Bug 856216 - SELinux is preventing /usr/bin/dbus-daemon from read, write access on the blk_file /dev/sdd.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-11 09:18 EDT by Elad Alfassa
Modified: 2013-04-23 03:53 EDT
Doc Type: Bug Fix
Last Closed: 2012-12-20 10:08:12 EST

Attachments:
File: type (9 bytes, text/plain), 2012-09-11 09:18 EDT, Elad Alfassa
File: hashmarkername (14 bytes, text/plain), 2012-09-11 09:18 EDT, Elad Alfassa

Description Elad Alfassa 2012-09-11 09:18:17 EDT
Additional info:
libreport version: 2.0.13
kernel:         3.6.0-0.rc4.git2.1.fc18.x86_64

description:
:SELinux is preventing /usr/bin/dbus-daemon from read, write access on the blk_file /dev/sdd.
:
:Tried to benchmark an sdcard using gnome-disk-utility
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that dbus-daemon should be allowed read write access on the sdd blk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep dbus-daemon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:fixed_disk_device_t:s0
:Target Objects                /dev/sdd [ blk_file ]
:Source                        dbus-daemon
:Source Path                   /usr/bin/dbus-daemon
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           dbus-1.6.0-2.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-16.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.0-0.rc4.git2.1.fc18.x86_64 #1
:                              SMP Fri Sep 7 12:36:02 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-09-11 15:17:09 CEST
:Last Seen                     2012-09-11 15:17:09 CEST
:Local ID                      ecd84a4a-a35b-4501-b500-98a5c85a579d
:
:Raw Audit Messages
:type=AVC msg=audit(1347369429.113:69): avc:  denied  { read write } for  pid=483 comm="dbus-daemon" path="/dev/sdd" dev="devtmpfs" ino=34721 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
:
:
:type=SYSCALL msg=audit(1347369429.113:69): arch=x86_64 syscall=recvmsg success=yes exit=ENOSTR a0=21 a1=7fff80967aa0 a2=40000000 a3=0 items=0 ppid=1 pid=483 auid=4294967295 uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295 comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: dbus-daemon,system_dbusd_t,fixed_disk_device_t,blk_file,read,write
:
:audit2allow
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t fixed_disk_device_t:blk_file { read write };
:
:audit2allow -R
:
:#============= system_dbusd_t ==============
:allow system_dbusd_t fixed_disk_device_t:blk_file { read write };
:
Comment 1 Elad Alfassa 2012-09-11 09:18:21 EDT
Created attachment 611768 [details]
File: type
Comment 2 Elad Alfassa 2012-09-11 09:18:24 EDT
Created attachment 611769 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-09-12 07:53:15 EDT
Do you know what you were doing when this happened?
Comment 4 Elad Alfassa 2012-09-12 07:58:01 EDT
As I've written in the report, I tried to benchmark an sdcard using gnome-disk-utility

(this line is easily missed because I appended it manually when the report was shown on the screen, and ABRT does not distinguish between machine generated and user-written data in the bugzilla output)



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 5 Miroslav Grepl 2012-09-12 09:25:51 EDT
I apologize, I missed this. Thank you.
Comment 6 Daniel Walsh 2012-09-18 10:24:14 EDT
Colin any ideas?  Is this dbus being used to pass an open file descriptor?
Comment 7 Colin Walters 2012-09-18 10:32:47 EDT
(In reply to comment #6)
> Colin any ideas?  Is this dbus being used to pass an open file descriptor?

Very likely, yes - my guess is specifically between gnome-disk-utility and udisks.
Comment 8 Daniel Walsh 2012-09-18 11:35:43 EDT
Elad did it work?  Or did SELinux break it.  Looks like the syscalls are returning success.  "success=true"
Comment 9 Elad Alfassa 2012-09-18 11:53:06 EDT
It did not work, I got an error "Message did not receive a reply (timeout by message bus) (g-dbus-error-quark, 4)"




Comment 10 Daniel Walsh 2012-09-19 21:34:28 EDT
Ok if you put the machine into permissive mode does it work?
Comment 11 Daniel Walsh 2012-09-19 21:43:11 EDT
Steven or Eric would the kernel get involved here and close the socket?
Comment 12 David Zeuthen 2012-10-16 12:35:27 EDT
(In reply to comment #6)
> Colin any ideas?  Is this dbus being used to pass an open file descriptor?

In general any D-Bus application can pass any file descriptor to any file to any other D-Bus application.

In this case the desktop application GNOME Disks is calling this method

 http://udisks.freedesktop.org/docs/latest/gdbus-org.freedesktop.UDisks2.Block.html#gdbus-method-org-freedesktop-UDisks2-Block.OpenForBackup

So in this specific case, you need to change SELinux so it doesn't complain when udisks is passing a file descriptor for a block device.

I remember filing bugs about this a couple of times (but I don't have the bug numbers handy), not sure why it keeps popping up.
Comment 13 David Zeuthen 2012-10-16 12:36:51 EDT
(In reply to comment #12)
> (In reply to comment #6)
> > Colin any ideas?  Is this dbus being used to pass an open file descriptor?
> 
> In general any D-Bus application can pass any file descriptor to any file to
> any other D-Bus application.
> 
> In this case the desktop application GNOME Disks is calling this method
> 
>  http://udisks.freedesktop.org/docs/latest/gdbus-org.freedesktop.UDisks2.Block.html#gdbus-method-org-freedesktop-UDisks2-Block.OpenForBackup

Actually as per comment 4, this is the method that selinux is interfering with

http://udisks.freedesktop.org/docs/latest/gdbus-org.freedesktop.UDisks2.Block.html#gdbus-method-org-freedesktop-UDisks2-Block.OpenForBenchmark
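
Added example (not part of the bug report, and not code from any Fedora or SELinux tool): a small Python triage helper that pairs each AVC record with the SYSCALL record sharing its audit event id, as in the raw messages in the description, and flags a file-class denial raised during `recvmsg`, the pattern comments 6 to 13 attribute to a file descriptor being passed over D-Bus. The function names, the `recvmsg` heuristic and the shortened SYSCALL line are assumptions of this example.

```python
import re
from collections import defaultdict

# Raw audit records from the report above; the SYSCALL line is shortened.
SAMPLE = """type=AVC msg=audit(1347369429.113:69): avc:  denied  { read write } for  pid=483 comm="dbus-daemon" path="/dev/sdd" dev="devtmpfs" ino=34721 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1347369429.113:69): arch=x86_64 syscall=recvmsg success=yes exit=ENOSTR a0=21 pid=483 uid=81 comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*\bscontext=(\S+) tcontext=(\S+) tclass=(\S+)")
FIELDS = re.compile(r"\b(syscall|success|exe)=(\S+)")
FILE_CLASSES = {"file", "blk_file", "chr_file", "fifo_file", "sock_file"}
# Syscall names as they appear in interpreted output (e.g. `ausearch -i`);
# raw audit.log lines carry arch-specific numbers instead.
RECV_CALLS = {"recvmsg", "recvmmsg"}

def setype(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def triage(log_text):
    """Group records by audit event id and describe each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        if rtype == "AVC" and AVC.search(line):
            events[event_id]["avc"] = AVC.search(line).groups()
        elif rtype == "SYSCALL":
            events[event_id]["syscall"] = dict(FIELDS.findall(line))
    findings = []
    for event_id, rec in events.items():
        if "avc" not in rec:
            continue
        perms, scon, tcon, tclass = rec["avc"]
        sc = rec.get("syscall", {})
        findings.append({
            "event": event_id,
            # Same rule text audit2allow printed in the report; for review only.
            "rule": f"allow {setype(scon)} {setype(tcon)}:{tclass} {{ {perms} }};",
            "syscall": sc.get("syscall"),
            "success": sc.get("success"),
            # Heuristic (assumption of this example): a file-class denial raised
            # inside recvmsg points at a descriptor received over a socket.
            "fd_passing_suspected": sc.get("syscall") in RECV_CALLS and tclass in FILE_CLASSES,
        })
    return findings
```

On the report's records this yields one finding with `fd_passing_suspected` set, which tells a reviewer that the rule would let `system_dbusd_t` accept passed descriptors for any `fixed_disk_device_t` block device, not that dbus-daemon opened `/dev/sdd` itself.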
Comment 14 David Zeuthen 2012-10-22 11:48:40 EDT
Any chance the selinux policy for this will get fixed anytime soon? It's quite annoying being forced to use permissive mode. Thanks.
Comment 15 Miroslav Grepl 2012-10-23 12:02:35 EDT
I would like to know if this is still happening with the latest policy.
Comment 16 Peter Hjalmarsson 2012-10-25 04:33:16 EDT
(In reply to comment #15)
> I would like to know if this is still happening with the latest policy.

Which version do you mean with "the latest policy"?
This bug happened to me today with a Fedora 18 installation updated as late as today. Adding the "mypol" workaround works.
Comment 17 Peter Hjalmarsson 2012-10-25 05:19:57 EDT
I upgraded selinux-policy-*-3.11.1-44.fc18 directly from koji to really get the latest versions. Still no cigar.
Comment 18 Daniel Walsh 2012-10-25 14:08:10 EDT
Fixed in selinux-policy-3.11.1-45.fc18.noarch
Comment 19 Fedora Update System 2012-10-26 11:36:02 EDT
selinux-policy-3.11.1-46.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-46.fc18
Comment 20 Fedora Update System 2012-10-26 15:25:19 EDT
Package selinux-policy-3.11.1-46.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-46.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16862/selinux-policy-3.11.1-46.fc18
then log in and leave karma (feedback).
Comment 21 Fedora Update System 2012-12-20 10:08:17 EST
selinux-policy-3.11.1-46.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Phil V 2013-04-22 22:45:17 EDT
I think this is an ongoing issue.

with 
# setenforce 1  

I'm still getting 

"An error occurred.
Message did not receive a reply (timeout by message bus) (g-dbus-error-quark, 4)"

# setenforce 0 

allows the benchmark to run successfully.


I have updated to selinux-policy-3.11.1-87.fc18.noarch
but have not rebooted since 2013-apr-8.  

# uname -a
Linux localhost.localdomain 3.8.5-201.fc18.x86_64 #1 SMP Thu Mar 28 21:01:19 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Comment 23 Miroslav Grepl 2013-04-23 03:53:24 EDT
What AVC msgs are you getting?
