Package: selinux-policy-default
Version: 2:0.0.20080702-14
Severity: important
Tags: selinux

This basically makes SELinux unusable on laptops. Many of the selinux issues that I'm seeing are related to hald. Probably, if we fix the hal policy, half of the problems should vanish.

Summary:

SELinux is preventing s2ram (hald_t) "execute" to /dev/mem (memory_device_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by s2ram. It is not expected that this access is required by s2ram and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /dev/mem,

restorecon -v '/dev/mem'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:hald_t:s0
Target Context                system_u:object_r:memory_device_t:s0
Target Objects                /dev/mem [ chr_file ]
Source                        s2ram
Source Path                   /usr/sbin/s2ram
Port                          <Unknown>
Host                          champaran
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   default
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     champaran
Platform                      Linux champaran 2.6.28-custom #1 SMP Thu Feb 12 19:09:05 IST 2009 i686
Alert Count                   1
First Seen                    Mon 16 Feb 2009 01:27:06 PM IST
Last Seen                     Mon 16 Feb 2009 01:27:06 PM IST
Local ID                      4e89d6aa-5273-4b26-a949-228d7135f253
Line Numbers

Raw Audit Messages

node=champaran type=AVC msg=audit(1234771026.836:570): avc: denied { execute } for pid=4458 comm="s2ram" path="/dev/mem" dev=tmpfs ino=1225 scontext=unconfined_u:system_r:hald_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

node=champaran type=SYSCALL msg=audit(1234771026.836:570): arch=40000003 syscall=192 success=yes exit=0 a0=0 a1=502 a2=7 a3=11 items=0 ppid=4374 pid=4458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="s2ram" exe="/usr/sbin/s2ram" subj=unconfined_u:system_r:hald_t:s0 key=(null)

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-custom (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules        1.0.1-5    Pluggable Authentication Modules f
ii  libselinux1           2.0.65-5   SELinux shared libraries
ii  libsepol1             2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils       2.0.49-8   SELinux core policy utilities
ii  python                2.5.2-3    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy           2.0.16-3   SELinux policy compiler
ii  setools               3.3.5.ds-5 tools for Security Enhanced Linux

Versions of packages selinux-policy-default suggests:
pn  logcheck              <none>     (no description available)
pn  syslog-summary        <none>     (no description available)

-- no debconf information
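
Added example, not part of the original report: a Python sketch that pairs the AVC and SYSCALL records quoted above and decodes the syscall arguments, showing that the "execute" denial on /dev/mem corresponds to an mmap2 call requesting PROT_EXEC. The function names are hypothetical; the syscall number and flag values are those of i386 Linux.

```python
import re

# Raw audit records from the report above (event 570); trimmed to the fields used here.
AVC = ('type=AVC msg=audit(1234771026.836:570): avc: denied { execute } for pid=4458 '
       'comm="s2ram" path="/dev/mem" dev=tmpfs ino=1225 '
       'scontext=unconfined_u:system_r:hald_t:s0 '
       'tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file')
SYSCALL = ('type=SYSCALL msg=audit(1234771026.836:570): arch=40000003 syscall=192 '
           'success=yes exit=0 a0=0 a1=502 a2=7 a3=11 pid=4458 comm="s2ram" '
           'exe="/usr/sbin/s2ram" subj=unconfined_u:system_r:hald_t:s0')

PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
I386_MMAP2 = ("40000003", "192")  # AUDIT_ARCH_I386, __NR_mmap2 on i386


def fields(record):
    """Return the key=value pairs of one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def event_id(record):
    """Timestamp:serial that ties the AVC and SYSCALL records of one event together."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)


def parse_avc(record):
    """Extract permissions, source/target types, class and path from an AVC record."""
    f = fields(record)
    return {"perms": re.search(r'\{([^}]*)\}', record).group(1).split(),
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"], "path": f["path"]}


def decode_mmap(record):
    """Decode a0..a3 of an i386 mmap2 SYSCALL record (audit prints them in hex)."""
    f = fields(record)
    if (f["arch"], f["syscall"]) != I386_MMAP2:
        raise ValueError("not an i386 mmap2 record")
    addr, length, prot, flags = (int(f["a%d" % i], 16) for i in range(4))
    names = lambda value, table: [n for bit, n in sorted(table.items()) if value & bit]
    return {"addr": addr, "length": length,
            "prot": names(prot, PROT), "flags": names(flags, MAP)}


def triage(avc, syscall):
    """Pair both records and flag whether the denial stems from an executable mapping."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    result = parse_avc(avc)
    result["mmap"] = decode_mmap(syscall)
    result["exec_mapping"] = "execute" in result["perms"] and "PROT_EXEC" in result["mmap"]["prot"]
    return result


if __name__ == "__main__":
    print(triage(AVC, SYSCALL))
```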