Bug 1186072
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/upsmon from 'read' accesses on the chr_file random. |
| Product | [Fedora] Fedora |
| Reporter | Alexander Ploumistos <alex.ploumistos> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 21 |
| CC | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:1c734abcfeb625afd25bf8234580db4f33a3b6a6a20a4b41adc4c7165d67915b |
| Fixed In Version | selinux-policy-3.13.1-105.3.fc21 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-02-15 03:29:27 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
Alexander Ploumistos
2015-01-27 00:20:21 UTC
```
commit ca4fb28741fdf9b47418bef9953f73e19fa064f3
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 28 16:01:15 2015 +0100

    Allow nut_upsmon_t to read random_device_t. BZ(1186072)
```

Is it in http://pkgs.fedoraproject.org/cgit/selinux-policy.git/ or someplace else? Because I cannot find that commit.

It's here: https://github.com/selinux-policy/selinux-policy/commit/ca4fb28741fdf9b47418bef9953f73e19fa064f3

Package will be available soon.

Thank you very much!

I installed the packages (3.13.1-105.2) from koji, rebooted the machine, but I'm still seeing these:

```
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb 2 22:21:38 localhost setroubleshoot: Plugin Exception restorecon_source
Feb 2 22:21:38 localhost setroubleshoot: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom. For complete SELinux messages. run sealert -l 9c298592-7379-45e4-855e-a73dda984104
Feb 2 22:21:38 localhost python: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom.

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

***** Plugin catchall_boolean (47.5 confidence) suggests ******************

If you want to enable reading of urandom for all domains.
Then you must tell SELinux about this by enabling the 'global_ssp' boolean.
You can read 'None' man page for more details.
Do
setsebool -P global_ssp 1

***** Plugin catchall (6.38 confidence) suggests **************************

If you believe that upsmon should be allowed read access on the urandom chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Do I need to relabel the system or something?

One interesting side-effect, after installing the update, my dropbox tray icon is visible again. It used to be a horizontal, black line, see https://alexpl.fedorapeople.org/screenshots/gnome_message_tray.png

Hi, I need to see AVC related to this issue. Could you attach /var/log/audit.log file? Thank you!

Created attachment 987537
/var/log/audit/audit.log

While "SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom" happens every time the system starts, SELinux Troubleshooter pops up only at nights. Is there a setting for this behavior, or is it a bug as well?

OK, upsmon also needs read urandom device. I'll add fix ASAP.

```
commit 6ed17a9861381497615030b03dfe15f18e9afa02
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 15:37:25 2015 +0100

    Allow upsmon_t to read urandom device.
```

selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

All is well now, thanks again!

P.S.: Do I need to file another report for this, or is it WIP upstream?

```
Feb 5 16:18:50 localhost kernel: SELinux: Permission audit_read in class capability2 not defined in policy.
Feb 5 16:18:50 localhost kernel: SELinux: the above unknown classes and permissions will be allowed
```

Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).

selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
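
An added example, not part of the bug report or of the selinux-policy project: a small parser that groups AVC denials by source type, target type and class, so the rule a single domain needs can be compared with the `global_ssp` boolean that sealert suggests for all domains. The audit records are constructed, and `urandom_device_t` is assumed to be the label of /dev/urandom; `nut_upsmon_t` and `random_device_t` come from the first commit message.

```python
import re
from collections import defaultdict

# Constructed audit records (not taken from the attached audit.log).
# nut_upsmon_t and random_device_t are named in the first commit message;
# urandom_device_t is assumed to be the label of /dev/urandom.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1422908498.101:410): avc:  denied  { read } for  pid=911 comm="upsmon" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1422908498.102:411): avc:  denied  { read } for  pid=911 comm="upsmon" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1422908498.103:412): avc:  denied  { open } for  pid=911 comm="upsmon" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1422908498.103:412): arch=c000003e syscall=2 success=no exit=-13 comm="upsmon" exe="/usr/sbin/upsmon"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarise_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match is None:
            continue  # not an AVC denial (e.g. SYSCALL records)
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]),
               match["tclass"])
        denials[key].update(match["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render one narrowly scoped candidate allow rule per denied triple."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarise_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each generated rule names one source domain and one device type, which is the scope to review before loading a local module or flipping a boolean that applies to every domain.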