683345 – avc: denied { read } for pid=823 comm="alsactl" name="controlC1" dev=devtmpfs

Bug 683345 - avc: denied { read } for pid=823 comm="alsactl" name="controlC1" dev=devtmpfs

Summary: avc: denied { read } for pid=823 comm="alsactl" name="controlC1" dev=devtmpfs

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-09 07:56 UTC by Jan Pazdziora
Modified:	2014-11-28 13:44 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-03-11 15:32:21 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jan Pazdziora 2011-03-09 07:56:36 UTC

Description of problem:

When installing RHEL 6 on some systems, I get failed ./Sysinfo in /distribution/install because of AVC denial:

******** SElinux AVC Failures ********
type=1400 audit(1299591440.975:4): avc:  denied  { read } for  pid=823 comm="alsactl" name="controlC1" dev=devtmpfs ino=10736 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
***** Potential Issues install.log *****

Version-Release number of selected component (if applicable):

Not really sure -- whatever is installed as of yesterday.

How reproducible:

Seen a couple of time, not deterministic thou.

Steps to Reproduce:
1. Install RHEL 6.
2. Check the result of /distribution/install
  
Actual results:

Fail.

Expected results:

Pass.

Additional info:

Comment 2 Marian Csontos 2011-03-09 08:33:01 UTC

This is not a bug in harness nor test: there is an AVC error and test properly reports it.

I am against hiding genuine AVC errors.

All we can do is to take AVC_ERROR into account in sysinfo sub-test.

Please, report a bug against component which causes the problem too, please.

Comment 3 Jan Pazdziora 2011-03-09 09:04:52 UTC

OK, thanks, flipping to RHEL 6 selinux-policy.

Comment 4 Jan Pazdziora 2011-03-09 09:07:10 UTC

# audit2allow
type=1400 audit(1299591440.975:4): avc:  denied  { read } for  pid=823 comm="alsactl" name="controlC1" dev=devtmpfs ino=10736 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


#============= alsa_t ==============
allow alsa_t device_t:chr_file read;
# find /dev -inum 10736
/dev/snd/controlC1
#

Comment 7 Miroslav Grepl 2011-03-09 12:25:28 UTC

/dev/snd/controlC1 did not get the right label during install


matchpathcon /dev/snd/controlC1
/dev/snd/controlC1	system_u:object_r:sound_device_t:s0

How is the device labeled now?

ls -Z /dev/snd/controlC1

Comment 8 Jan Pazdziora 2011-03-09 12:37:41 UTC

(In reply to comment #7)
> How is the device labeled now?
> 
> ls -Z /dev/snd/controlC1

# ls -Z /dev/snd/controlC1
crw-rw----. root audio system_u:object_r:sound_device_t:s0 /dev/snd/controlC1

Note You need to log in before you can comment on or make changes to this bug.