Dear all,

running rawhide:

[olivares@localhost ~]$ uname -a
Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP Tue Dec 18 23:57:17 EST 2007 i686 athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 8.90 (Rawhide)
[olivares@localhost ~]$

After a while of booting with enforcing=0, and now setroubleshoot kicks
in, it is reporting lots of havoc, notably the following:

Summary

SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown>
(system_crond_var_lib_t).

Detailed Description

SELinux denied access requested by /usr/sbin/hald. It is not expected
that this access is required by /usr/sbin/hald and this access may signal
an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>,

restorecon -v <Unknown>

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context                unconfined_u:system_r:hald_t
Target Context                system_u:object_r:system_crond_var_lib_t
Target Objects                None [ file ]
Affected RPM Packages         hal-0.5.10-3.fc9 [application]
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   2
First Seen                    Fri 21 Dec 2007 01:49:40 PM CST
Last Seen                     Fri 21 Dec 2007 01:49:53 PM CST
Local ID                      c4301741-d5e1-42f5-9c6d-0008aeef8586
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320 scontext=unconfined_u:system_r:hald_t:s0 sgid=0 subj=unconfined_u:system_r:hald_t:s0 suid=0 tclass=file tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0

It now makes sense that haldaemon does not run because selinux prevents
it from doing so:

[root@localhost ~]# service haldaemon status
hald is stopped
[root@localhost ~]# service haldaemon start
Starting HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon stop
Stopping HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon restart
Stopping HAL daemon: [FAILED]
Starting HAL daemon: [FAILED]
[root@localhost ~]#

K3b tells me the following:
* similar to what Antonio M. also previously told us *

No CD/DVD writer found.
K3b did not find an optical writing device in your system. Thus, you will
not be able to burn CDs or DVDs. However, you can still use other K3b
features like audio track extraction or audio transcoding or ISO9660
image creation.

I am about to go to the holidays, just reporting an observation. Should I
file bugs or has this been taken care of?

Thanks to all for reading this far.

I also saw this:

Summary

SELinux prevented dbus-daemon from using the terminal /dev/tty1.

Detailed Description

SELinux prevented dbus-daemon from using the terminal /dev/tty1. In most
cases daemons do not need to interact with the terminal, usually these
avc messages can be ignored. All of the confined daemons should have
dontaudit rules around using the terminal. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
selinux-policy. If you would like to allow all daemons to interact with
the terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access

Changing the "allow_daemons_use_tty" boolean to true will allow this
access: "setsebool -P allow_daemons_use_tty=1."

The following command will allow this access:

setsebool -P allow_daemons_use_tty=1

Additional Information

Source Context                unconfined_u:unconfined_r:unconfined_dbusd_t:SystemLow-SystemHigh
Target Context                unconfined_u:object_r:unconfined_tty_device_t
Target Objects                /dev/tty1 [ chr_file ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_daemons_use_tty
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   7
First Seen                    Wed 19 Dec 2007 07:36:11 PM CST
Last Seen                     Fri 21 Dec 2007 01:29:01 PM CST
Local ID                      66ca0ade-760e-4112-9557-5c46b66b1296
Line Numbers

Raw Audit Messages

avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1 pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0

and this one

Summary

SELinux is preventing access to files with the label, file_t.

Detailed Description

SELinux permission checks on files labeled file_t are being denied.
file_t is the context the SELinux kernel gives to files that do not have
a label. This indicates a serious labeling problem. No files on an
SELinux box should ever be labeled file_t.
If you have just added a new disk drive to the system you can relabel it
using the restorecon command. Otherwise you should relabel the entire
files system.

Allowing Access

You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"

Additional Information

Source Context                system_u:system_r:tmpreaper_t
Target Context                system_u:object_r:file_t
Target Objects                /tmp/virtual-olivares.1dNZIJ [ dir ]
Affected RPM Packages
Policy RPM                    selinux-policy-3.2.5-2.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.file
Host Name                     localhost
Platform                      Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
                              Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count                   1
First Seen                    Fri 21 Dec 2007 10:36:45 AM CST
Last Seen                     Fri 21 Dec 2007 10:36:45 AM CST
Local ID                      59f19014-265b-4a97-96ff-b86653d2fe1d
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-olivares.1dNZIJ pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:file_t:s0

Happy Holidays -> Merry Christmas and a Happy New Year!

Regards,

Antonio
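
An added example, not part of the original post and not setroubleshoot's own code: a small Python triage that parses the three raw audit messages quoted in the post and sorts them along the lines of the three reports (unlabeled file_t target, daemon touching a tty, everything else for review). The category names and the matching heuristics are assumptions made for this example.

```python
import re

# Raw audit messages copied from the three alerts in the post.
SAMPLE_AVCS = [
    "avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320 "
    "scontext=unconfined_u:system_r:hald_t:s0 sgid=0 subj=unconfined_u:system_r:hald_t:s0 "
    "suid=0 tclass=file tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0",
    "avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1 pid=28235 "
    "scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=chr_file "
    "tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0",
    "avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-olivares.1dNZIJ "
    "pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
    "tcontext=system_u:object_r:file_t:s0",
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Split one AVC denial into permissions, key=value fields and SELinux types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    # A context is user:role:type[:mls-range]; the type is always the third element.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "target": fields.get("path") or fields.get("name") or "<Unknown>",
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def triage(avc):
    """Return (category, suggested next step); heuristics are this example's assumptions."""
    if avc["ttype"] == "file_t":
        return "unlabeled", "relabel (restorecon, or touch /.autorelabel and reboot)"
    if avc["tclass"] == "chr_file" and avc["ttype"].endswith("tty_device_t"):
        return "daemon-tty", "usually ignorable; report so policy gets a dontaudit rule"
    rule = "allow {stype} {ttype}:{tclass} {{ {p} }};".format(p=" ".join(avc["perms"]), **avc)
    return "review", "check the target's label first; candidate rule: " + rule

def triage_all(lines):
    return [(a["comm"], a["target"]) + triage(a) for a in map(parse_avc, lines) if a]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_AVCS):
        print(" | ".join(row))
```

The candidate rule printed for the hald denial is only a starting point for review: the target type system_crond_var_lib_t on a file named PolicyKit.reload suggests checking the file's label before considering any local policy module.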