Bug 227704 - SELinux denial while starting haldaemon
Summary: SELinux denial while starting haldaemon
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 227713
Depends On:
Blocks:
Reported: 2007-02-07 17:37 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:15:14 UTC



Description Nalin Dahyabhai 2007-02-07 17:37:49 UTC
Description of problem:
hal 0.5.9 seems to need to be able to do more things than targeted policy
2.5.2-5.fc7 allowed for previous versions

Version-Release number of selected component (if applicable):
2.5.2-5.fc7

How reproducible:
Always

Steps to Reproduce:
1. try to start the haldaemon service

Additional info:
My audit log shows:
type=AVC msg=audit(1170866731.434:8): avc:  denied  { write } for  pid=3137
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1170866868.580:19): avc:  denied  { write } for  pid=3513
comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

This appears to be triggered by hald-generate-fdi-cache.

Comment 1 Will Woods 2007-02-07 23:03:32 UTC
*** Bug 227713 has been marked as a duplicate of this bug. ***

Comment 2 Will Woods 2007-02-07 23:05:42 UTC
Here's my audit message:

avc: denied { write } for comm="hald-generate-f" dev=dm-3 egid=0 euid=0
exe="/usr/libexec/hald-generate-fdi-cache" exit=-13 fsgid=0 fsuid=0 gid=0
items=0 name="hald" pid=3570 scontext=user_u:system_r:hald_t:s0 sgid=0
subj=user_u:system_r:hald_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0 

Comment 3 Daniel Walsh 2007-02-12 16:19:00 UTC
Fixed in  selinux-policy-2.5.2-7


Comment 4 Steve 2007-05-10 09:07:15 UTC
(In reply to comment #3)
> Fixed in  selinux-policy-2.5.2-7
> 

I've selinux-policy-2.6.1-1.fc7.

My audit message:
avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=dir

Comment 5 Steve 2007-05-10 10:05:55 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Fixed in  selinux-policy-2.5.2-7
> > 
> 
> I've selinux-policy-2.6.1-1.fc7.
> 
> My audit message:
> avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald"
> dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=dir

A "touch /.autorelabel && reboot" did it!



Comment 6 Daniel Walsh 2007-08-22 14:15:14 UTC
Should be fixed in the current release
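
A triage sketch for the denials quoted in this thread, added here as an example and not part of the bug report or of selinux-policy: it parses both record layouts shown above, collapses repeats by (source type, target type, class, permissions, name), and flags targets whose type is in a hand-picked list of generic types as relabel candidates. The GENERIC_TYPES list and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Denial records quoted in this bug, re-joined onto single lines.
SAMPLE = [
    'type=AVC msg=audit(1170866731.434:8): avc:  denied  { write } for  pid=3137 '
    'comm="hald-generate-f" name="hald" dev=dm-0 ino=6809187 '
    'scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'avc: denied { write } for comm="hald-generate-f" dev=dm-3 egid=0 euid=0 '
    'exe="/usr/libexec/hald-generate-fdi-cache" exit=-13 fsgid=0 fsuid=0 gid=0 '
    'items=0 name="hald" pid=3570 scontext=user_u:system_r:hald_t:s0 sgid=0 '
    'subj=user_u:system_r:hald_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0',
    'avc:  denied  { write } for  pid=2893 comm="hald-generate-f" name="hald" '
    'dev=dm-0 ino=32670049 scontext=user_u:system_r:hald_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=dir',
]

PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: generic types treated here as a hint that the object was never
# given a more specific label; this list is a heuristic, not policy data.
GENERIC_TYPES = {'var_t', 'file_t', 'default_t', 'unlabeled_t'}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial in either key order; None if it is not a denial."""
    m = PERMS.search(line)
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if not m or not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return (selinux_type(fields['scontext']), selinux_type(fields['tcontext']),
            fields['tclass'], tuple(sorted(m.group(1).split())), fields.get('name'))

def triage(lines):
    """Collapse repeated denials and flag targets that carry a generic type."""
    counts = Counter(rec for rec in map(parse_avc, lines) if rec)
    return [{'source': s, 'target': t, 'tclass': c, 'perms': p, 'name': n,
             'count': k, 'relabel_candidate': t in GENERIC_TYPES}
            for (s, t, c, p, n), k in counts.items()]

if __name__ == '__main__':
    for row in triage(SAMPLE):
        print(row)
```

For the records in this bug it yields a single group, hald_t writing to a var_t directory named hald, flagged as a relabel candidate, which matches the relabel reported in comment 5.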


