Bug 752749
| Summary: | SELinux is preventing /usr/libexec/devkit-power-daemon from read access on the chr_file 001. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-11-10 11:34:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I was doing absolutely nothing with USB port, but most likely it was somewhere around the moemtn when the notebook was resuming from suspend-to-RAM. This happened just before the original AVC denial. Just to be complete.
SELinux is preventing /usr/libexec/devkit-power-daemon from 'read, write' accesses on the chr_file 001.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that devkit-power-daemon should be allowed read write access on the 001 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep devkit-power-da /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Kontext zdroje system_u:system_r:devicekit_power_t:s0-s0:c0.c1023
Kontext cíle system_u:object_r:usb_device_t:s0
Objekty cíle 001 [ chr_file ]
Zdroj devkit-power-da
Cesta zdroje /usr/libexec/devkit-power-daemon
Port <Neznámé>
Počítač mitmanek.ceplovi.cz
RPM balíčky zdroje DeviceKit-power-014-3.el6
RPM balíčky cíle
RPM politiky selinux-policy-3.7.19-125.el6
Selinux povolen True
Typ politiky targeted
Vynucovací režim Enforcing
Název počítače mitmanek.ceplovi.cz
Platforma Linux mitmanek.ceplovi.cz 2.6.32-214.el6.x86_64 #1
SMP Tue Oct 25 19:48:00 EDT 2011 x86_64 x86_64
Počet upozornění 10
Poprvé viděno Čt 10. listopad 2011, 10:52:02 CET
Naposledy viděno Čt 10. listopad 2011, 10:52:03 CET
Místní ID 6078a7e9-2e84-44d8-a1f0-7298dd9c4ddf
Původní zprávy auditu
type=AVC msg=audit(1320918723.180:43996): avc: denied { read write } for pid=2976 comm="devkit-power-da" name="001" dev=devtmpfs ino=5382 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1320918723.180:43996): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffb13cff40 a1=2 a2=7fffb13cff54 a3=fffffffd items=0 ppid=1 pid=2976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=devkit-power-da exe=/usr/libexec/devkit-power-daemon subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null)
Hash: devkit-power-da,devicekit_power_t,usb_device_t,chr_file,read,write
audit2allow
#============= devicekit_power_t ==============
allow devicekit_power_t usb_device_t:chr_file { read write };
audit2allow -R
#============= devicekit_power_t ==============
allow devicekit_power_t usb_device_t:chr_file { read write };
Matej, please use the latest build. -126 release. *** This bug has been marked as a duplicate of bug 752453 *** |
SELinux is preventing /usr/libexec/devkit-power-daemon from read access on the chr_file 001. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that devkit-power-daemon should be allowed read access on the 001 chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep devkit-power-da /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Kontext zdroje system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 Kontext cíle system_u:object_r:usb_device_t:s0 Objekty cíle 001 [ chr_file ] Zdroj devkit-power-da Cesta zdroje /usr/libexec/devkit-power-daemon Port <Neznámé> Počítač mitmanek.ceplovi.cz RPM balíčky zdroje DeviceKit-power-014-3.el6 RPM balíčky cíle RPM politiky selinux-policy-3.7.19-125.el6 Selinux povolen True Typ politiky targeted Vynucovací režim Enforcing Název počítače mitmanek.ceplovi.cz Platforma Linux mitmanek.ceplovi.cz 2.6.32-214.el6.x86_64 #1 SMP Tue Oct 25 19:48:00 EDT 2011 x86_64 x86_64 Počet upozornění 10 Poprvé viděno Čt 10. listopad 2011, 10:52:02 CET Naposledy viděno Čt 10. listopad 2011, 10:52:03 CET Místní ID 162493be-ce80-4417-8556-e9b68fe125a0 Původní zprávy auditu type=AVC msg=audit(1320918723.180:43997): avc: denied { read } for pid=2976 comm="devkit-power-da" name="001" dev=devtmpfs ino=5382 scontext=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file type=SYSCALL msg=audit(1320918723.180:43997): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffb13cff40 a1=0 a2=d a3=fffffffd items=0 ppid=1 pid=2976 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=devkit-power-da exe=/usr/libexec/devkit-power-daemon subj=system_u:system_r:devicekit_power_t:s0-s0:c0.c1023 key=(null) Hash: devkit-power-da,devicekit_power_t,usb_device_t,chr_file,read audit2allow #============= devicekit_power_t ============== allow devicekit_power_t usb_device_t:chr_file read; audit2allow -R #============= devicekit_power_t ============== allow devicekit_power_t usb_device_t:chr_file read;