Bug 821268 - SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:886155125b700de9c7723118864...
Keywords: Reopened
Duplicates: 821211 824172
Blocks: 810161
Reported: 2012-05-13 13:54 EDT by Dominic Cleal
Modified: 2012-06-03 19:30 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-03 19:30:05 EDT
Description Dominic Cleal 2012-05-13 13:54:13 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.4-5.fc17.x86_64
time:           Sun 13 May 2012 18:53:56 BST

description:
:SELinux is preventing /usr/sbin/lspci from using the 'sys_admin' capabilities.
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow_polyinstantiation
:Then you must tell SELinux about this by enabling the 'allow_polyinstantiation' boolean.You can read 'xdm_selinux' man page for more details.
:Do
:setsebool -P allow_polyinstantiation 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that lspci should have the sys_admin capability by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep lspci /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        lspci
:Source Path                   /usr/sbin/lspci
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           pciutils-3.1.9-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7
:                              17:29:34 UTC 2012 x86_64 x86_64
:Alert Count                   27
:First Seen                    Sat 12 May 2012 21:58:09 BST
:Last Seen                     Sun 13 May 2012 18:51:58 BST
:Local ID                      2f3fd8ca-8bf7-4e4d-9885-94b266ca4e13
:
:Raw Audit Messages
:type=AVC msg=audit(1336931518.140:91): avc:  denied  { sys_admin } for  pid=1384 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1336931518.140:91): arch=x86_64 syscall=pread success=yes exit=ENONET a0=3 a1=246b3a0 a2=40 a3=0 items=0 ppid=1383 pid=1384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
:
:Hash: lspci,xdm_t,xdm_t,capability,sys_admin
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Dominic Cleal 2012-05-13 13:56:50 EDT
It looks like the fix for bug #810161 causes this.  There's a workaround in /etc/profile.d/qt-graphicssystem.sh (provided by qt-settings-4.8-10.fc17.noarch) that runs lspci through grep, and this is being run by gdm I think, causing AVC denials on each boot.
Comment 2 Miroslav Grepl 2012-05-13 16:04:54 EDT
*** Bug 821211 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2012-05-13 16:08:42 EDT
Fixed in selinux-policy-3.10.0-125.fc17
Comment 4 Rex Dieter 2012-05-14 10:24:05 EDT
I wasn't able to reproduce this using kdm + -121, so maybe gdm-specific somehow
Comment 5 Rex Dieter 2012-05-14 10:25:00 EDT
Marking as blocker for bug #810161 so this can get considered for f18 GA too
Comment 6 Rex Dieter 2012-05-14 10:30:03 EDT
Miroslav, mind if I add selinux-policy-3.10.0-125.fc17 to
https://admin.fedoraproject.org/updates/FEDORA-2012-7713

or did you have other things you want fixed in the meantime?
Comment 7 Rex Dieter 2012-05-14 10:32:46 EDT
oh, nvm, I don't see any -125 builds in koji yet, so I can't test either
Comment 8 Fedora Update System 2012-05-17 05:04:13 EDT
selinux-policy-3.10.0-125.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
Comment 9 Fedora Update System 2012-05-17 18:58:04 EDT
Package selinux-policy-3.10.0-125.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-125.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7953/selinux-policy-3.10.0-125.fc17
then log in and leave karma (feedback).
Comment 10 tuxor 2012-05-21 06:09:03 EDT
The update doesn't fix this issue for me. Still the same SELinux alert after GDM login. And I get this error on yum install:

/usr/share/selinux/devel/include/services/jetty.if: Syntax error on line 197673 jetty_cache_t [type=IDENTIFIER]

Gonna leave karma as soon as I remember my password ;)
Comment 11 Dominic Cleal 2012-05-21 06:11:49 EDT
(In reply to comment #10)
> The update doesn't fix this issue for me. Still the same SELinux alert after
> GDM login.

Yes, I still receive this denial:

type=AVC msg=audit(1337367403.289:92): avc:  denied  { sys_admin } for  pid=1441 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1337367403.289:92): arch=c000003e syscall=17 success=yes exit=64 a0=3 a1=abc3a0 a2=40 a3=0 items=0 ppid=1440 pid=1441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lspci" exe="/usr/sbin/lspci" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

> And I get this error on yum install:
> 
> /usr/share/selinux/devel/include/services/jetty.if: Syntax error on line
> 197673 jetty_cache_t [type=IDENTIFIER]

Tracked in bug #822320.
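The two record pairs quoted in this bug (the description's and comment 11's) carry the detail that decides the fix. Each AVC denial is followed by a SYSCALL record with the same serial number, and that record says success=yes exit=64: lspci's pread64 of 64 bytes of PCI configuration space went through. The sysfs PCI config-space read checks whether the caller holds CAP_SYS_ADMIN to decide how much of the config space to expose and proceeds either way, so the denial is a capability probe rather than an enforced block. In the description the same record appears in setroubleshoot's interpreted form, where the return value 64 was rendered as errno 64, ENONET. The script below is an added example, not code from this bug or from selinux-policy: it parses audit.log records, joins each AVC to its SYSCALL by serial, cross-checks that capability=21 really is sys_admin, and emits a dontaudit rule for probes and an allow rule only where the syscall actually failed. The third record pair in the sample is constructed for contrast; its sysfs_t target and inode number are invented.

```python
"""Pair SELinux AVC denials with their SYSCALL records before choosing a policy fix.

Added example, not code from this bug report or from selinux-policy. Input is
audit.log text: the two lspci/xdm_t pairs quoted in this bug plus one constructed pair.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Capability numbers from <linux/capability.h> (index = number); 21 is sys_admin, as in the AVCs here.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "linux_immutable", "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time", "sys_tty_config", "mknod",
    "lease", "audit_write", "audit_control", "setfcap",
]

# Constructed sample. Serials :91 and :92 are the pairs quoted in this bug (the description
# shows its SYSCALL line in setroubleshoot's interpreted form, so the raw form from comment 11
# is used for both). Serial :95 is invented: a denial the kernel enforced (success=no,
# exit=-13 EACCES), with an invented sysfs_t target and inode, for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1336931518.140:91): avc:  denied  { sys_admin } for  pid=1384 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1336931518.140:91): arch=c000003e syscall=17 success=yes exit=64 a0=3 a1=246b3a0 a2=40 a3=0 items=0 ppid=1383 pid=1384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lspci" exe="/usr/sbin/lspci" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1337367403.289:92): avc:  denied  { sys_admin } for  pid=1441 comm="lspci" capability=21  scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1337367403.289:92): arch=c000003e syscall=17 success=yes exit=64 a0=3 a1=abc3a0 a2=40 a3=0 items=0 ppid=1440 pid=1441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lspci" exe="/usr/sbin/lspci" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1337367410.000:95): avc:  denied  { read } for  pid=1450 comm="lspci" name="config" dev=sysfs ino=4242 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=SYSCALL msg=audit(1337367410.000:95): arch=c000003e syscall=2 success=no exit=-13 a0=abc400 a1=0 a2=0 a3=0 items=0 ppid=1440 pid=1450 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lspci" exe="/usr/sbin/lspci" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<rtype>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


@dataclass
class Denial:
    serial: str
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    perms: list
    capability: Optional[int] = None        # capability=N field of the AVC, if present
    syscall_success: Optional[bool] = None  # from the SYSCALL record with the same serial

    def capability_matches(self) -> bool:
        """Cross-check capability=N against the permission name the AVC spelled out."""
        if self.capability is None:
            return True
        return self.capability < len(CAP_NAMES) and CAP_NAMES[self.capability] == self.perms[0]

    def classify(self) -> str:
        """'probe': the kernel asked for the capability, was told no, and the syscall succeeded
        anyway (here pread64 returned 64 bytes). 'blocked': the syscall failed. 'unknown': no SYSCALL."""
        if self.syscall_success is None:
            return "unknown"
        return "probe" if self.syscall_success else "blocked"

    def te_rule(self) -> str:
        """Rule in the form audit2allow emits (its -D option gives the dontaudit form). A probe only
        needs silencing; a blocked access needs a decision, and the allow rule is only its starting point."""
        kind = "dontaudit" if self.classify() == "probe" else "allow"
        src, tgt = self.scontext.split(":")[2], self.tcontext.split(":")[2]
        target = "self" if self.scontext == self.tcontext else tgt
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"{kind} {src} {target}:{self.tclass} {perms};"


def parse_audit_log(text: str) -> list:
    """Collect denied AVC records and join each to the SYSCALL record sharing its serial."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        serial, body = m.group("serial"), m.group("body")
        if m.group("rtype") == "AVC" and (a := AVC_RE.match(body)):
            kv = parse_kv(a.group("rest"))
            denials[serial] = Denial(
                serial, kv.get("comm", "?"), kv["scontext"], kv["tcontext"], kv["tclass"],
                a.group("perms").split(), int(kv["capability"]) if "capability" in kv else None,
            )
        elif m.group("rtype") == "SYSCALL":
            syscalls[serial] = parse_kv(body)
    for serial, d in denials.items():
        if serial in syscalls:
            d.syscall_success = syscalls[serial].get("success") == "yes"
    return list(denials.values())


if __name__ == "__main__":
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{d.serial}: {d.comm} cap_ok={d.capability_matches()} "
              f"{d.classify():>7} -> {d.te_rule()}")
```

For the two real pairs this prints `dontaudit xdm_t self:capability sys_admin;`. The `audit2allow -M mypol` pipeline suggested in the description would instead emit `allow xdm_t self:capability sys_admin;`, which hands the display manager domain all of CAP_SYS_ADMIN in order to silence a log line; `audit2allow -D -M mypol` produces the dontaudit form, wrapped in the `require { type xdm_t; class capability sys_admin; }` block that checkmodule needs. Either local module is a stopgap to be removed with `semodule -r` once the fixed selinux-policy build (comments 12 and 24) is installed.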
Comment 12 Daniel Walsh 2012-05-21 09:39:43 EDT
Fixed in selinux-policy-3.10.0-126.fc17

There was a typo in the policy.
Comment 13 MotherDawg 2012-05-26 17:40:05 EDT
Hi guys,

First: THANK YOU for all the work you're doing to fix things.

Second: I'm also getting this so I went ahead and tried:

# yum update --enablerepo=updates-testing selinux-policy-3.10.0-126.fc17

"No package selinux-policy-3.10.0-126.fc17 available."

I'll be patient, not to worry.

My question is: I jumped from F13 to F17Beta and SELinux errors like this used to trigger a "reporting bug" option out of the SELinux troubleshooter. It would find any already open bug report.

I now have to manually look for them... my fear is to open a new bug for nothing.


Again Thanks for all your work.
Comment 14 collura 2012-05-27 04:38:44 EDT
from comment #13

  > "No package selinux-policy-3.10.0-126.fc17 available."

still don't see it in the updates-testing repo, but
if you want to experiment, look for the download link at:

  http://koji.fedoraproject.org/koji/buildinfo?buildID=320274

happy testing :')
Comment 15 collura 2012-05-27 04:42:28 EDT
related bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=824172
Comment 16 Kevin Kofler 2012-05-27 06:01:38 EDT
*** Bug 824172 has been marked as a duplicate of this bug. ***
Comment 17 Fedora Update System 2012-05-27 21:20:40 EDT
selinux-policy-3.10.0-125.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Kevin Kofler 2012-05-27 21:26:49 EDT
selinux-policy-3.10.0-125.fc17 does not work as per comment #10, need at least selinux-policy-3.10.0-126.fc17!
Comment 19 tuxor 2012-05-30 17:53:29 EDT
I'm getting this unnerving selinux error on every single boot. Please don't feel offended, but why do we have to wait for selinux-policy-3.10.0-126.fc17 for so long?
Comment 20 MotherDawg 2012-05-30 21:21:55 EDT
Hi Tuxor

Well, some coders do have a life! They're sysadmins for a company during the day or, like me, during the night (no life :) and mainly for testing and quality assurance so that when you do get it, it works.

Usually, not like selinux-policy-3.10.0-125.fc17 which would have cured it 2 weeks ago.

Cya and...

*** How poor are they that have not patience! What wound did ever heal but by degrees? ~William Shakespeare, Othello, 1604
Comment 21 Fedora Update System 2012-05-31 02:24:56 EDT
selinux-policy-3.10.0-128.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-128.fc17
Comment 22 Miroslav Grepl 2012-05-31 02:55:48 EDT
Tuxor,
you can read more about how we do updates on

http://mgrepl.wordpress.com/2012/04/24/how-do-we-do-selinux-policy-updates/

Also we do new builds very often but as you can read in the blog, we are not able to do new updates with each build. So you can always check

http://koji.fedoraproject.org/koji/packageinfo?packageID=32

for new builds. Thanks for your testing.
Comment 23 Fedora Update System 2012-06-01 13:07:30 EDT
Package selinux-policy-3.10.0-128.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-128.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8720/selinux-policy-3.10.0-128.fc17
then log in and leave karma (feedback).
Comment 24 Jonathan Abbey 2012-06-01 13:07:52 EDT
selinux-policy-3.10.0-128.fc17 fixes this issue for me, thanks.
Comment 25 Fedora Update System 2012-06-03 19:30:05 EDT
selinux-policy-3.10.0-128.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.