
Selinux and hal


I'm using a fully updated rawhide installation. Today I got some updates
from extras. I think the problem started when the update of gutenprint
was installed. I keep getting this message from sealert:

    SELinux is preventing /usr/sbin/hald (hald_t) "read" access to inotify

Detailed Description
    SELinux denied access requested by /usr/sbin/hald. It is not expected that
    this access is required by /usr/sbin/hald and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for inotify, restorecon -v
    There is currently no automatic way to allow this access. Instead, you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "hald_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P hald_disable_trans=1."

    The following command will allow this access:
    setsebool -P hald_disable_trans=1

Additional Information

Source Context                system_u:system_r:hald_t
Target Context                system_u:object_r:inotifyfs_t
Target Objects                inotify [ dir ]
Affected RPM Packages
Policy RPM
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     duvel
Platform                      Linux duvel 2.6.20-1.2967.fc7PAE #1 SMP Tue Mar 6
                              14:49:37 EST 2007 i686 athlon
Alert Count                   261
First Seen                    Fri Mar  9 11:10:56 2007
Last Seen                     Fri Mar  9 11:10:58 2007
Local ID                      0057c30e-29d5-4a43-a1c7-1b382f49f813
Line Numbers

Raw Audit Messages

avc: denied { read } for comm="hald" dev=inotifyfs egid=68 euid=68
exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0
path="inotify" pid=2255 scontext=system_u:system_r:hald_t:s0 sgid=68
subj=system_u:system_r:hald_t:s0 suid=68 tclass=dir
tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=68

I've already gotten more than 260 of those messages in 5 minutes. I had
to kill auditd when it used 58% of my 1 GB of RAM. For a daemon that has to
do some logging this is quite extreme.

Has anyone else seen this problem? Should I file bug reports somewhere?



Bart Vanbrabant <bart vanbrabant zoeloelip be>
PGP fingerprint: 093C BB84 17F6 3AA6 6D5E  FC4F 84E1 FED1 E426 64D1
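
An added example, not part of the original post or of any SELinux tool: a small Python parser that collapses a flood of identical AVC denials like the one quoted above into one line per source type, target type, class and permission, written as the allow rule a local policy module for that denial would carry. The function names are hypothetical, and the input is the post's raw audit message with the e-mail line wraps joined, repeated 261 times to match the Alert Count.

```python
import re
from collections import Counter

# Raw audit message from the post above, e-mail line wraps joined.
SAMPLE = (
    'avc: denied { read } for comm="hald" dev=inotifyfs egid=68 euid=68 '
    'exe="/usr/sbin/hald" exit=-13 fsgid=68 fsuid=68 gid=68 items=0 '
    'path="inotify" pid=2255 scontext=system_u:system_r:hald_t:s0 sgid=68 '
    'subj=system_u:system_r:hald_t:s0 suid=68 tclass=dir '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tty=(none) uid=68'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = rec['scontext'].split(':'), rec['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(perms=m.group(1).split(), stype=src[2], ttype=tgt[2])
    return rec


def summarize(lines):
    """Collapse repeated denials into (rule, count), most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial, or a malformed one
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return [(f'allow {s} {t}:{c} {p};', n)
            for (s, t, c, p), n in counts.most_common()]


if __name__ == '__main__':
    # Constructed input: the record repeated 261 times plus one non-AVC line.
    log = [SAMPLE] * 261 + ['type=SYSCALL msg=audit(0.0:0): constructed noise']
    for rule, n in summarize(log):
        print(f'{n:5d}  {rule}')
```

All 261 alerts reduce to a single rule on one permission, which is a much narrower change to review than the `hald_disable_trans` boolean that removes confinement for hald entirely.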
