Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 821211
| Summary: | SELinux is preventing /usr/sbin/lspci from using the sys_admin capability | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | collura |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | collura, dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-13 20:04:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 821268 *** |
Description of problem: SELinux is preventing /usr/sbin/lspci from using the sys_admin capability. ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to enable polyinstantiated directory support. Then you must tell SELinux about this by enabling the'allow_polyinstantiation' boolean.You can read 'xdm_selinux' man page for more details. Do setsebool -P allow_polyinstantiation 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that lspci should have the sys_admin capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep lspci /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Objects [ capability ] Source lspci Source Path /usr/sbin/lspci Port <Unknown> Host <removed>.<removed> Source RPM Packages pciutils-3.1.9-1.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-121.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name <removed>.<removed> Platform Linux <removed>.<removed> 3.3.4-4.fc17.x86_64 #1 SMP Fri May 4 17:25:07 UTC 2012 x86_64 x86_64 Alert Count 5 First Seen Sun 13 May 2012 01:02:46 AM EDT Last Seen Sun 13 May 2012 01:02:46 AM EDT Local ID <removed> Raw Audit Messages type=AVC msg=audit(1336885366.441:58): avc: denied { sys_admin } for pid=785 comm="lspci" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1336885366.441:58): arch=x86_64 syscall=pread success=yes exit=ENONET a0=3 a1=247a540 a2=40 a3=0 items=0 ppid=784 pid=785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: lspci,xdm_t,xdm_t,capability,sys_admin audit2allowunable to open /sys/fs/selinux/policy: Permission denied audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied Version-Release number of selected component (if applicable): selinux-policy-3.10.0-121.fc17.x86_64 How reproducible: Steps to Reproduce: 1. boot and login 2. 3. Actual results: get error Expected results: no error Additional info: