Selinux and hal

Bart Vanbrabant bart.vanbrabant at zoeloelip.be
Fri Mar 9 10:23:03 UTC 2007


Hello,

I'm using a fully updated rawhide installation. Today I got some updates
from extras. I think the problem started when the update of gutenprint
was installed. I keep getting this message from sealert:

Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "read" access to inotify
    (inotifyfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for inotify, restorecon -v inotify.
    There is currently no automatic way to allow this access. Instead, you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "hald_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P hald_disable_trans=1."

    The following command will allow this access:
    setsebool -P hald_disable_trans=1

Additional Information

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:inotifyfs_t
Target Objects                inotify [ dir ]
Affected RPM Packages
Policy RPM
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     duvel
Platform                      Linux duvel 2.6.20-1.2967.fc7PAE #1 SMP Tue Mar 6
                              14:49:37 EST 2007 i686 athlon
Alert Count                   261
First Seen                    Fri Mar  9 11:10:56 2007
Last Seen                     Fri Mar  9 11:10:58 2007
Local ID                      0057c30e-29d5-4a43-a1c7-1b382f49f813
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="hald" dev=inotifyfs egid=68 euid=68
exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 name="inotify"
path="inotify" pid=2255 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=68

I've already gotten more than 260 of those messages in 5 minutes. I had
to kill auditd when it used 58% of my 1GB RAM. For a daemon that has to
do some logging this is quite extreme.

Has anyone else seen this problem? Should I file bug reports somewhere?

thanks,

Bart

-- 
Bart Vanbrabant <bart.vanbrabant at zoeloelip.be>
PGP fingerprint: 093C BB84 17F6 3AA6 6D5E  FC4F 84E1 FED1 E426 64D1
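
Added example, not part of the original post: the raw AVC record quoted in the message carries the source type, target type, object class and permission that a local policy module would have to cover. This Python script collapses a flood of identical denials into one line per distinct access and prints the matching type-enforcement rule for review; the sample log is constructed from the record in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the AVC record from the post, unwrapped onto one line
# and repeated to mimic the alert flood described in the message.
AVC = ('avc: denied { read } for comm="hald" dev=inotifyfs egid=68 euid=68 '
       'exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
       'name="inotify" path="inotify" pid=2255 '
       'scontext=system_u:system_r:hald_t:s0 sgid=68 '
       'subj=system_u:system_r:hald_t:s0 suid=68 tclass=dir '
       'tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=68')
SAMPLE_LOG = "\n".join([AVC] * 3 + ["unrelated: not an avc line"])

PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, class, perms) or None if not a denial."""
    m = PERMS.search(line)
    if not m or not m.group(1).split():
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return stype, ttype, tclass, tuple(sorted(m.group(1).split()))

def summarize(log_text):
    """Collapse repeated denials into {type-enforcement rule: count}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            counts[f"allow {stype} {ttype}:{tclass} {perm_txt};"] += 1
    return dict(counts)

if __name__ == "__main__":
    for rule, n in summarize(SAMPLE_LOG).items():
        print(f"{n:4d}  {rule}")
```

The printed rule is the narrow alternative to the hald_disable_trans boolean, which removes confinement from hald entirely.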
