SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown> (system_crond_var_lib_t)., and others

Antonio Olivares olivares14031 at yahoo.com
Fri Dec 21 19:57:48 UTC 2007


Dear all,

running rawhide:
[olivares@localhost ~]$ uname -a
Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP Tue Dec 18 23:57:17 EST 2007 i686 athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 8.90 (Rawhide)
[olivares@localhost ~]$


After a while of booting with enforcing=0, setroubleshoot now kicks in and is reporting lots of havoc, notably the following:

Summary
    SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown>
    (system_crond_var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                unconfined_u:system_r:hald_t
Target Context                system_u:object_r:system_crond_var_lib_t
Target Objects                None [ file ]
Affected RPM Packages         hal-0.5.10-3.fc9 [application]
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   2
First Seen                    Fri 21 Dec 2007 01:49:40 PM CST
Last Seen                     Fri 21 Dec 2007 01:49:53 PM CST
Local ID                      c4301741-d5e1-42f5-9c6d-0008aeef8586
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320
scontext=unconfined_u:system_r:hald_t:s0 sgid=0
subj=unconfined_u:system_r:hald_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0


It now makes sense that haldaemon does not run, because SELinux prevents it from doing so:

[root@localhost ~]# service haldaemon status
hald is stopped
[root@localhost ~]# service haldaemon start
Starting HAL daemon:                                       [FAILED]
[root@localhost ~]# service haldaemon stop
Stopping HAL daemon:                                       [FAILED]
[root@localhost ~]# service haldaemon restart
Stopping HAL daemon:                                       [FAILED]
Starting HAL daemon:                                       [FAILED]
[root@localhost ~]#


K3b tells me the following:  

* similar to what Antonio M. also previously told us * 

No CD/DVD writer found.
K3b did not find an optical writing device in your system. Thus, you will not be able to burn CDs or DVDs. However, you can still use other K3b features like audio track extraction or audio transcoding or ISO9660 image creation.


I am about to go to the holidays, just reporting an observation.  Should I file bugs or has this been taken care of?  Thanks to all for reading this far.

I also saw this:

Summary
    SELinux prevented dbus-daemon from using the terminal /dev/tty1.

Detailed Description
    SELinux prevented dbus-daemon from using the terminal /dev/tty1. In most
    cases daemons do not need to interact with the terminal, usually these avc
    messages can be ignored.  All of the confined daemons should have dontaudit
    rules around using the terminal.  Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
    policy.  If you would like to allow all daemons to interact with the
    terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
    Changing the "allow_daemons_use_tty" boolean to true will allow this access:
    "setsebool -P allow_daemons_use_tty=1."

    The following command will allow this access:
    setsebool -P allow_daemons_use_tty=1

Additional Information        

Source Context                unconfined_u:unconfined_r:unconfined_dbusd_t
                              :SystemLow-SystemHigh
Target Context                unconfined_u:object_r:unconfined_tty_device_t
Target Objects                /dev/tty1 [ chr_file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_daemons_use_tty
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   7
First Seen                    Wed 19 Dec 2007 07:36:11 PM CST
Last Seen                     Fri 21 Dec 2007 01:29:01 PM CST
Local ID                      66ca0ade-760e-4112-9557-5c46b66b1296
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1
pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0


and this one

Summary
    SELinux is preventing access to files with the label, file_t.

Detailed Description
    SELinux permission checks on files labeled file_t are being denied.  file_t
    is the context the SELinux kernel gives to files that do not have a label.
    This indicates a serious labeling problem. No files on an SELinux box should
    ever be labeled file_t. If you have just added a new disk drive to the
    system you can relabel it using the restorecon command.  Otherwise you
    should relabel the entire files system.

Allowing Access
    You can execute the following command as root to relabel your computer
    system: "touch /.autorelabel; reboot"

Additional Information        

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:file_t
Target Objects                /tmp/virtual-olivares.1dNZIJ [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Fri 21 Dec 2007 10:36:45 AM CST
Last Seen                     Fri 21 Dec 2007 10:36:45 AM CST
Local ID                      59f19014-265b-4a97-96ff-b86653d2fe1d
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-
olivares.1dNZIJ pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:file_t:s0


Happy Holidays -> Merry Christmas and a Happy New Year!


Regards,

Antonio 
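
The three raw audit messages in the report above can be parsed and triaged mechanically. This Python sketch is an added example, not part of the original post or of setroubleshoot; the function names, the hint strings and the `tty_device_t` suffix check are assumptions made for illustration, and the hints only mirror the advice text quoted in the report.

```python
import re

# Raw audit messages copied from the report, keeping the mail's line wrapping.
RAW = """\
avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320
scontext=unconfined_u:system_r:hald_t:s0 sgid=0
subj=unconfined_u:system_r:hald_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0

avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1
pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0

avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-
olivares.1dNZIJ pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:file_t:s0
"""

def parse_avc(record):  # one 'avc: denied' record -> dict, or None
    m = re.match(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", record, re.S)
    if not m:
        return None
    fields, last = {"perms": m.group(1).split()}, None
    for tok in m.group(2).split():
        if "=" in tok:
            last, value = tok.split("=", 1)
            fields[last] = value
        elif last:
            fields[last] += tok  # value split by mail wrapping (the /tmp path)
    return fields

def se_type(context):  # type is the third field of user:role:type[:level]
    return context.split(":")[2]

def triage(f):
    """Map a denial to the remedy the setroubleshoot text suggests."""
    target = se_type(f["tcontext"])
    if target == "file_t":
        return "unlabeled target: relabel (restorecon or /.autorelabel)"
    if f["tclass"] == "chr_file" and target.endswith("tty_device_t"):
        return "daemon touching a tty: dontaudit rule or allow_daemons_use_tty"
    return "catch-all: check the target's label, then report against policy"

def analyze(raw):
    parsed = filter(None, map(parse_avc, re.split(r"\n\s*\n", raw.strip())))
    return [(f["comm"], se_type(f["scontext"]), f["perms"],
             se_type(f["tcontext"]), f["tclass"], triage(f)) for f in parsed]

for row in analyze(RAW): print(row)
```

The hald denial is the only one that falls through to the catch-all branch, which matches the `plugins.catchall_file` plugin named in its report.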








More information about the fedora-test-list mailing list