Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 824172
| Summary: | SELinux is preventing lspci from using the 'sys_admin' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Arif Tri Waluyo <arifiauo> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 17 | CC: | collura, dominick.grift, dwalsh, kevin, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:886155125b700de9c77231188640adea40a8c084aa5ac0c619873e8790dcdd81 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-27 10:01:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Please update to the latest policy. # yum update selinux-policy-targeted --enablerepo=updates-testing related bug: https://bugzilla.redhat.com/show_bug.cgi?id=821268 *** This bug has been marked as a duplicate of bug 821268 *** |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.3.4-5.fc17.i686 time: Wed 23 May 2012 04:10:47 AM WIT description: :SELinux is preventing lspci from using the 'sys_admin' capabilities. : :***** Plugin catchall_boolean (89.3 confidence) suggests ******************* : :If you want to enable polyinstantiated directory support. :Then you must tell SELinux about this by enabling the 'allow_polyinstantiation' boolean.You can read 'xdm_selinux' man page for more details. :Do :setsebool -P allow_polyinstantiation 1 : :***** Plugin catchall (11.6 confidence) suggests *************************** : :If you believe that lspci should have the sys_admin capability by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep lspci /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 :Target Context system_u:system_r:xdm_t:s0-s0:c0.c1023 :Target Objects [ capability ] :Source lspci :Source Path lspci :Port <Unknown> :Host (removed) :Source RPM Packages :Target RPM Packages :Policy RPM selinux-policy-3.10.0-121.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.4-5.fc17.i686 #1 SMP Mon May : 7 17:45:26 UTC 2012 i686 i686 :Alert Count 8 :First Seen Tue 22 May 2012 01:43:55 AM WIT :Last Seen Tue 22 May 2012 01:43:55 AM WIT :Local ID df38d9ac-edc2-4aa3-b121-c03bb5403be9 : :Raw Audit Messages :type=AVC msg=audit(1337625835.327:83): avc: denied { sys_admin } for pid=659 comm="lspci" capability=21 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=capability : : :Hash: lspci,xdm_t,xdm_t,capability,sys_admin : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :