by vbetool, a program used to alter video hardware state. This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as vbetool. This tool is used to reset video state when a machine resumes from a suspend. If your machine is not resuming properly your only choice is to allow this operation and reduce your system security against such malware.
qemu is running on an F13 system: [stephent@walnut ~]$ rpm -qa 'qemu*' | sort qemu-common-0.12.5-1.fc13.x86_64 qemu-img-0.12.5-1.fc13.x86_64 qemu-kvm-0.12.5-1.fc13.x86_64 qemu-system-x86-0.12.5-1.fc13.x86_64
Steven do not open three bugs all in the same report. The first one is a problem reported against pm-utils. It is leaking a file descriptor. The vbetool one is a bug in vbetool which should not need that access. Also an existing bug on vbetool has been opened on this one. The devicekit_power_t one is fixed in the latest policy.
(In reply to comment #4) > Steven do not open three bugs all in the same report. The first one is a > problem reported against pm-utils. It is leaking a file descriptor. The > vbetool one is a bug in vbetool which should not need that access. Also an > existing bug on vbetool has been opened on this one. > > The devicekit_power_t one is fixed in the latest policy. OK, thanks. Since they all had the same proximate cause I collected them here. If you need me to spin off separate bugs next time, please just ask and suggest the components.
No since they are all covered I will just close this bug as fixed in the next release. Fixed in selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
(In reply to comment #7) > selinux-policy-3.9.3-1.fc14 has been submitted as an update for Fedora 14. > https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14 Thanks, Dan. The devicekit_power_t alert does not occur after suspend fails in a VM.
Please update karma.
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-1.fc14
selinux-policy-3.9.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.