Bug 903676 (libselinux-procfs) - SELinux is preventing /usr/lib/systemd/systemd-udevd from 'write' accesses on the directory watch.
Summary: SELinux is preventing /usr/lib/systemd/systemd-udevd from 'write' accesses on...
Keywords:
Status: CLOSED RAWHIDE
Alias: libselinux-procfs
Product: Fedora
Classification: Fedora
Component: libselinux
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c9138492d8e81f38f00647c9ebe...
: 903677 903678 903679 903680 903681 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-24 14:58 UTC by Martin
Modified: 2014-09-15 00:04 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-24 22:45:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Martin 2013-01-24 14:58:40 UTC 
Description of problem:
Upgrade from clean installed F18 to F19 Rawhide.
SELinux is preventing /usr/lib/systemd/systemd-udevd from 'write' accesses on the directory watch.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-udevd should be allowed write access on the watch directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-udevd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sound_device_t:s0
Target Objects                watch [ dir ]
Source                        systemd-udevd
Source Path                   /usr/lib/systemd/systemd-udevd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-195-15.fc18.x86_64
                              systemd-197-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-66.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-4.fc18.x86_64 #1 SMP Tue
                              Dec 11 18:01:27 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2013-01-24 15:07:31 CET
Last Seen                     2013-01-24 15:07:31 CET
Local ID                      a00a2815-cd70-4f5c-a380-ace5d428560f

Raw Audit Messages
type=AVC msg=audit(1359036451.123:338): avc:  denied  { write } for  pid=3069 comm="systemd-udevd" name="watch" dev="tmpfs" ino=37767 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir


type=AVC msg=audit(1359036451.123:338): avc:  denied  { add_name } for  pid=3069 comm="systemd-udevd" name="1" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sound_device_t:s0 tclass=dir


type=SYSCALL msg=audit(1359036451.123:338): arch=x86_64 syscall=symlink success=yes exit=0 a0=7f41d3df8b90 a1=7fff4d64c860 a2=7f41d2c97770 a3=7 items=0 ppid=1 pid=3069 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-udevd exe=/usr/lib/systemd/systemd-udevd subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

Hash: systemd-udevd,udev_t,sound_device_t,dir,write

audit2allow

#============= udev_t ==============
#!!!! The source type 'udev_t' can write to a 'dir' of the following types:
# etc_mail_t, sysctl_type, xend_var_log_t, net_conf_t, mqueue_spool_t, postgresql_db_t, data_home_t, filesystem_type, cache_home_t, nx_server_var_lib_t, var_spool_t, var_log_t, init_var_run_t, modules_object_t, virt_var_run_t, device_t, var_lib_t, var_run_t, etc_t, httpd_sys_content_t, systemd_passwd_var_run_t, home_root_t, admin_home_t, httpd_user_script_exec_t, httpd_user_content_t, udev_rules_t, semanage_store_t, krb5kdc_conf_t, krb5_host_rcache_t, virt_home_t, user_home_dir_t, unlabeled_t, hugetlbfs_t, proc_type, mail_spool_t, file_type, device_t, devpts_t, etc_t, config_home_t, bin_t, boot_t, root_t, tmp_t, usr_t, var_t, user_tmp_t, cupsd_etc_t, postfix_etc_t, udev_var_run_t, var_run_t

allow udev_t sound_device_t:dir { write add_name };

audit2allow -R

#============= udev_t ==============
#!!!! The source type 'udev_t' can write to a 'dir' of the following types:
# etc_mail_t, sysctl_type, xend_var_log_t, net_conf_t, mqueue_spool_t, postgresql_db_t, data_home_t, filesystem_type, cache_home_t, nx_server_var_lib_t, var_spool_t, var_log_t, init_var_run_t, modules_object_t, virt_var_run_t, device_t, var_lib_t, var_run_t, etc_t, httpd_sys_content_t, systemd_passwd_var_run_t, home_root_t, admin_home_t, httpd_user_script_exec_t, httpd_user_content_t, udev_rules_t, semanage_store_t, krb5kdc_conf_t, krb5_host_rcache_t, virt_home_t, user_home_dir_t, unlabeled_t, hugetlbfs_t, proc_type, mail_spool_t, file_type, device_t, devpts_t, etc_t, config_home_t, bin_t, boot_t, root_t, tmp_t, usr_t, var_t, user_tmp_t, cupsd_etc_t, postfix_etc_t, udev_var_run_t, var_run_t

allow udev_t sound_device_t:dir { write add_name };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.10-4.fc18.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-01-24 22:43:04 UTC 
Fixed in libselinux-2.1.12-18.fc19.x86_64
Comment 2 Daniel Walsh 2013-01-24 22:44:33 UTC 
*** Bug 903679 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Walsh 2013-01-24 22:44:37 UTC 
*** Bug 903678 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2013-01-24 22:44:41 UTC 
*** Bug 903677 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Walsh 2013-01-24 22:45:57 UTC 
*** Bug 903681 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2013-01-24 22:46:40 UTC 
*** Bug 903680 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.