Bug 683345 - avc: denied { read } for pid=823 comm="alsactl" name="controlC1" dev=devtmpfs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
 
Reported: 2011-03-09 07:56 UTC by Jan Pazdziora
Modified: 2014-11-28 13:44 UTC (History)
Doc Type: Bug Fix
Last Closed: 2011-03-11 15:32:21 UTC

Description Jan Pazdziora 2011-03-09 07:56:36 UTC
Description of problem:

When installing RHEL 6 on some systems, I get failed ./Sysinfo in /distribution/install because of AVC denial:

******** SElinux AVC Failures ********
type=1400 audit(1299591440.975:4): avc:  denied  { read } for  pid=823 comm="alsactl" name="controlC1" dev=devtmpfs ino=10736 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
***** Potential Issues install.log *****

Version-Release number of selected component (if applicable):

Not really sure -- whatever is installed as of yesterday.

How reproducible:

Seen a couple of times, not deterministic though.

Steps to Reproduce:
1. Install RHEL 6.
2. Check the result of /distribution/install
  
Actual results:

Fail.

Expected results:

Pass.

Additional info:

Comment 2 Marian Csontos 2011-03-09 08:33:01 UTC
This is not a bug in the harness nor the test: there is an AVC error and the test properly reports it.

I am against hiding genuine AVC errors.

All we can do is to take AVC_ERROR into account in sysinfo sub-test.

Please report a bug against the component which causes the problem, too.

Comment 3 Jan Pazdziora 2011-03-09 09:04:52 UTC
OK, thanks, flipping to RHEL 6 selinux-policy.

Comment 4 Jan Pazdziora 2011-03-09 09:07:10 UTC
# audit2allow
type=1400 audit(1299591440.975:4): avc:  denied  { read } for  pid=823 comm="alsactl" name="controlC1" dev=devtmpfs ino=10736 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


#============= alsa_t ==============
allow alsa_t device_t:chr_file read;
# find /dev -inum 10736
/dev/snd/controlC1
#

Comment 7 Miroslav Grepl 2011-03-09 12:25:28 UTC
/dev/snd/controlC1 did not get the right label during install


matchpathcon /dev/snd/controlC1
/dev/snd/controlC1	system_u:object_r:sound_device_t:s0

How is the device labeled now?

ls -Z /dev/snd/controlC1

Comment 8 Jan Pazdziora 2011-03-09 12:37:41 UTC
(In reply to comment #7)
> How is the device labeled now?
> 
> ls -Z /dev/snd/controlC1

# ls -Z /dev/snd/controlC1
crw-rw----. root audio system_u:object_r:sound_device_t:s0 /dev/snd/controlC1
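
Added example (not part of the bug report or of selinux-policy): the triage from comments 4 to 8 as Python, comparing the type in the denial's tcontext with what matchpathcon expects and what ls -Z shows now. The three input lines are copied from the comments above; the function names and verdict strings are assumptions of this example.

```python
import re

# Records copied from this bug report (comments 4, 7 and 8).
AVC = ('type=1400 audit(1299591440.975:4): avc:  denied  { read } for  pid=823 '
       'comm="alsactl" name="controlC1" dev=devtmpfs ino=10736 '
       'scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:device_t:s0 tclass=chr_file')
MATCHPATHCON = '/dev/snd/controlC1\tsystem_u:object_r:sound_device_t:s0'
LS_Z = 'crw-rw----. root audio system_u:object_r:sound_device_t:s0 /dev/snd/controlC1'

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CONTEXT_RE = re.compile(r'^\w+:\w+:(\w+):\S+$')  # user:role:type:level

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields

def selinux_type(context):
    """Extract the type from a full context; the MLS level may itself contain ':'."""
    m = CONTEXT_RE.match(context)
    if m is None:
        raise ValueError('not an SELinux context: %r' % context)
    return m.group(1)

def context_in(tool_output):
    """Find the context column in one line of matchpathcon or ls -Z output."""
    for word in tool_output.split():
        if CONTEXT_RE.match(word):
            return word
    raise ValueError('no SELinux context in %r' % tool_output)

def triage(avc_line, matchpathcon_line, ls_z_line):
    """Classify a denial as a labeling problem or a genuine policy gap."""
    avc = parse_avc(avc_line)
    if avc is None:
        raise ValueError('not an AVC denial')
    denied = selinux_type(avc['tcontext'])
    expected = selinux_type(context_in(matchpathcon_line))
    current = selinux_type(context_in(ls_z_line))
    if denied == expected:
        return 'policy-gap'          # object was labeled correctly; the rule is missing
    if current == expected:
        return 'transient-mislabel'  # wrong label only at the time of the denial
    return 'persistent-mislabel'     # still wrong on disk; relabel, do not widen policy
```

For the records in this bug the result is transient-mislabel, so the rule audit2allow printed in comment 4 (allow alsa_t device_t:chr_file read) would not address the cause. It would instead let alsa_t read every character device that carries the generic device_t label.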

