SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown> (system_crond_var_lib_t)., and others - Linux Archive
12-21-2007, 06:57 PM
Antonio Olivares

SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown> (system_crond_var_lib_t)., and others

Dear all,

running rawhide:
[olivares@localhost ~]$ uname -a
Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP Tue Dec 18 23:57:17 EST 2007 i686 athlon i386 GNU/Linux
[olivares@localhost ~]$ cat /etc/fedora-release
Fedora release 8.90 (Rawhide)
[olivares@localhost ~]$


After a while of booting with enforcing=0, and now setroubleshoot kicks in, it is reporting lots of havoc, notably the following:

Summary
SELinux is preventing /usr/sbin/hald (hald_t) "read" to <Unknown>
(system_crond_var_lib_t).

Detailed Description
SELinux denied access requested by /usr/sbin/hald. It is not expected that
this access is required by /usr/sbin/hald and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown> If this does not work, there is currently no automatic way to
allow this access. Instead, you can generate a local policy module to allow
this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context unconfined_u:system_r:hald_t
Target Context system_u:object_r:system_crond_var_lib_t
Target Objects None [ file ]
Affected RPM Packages hal-0.5.10-3.fc9 [application]
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 2
First Seen Fri 21 Dec 2007 01:49:40 PM CST
Last Seen Fri 21 Dec 2007 01:49:53 PM CST
Local ID c4301741-d5e1-42f5-9c6d-0008aeef8586
Line Numbers

Raw Audit Messages

avc: denied { read } for comm=hald dev=dm-0 egid=0 euid=0 exe=/usr/sbin/hald
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=PolicyKit.reload pid=30320
scontext=unconfined_u:system_r:hald_t:s0 sgid=0
subj=unconfined_u:system_r:hald_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:system_crond_var_lib_t:s0 tty=(none) uid=0


It now makes sense that haldaemon does not run, because SELinux prevents it from doing so:

[root@localhost ~]# service haldaemon status
hald is stopped
[root@localhost ~]# service haldaemon start
Starting HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon stop
Stopping HAL daemon: [FAILED]
[root@localhost ~]# service haldaemon restart
Stopping HAL daemon: [FAILED]
Starting HAL daemon: [FAILED]
[root@localhost ~]#


K3b tells me the following:

* similar to what Antonio M. also previously told us *

No CD/DVD writer found.
K3b did not find an optical writing device in your system. Thus, you will not be able to burn CDs or DVDs. However, you can still use other K3b features like audio track extraction or audio transcoding or ISO9660 image creation.


I am about to leave for the holidays, just reporting an observation. Should I file bugs, or has this been taken care of? Thanks to all for reading this far.

I also saw this:

Summary
SELinux prevented dbus-daemon from using the terminal /dev/tty1.

Detailed Description
SELinux prevented dbus-daemon from using the terminal /dev/tty1. In most
cases daemons do not need to interact with the terminal, usually these avc
messages can be ignored. All of the confined daemons should have dontaudit
rules around using the terminal. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this selinux-
policy. If you would like to allow all daemons to interact with the
terminal, you can turn on the allow_daemons_use_tty boolean.

Allowing Access
Changing the "allow_daemons_use_tty" boolean to true will allow this access:
"setsebool -P allow_daemons_use_tty=1."

The following command will allow this access:
setsebool -P allow_daemons_use_tty=1

Additional Information

Source Context unconfined_u:unconfined_r:unconfined_dbusd_t:SystemLow-SystemHigh
Target Context unconfined_u:object_r:unconfined_tty_device_t
Target Objects /dev/tty1 [ chr_file ]
Affected RPM Packages
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_daemons_use_tty
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 7
First Seen Wed 19 Dec 2007 07:36:11 PM CST
Last Seen Fri 21 Dec 2007 01:29:01 PM CST
Local ID 66ca0ade-760e-4112-9557-5c46b66b1296
Line Numbers

Raw Audit Messages

avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1
pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023
tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0


and this one

Summary
SELinux is preventing access to files with the label, file_t.

Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.

Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"

Additional Information

Source Context system_u:system_r:tmpreaper_t
Target Context system_u:object_r:file_t
Target Objects /tmp/virtual-olivares.1dNZIJ [ dir ]
Affected RPM Packages
Policy RPM selinux-policy-3.2.5-2.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.file
Host Name localhost
Platform Linux localhost 2.6.24-0.115.rc5.git5.fc9 #1 SMP
Tue Dec 18 23:57:17 EST 2007 i686 athlon
Alert Count 1
First Seen Fri 21 Dec 2007 10:36:45 AM CST
Last Seen Fri 21 Dec 2007 10:36:45 AM CST
Local ID 59f19014-265b-4a97-96ff-b86653d2fe1d
Line Numbers

Raw Audit Messages

avc: denied { getattr } for comm=tmpwatch dev=dm-0
path=/tmp/virtual-olivares.1dNZIJ pid=14502
scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:file_t:s0


Happy Holidays -> Merry Christmas and a Happy New Year !


Regards,

Antonio




--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
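
The three raw audit messages from the post above, run through a small triage script. This is an added example, not part of the original post or of setroubleshoot; the function names and the three category labels are assumptions made for illustration, and the first message is abridged to the fields the script uses.

```python
import re

# Raw audit messages from the post, line wrapping undone (first one abridged).
SAMPLE_AVCS = [
    "avc: denied { read } for comm=hald dev=dm-0 name=PolicyKit.reload pid=30320 "
    "scontext=unconfined_u:system_r:hald_t:s0 tclass=file "
    "tcontext=system_u:object_r:system_crond_var_lib_t:s0",
    "avc: denied { read write } for comm=dbus-daemon dev=tmpfs path=/dev/tty1 "
    "pid=28235 scontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=unconfined_u:object_r:unconfined_tty_device_t:s0",
    "avc: denied { getattr } for comm=tmpwatch dev=dm-0 path=/tmp/virtual-olivares.1dNZIJ "
    "pid=14502 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
    "tcontext=system_u:object_r:file_t:s0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Split one AVC denial into permissions, key=value fields and context types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Sort a denial into the three cases the setroubleshoot reports describe."""
    if rec["ttype"] == "file_t":
        return "unlabeled"      # object has no label: relabel, do not write policy
    if rec["tclass"] == "chr_file" and rec["ttype"].endswith("tty_device_t"):
        return "daemon-tty"     # usually ignorable; candidate for a dontaudit rule
    return "check-label"        # try restorecon on the target, then report a bug

def summarize(lines):
    """Return (comm, source type, target type, target object, category) per denial."""
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        target = rec.get("path") or rec.get("name", "<Unknown>")
        out.append((rec["comm"], rec["stype"], rec["ttype"], target, triage(rec)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_AVCS):
        print("%-12s %-20s -> %-24s %-30s %s" % row)
```

Only the hald denial ends up in the "check-label" category, which matches the report's own advice to try restorecon first and otherwise file a bug; the other two are the labeling and daemon-terminal cases the reports already name.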
 
