Bug 730859 - SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
Summary: SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on t...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2674a9f15c052a6ee8c0396e8f4...
Depends On:
Blocks: F16Blocker, F16FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2011-08-16 01:06 UTC by Adam Williamson
Modified: 2011-09-07 03:19 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.10.0-21.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-07 03:19:37 UTC


Attachments (Terms of Use)

Description Adam Williamson 2011-08-16 01:06:10 UTC
abrt version: 2.0.5
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.0.0-1.fc16.x86_64
reason:         SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
time:           Mon Aug 15 21:05:02 2011

description:
:SELinux is preventing /usr/libexec/udisks-daemon from 'getattr' accesses on the file /LiveOS/ext3fs.img.
:
:*****  Plugin restorecon (94.8 confidence) suggests  *************************
:
:If you want to fix the label. 
:/LiveOS/ext3fs.img default label should be etc_runtime_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /LiveOS/ext3fs.img
:
:*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
:
:If you want to allow udisks-daemon to have getattr access on the ext3fs.img file
:Then you need to change the label on /LiveOS/ext3fs.img
:Do
:# semanage fcontext -a -t FILE_TYPE '/LiveOS/ext3fs.img'
:where FILE_TYPE is one of the following: devicekit_tmp_t, proc_kmsg_t, mount_exec_t, shell_exec_t, system_dbusd_var_lib_t, krb5_conf_t, abrt_var_run_t, dbusd_etc_t, userdomain, fusermount_exec_t, fsadm_exec_t, mtrr_device_t, domain, sysctl_crypto_t, proc_mdstat_t, proc_net_t, policykit_reload_t, mdadm_exec_t, samba_var_t, etc_runtime_t, abrt_t, lib_t, anon_inodefs_t, net_conf_t, udev_var_run_t, file_type, exec_type, abrt_helper_exec_t, ld_so_t, devicekit_var_lib_t, devicekit_var_run_t, dbusd_etc_t, devicekit_disk_t, userdomain, lvm_exec_t, system_dbusd_var_lib_t, textrel_shlib_t, policykit_auth_exec_t, sysctl_fs_t, rpm_script_tmp_t, bin_t, usr_t, cert_t, device_t, locale_t, etc_t, proc_t, sosreport_tmp_t, sysfs_t, virt_image_type, rpm_tmp_t, ld_so_cache_t, etc_t, devicekit_disk_exec_t, udev_exec_t, sssd_public_t, system_cronjob_var_lib_t, policykit_var_lib_t, krb5_host_rcache_t. 
:Then execute: 
:restorecon -v '/LiveOS/ext3fs.img'
:
:
:*****  Plugin catchall (1.44 confidence) suggests  ***************************
:
:If you believe that udisks-daemon should be allowed getattr access on the ext3fs.img file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep udisks-daemon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:unlabeled_t:s0
:Target Objects                /LiveOS/ext3fs.img [ file ]
:Source                        udisks-daemon
:Source Path                   /usr/libexec/udisks-daemon
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           udisks-1.0.3-2.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-15.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.0.0-1.fc16.x86_64 #1
:                              SMP Fri Jul 22 16:09:29 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Mon 15 Aug 2011 09:01:52 PM EDT
:Last Seen                     Mon 15 Aug 2011 09:01:52 PM EDT
:Local ID                      18bac200-d676-48ff-a701-5e7116c0e98c
:
:Raw Audit Messages
:type=AVC msg=audit(1313456512.547:50): avc:  denied  { getattr } for  pid=1746 comm="udisks-daemon" path="/LiveOS/ext3fs.img" dev=loop2 ino=3 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1313456512.547:50): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=f a1=4c05 a2=7fff3b001930 a3=0 items=0 ppid=1 pid=1746 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udisks-daemon exe=/usr/libexec/udisks-daemon subj=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 key=(null)
:
:Hash: udisks-daemon,devicekit_disk_t,unlabeled_t,file,getattr
:
:audit2allow
:
:#============= devicekit_disk_t ==============
:allow devicekit_disk_t unlabeled_t:file getattr;
:
:audit2allow -R
:
:#============= devicekit_disk_t ==============
:allow devicekit_disk_t unlabeled_t:file getattr;
:

Comment 1 Adam Williamson 2011-08-16 01:07:56 UTC
This notification pops up reliably on booting an F16 Alpha RC4 live image. Proposing as a final blocker under criterion "In most cases, there must be no SELinux 'AVC: denied' messages or abrt crash notifications on initial boot and subsequent login". CCing dwalsh, as I'm guessing his fixes to live image creation resp. SELinux may possibly be relevant here.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 2 Daniel Walsh 2011-08-16 12:10:26 UTC
We have a fix for this in 

selinux-policy-3.10.0-18.fc16

Comment 3 Robert Lightfoot 2011-08-19 07:14:27 UTC
Still getting with Fedora-16-Alpha-i686-live-Desktop.iso from rc5

Comment 4 Daniel Walsh 2011-08-20 10:55:22 UTC
What policy package do you have installed?

rpm -q selinux-policy

Comment 5 Adam Williamson 2011-08-20 15:30:21 UTC
RC5 has selinux-policy -15, as there were no blocker or NTH bugs fixed by 16 thru 18.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Comment 6 Daniel Walsh 2011-08-22 17:34:09 UTC
Fine this just means this bug will not be fixes in a live OS until we ship Beta?

Comment 7 Adam Williamson 2011-08-22 20:05:25 UTC
Yes. Well, nightlies will be fixed as soon as this goes stable and is included in a tree compose.

Comment 8 Fedora Update System 2011-08-24 11:38:51 UTC
selinux-policy-3.10.0-21.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16

Comment 9 Fedora Update System 2011-08-24 22:45:50 UTC
Package selinux-policy-3.10.0-21.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-21.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-21.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2011-09-07 03:19:00 UTC
selinux-policy-3.10.0-21.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.