Bug 140059

Summary: Strict SELinux policy blocks new scanner permissions work
Product: [Fedora] Fedora Reporter: W. Michael Petullo <redhat>
Component: selinux-policy-strictAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: arequipeno, boris, bugzilla.redhat.com, mishu, tmraz, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-04-19 18:28:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 133471    
Description Flags
AVC messages after attaching my USB scanner none

Description W. Michael Petullo 2004-11-19 16:05:23 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
The Linux hotplug subsystem now creates a symbolic link from
/dev/usb/scannerXXX to /proc/bus/usb/YYY/ZZZ.  The purpose of this is
to let pam_console set the permissions on the scanner device so that
users may use the scanner.

Currently, pam_console sets the appropriate Unix permissions on
/proc/bus/usb/YYY/ZZZ when SELinux is not running.  However, when
SELinux is enforcing Fedora's strict policy this does not work.

I don't yet have the associated AVC messages.  I hope to investigate
this matter more over the weekend and provide some more information. 
I did note that the link /dev/usb/scannerXXX had a context of
device_t.  I imagine this should be scanner_device_t.  I also noticed
that xdm.te has dontaudit statements for probes of /proc, so this may
be keeping some avc messages from being logged.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Log in to a system with a USB scanner attached and SELinux NOT
enforcing its policy.

2.  Log in to a system with a USB scanner attached and SELinux
enforcing its policy.

Actual Results:  Following scenario one, the scanner was assigned
permissions allowing me to use it.

Following scenario two, the scanner was NOT assigned the appropriate

Expected Results:  The scanner's permissions should be set correctly
regardless of the SELinux policy.

Additional info:

Comment 1 Daniel Walsh 2004-11-20 11:22:15 UTC
Were you able to use the scanner even with the failure.  I have tried
a USB scanner and I have found it to work without writing the symlink.
xsane still found the device.  And hal/hotplug set the device to be
owned by the console user.

Comment 2 W. Michael Petullo 2004-11-20 17:12:23 UTC
Here are the steps I took to get this procedure working with Fedora's
strict SELinux policy:

1.  Add the following line to /etc/hotplug/usb/libusbscanner, directly
following ``ln -sf "${DEVICE}" "${DEVDIR}/${DEVNAME}":'' ``chcon -h
system_u:object_r:scanner_device_t "${DEVDIR}/${DEVNAME}".''

2.  Add the following rules to allow permission changing when a user
logs in:

allow xdm_t scanner_device_t:lnk_file { read getattr };
allow xdm_t usbfs_t:file { getattr setattr };
allow xdm_t usbfs_t:dir search;
allow pam_console_t scanner_device_t:lnk_file { read getattr };
allow pam_console_t usbfs_t:file { getattr setattr };
allow pam_console_t usbfs_t:dir search;
allow local_login_t scanner_device_t:lnk_file { read getattr };
allow local_login_t usbfs_t:file { getattr setattr };
allow local_login_t usbfs_t:dir search;

3.  Add the following rules to allow the creation/unlink of the
/dev/usb/scanner-???:??? link in the first place:

allow hotplug_t scanner_device_t:lnk_file unlink;
allow hotplug_t scanner_device_t:lnk_file relabelto;

4.  Allow scanimage to manipulate scanner.  Currently I get:
Nov 20 11:12:45 imp kernel: audit(1100970765.086:0): avc:  denied  {
read } for  pid=7932 exe=/usr/bin/scanimage name=scanner-002:017
dev=tmpfs ino=20209 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:scanner_device_t tclass=lnk_file
Nov 20 11:12:45 imp kernel: audit(1100970765.087:0): avc:  denied  {
write } for  pid=7932 exe=/usr/bin/scanimage name=017 dev=usbfs
ino=20136 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file

I would rather add a rule like "/dev/usb/scanner-???:???  -l 
system_u:object_r:scanner_device_t" and use restorecon in step one. 
But I can't figure out how to get restorecon to relabel symbolic
links.  Restorecon /dev/usb/scanner-002:012 says "Warning!
/dev/usb/scanner-002:017 refers to a symbolic link, not following last

I don't quite understand the question posed in comment #1.  If the
link is not created then how does pam_console change the permissions
on /proc/bus/usb/...?  Did you plug the scanner in while you were
already logged in (that's cheating)?

Comment 3 Daniel Walsh 2004-11-22 19:36:06 UTC
I am seeing none of this and mine just works.  
I have tried to plug in the scanner while logged in and it works, I
have plugged it in while logged out then logged in and it works.  I am
seeing no AVC messages.  And pam_console is not trying to do anything
with /dev/usb, which doesn't even exist on my machine.

What version of hotplug are you using?

rpm -q hotplug udev


Comment 4 W. Michael Petullo 2004-11-22 20:00:16 UTC
Dan: I'm sorry, but for some reason I thought you had been following
bug #121511, "extend console.perms to cover /proc/bus/usb/*."

I will have to check my version numbers after work.  What are the
permissions on the node in for you scanner in /proc/bus/usb/???/??? ?
 Is your scanner application suid root?  I am confused because if you
look at bug #121511 you will see that most people's scanner device is
owned by root and not writable by non-root users.  Because of this,
pam_console must set the scanner's permissions.  This is what is being
blocked by SELinux.

I think the code that fixed bug #121511 was added to
sane-backends-1.0.15-2 and hotplug-2004_04_01-10.

Comment 5 Daniel Walsh 2004-11-22 20:23:12 UTC
I am seeing /proc/bus/usb/*.* owned by dwalsh, after it is plugged in.
 It is being set by udev/hotplug.  (Although I have not been able to
track down where.)  I am doing this on FC3  not rawhide.  So this
might be something new

rpm -q sane-backends

Comment 6 W. Michael Petullo 2004-11-22 20:33:18 UTC
Right.  This is post-FC3 stuff (bug's Version field is devel).  See
bug #121511 for what needs fixing and how it is being fixed.

Comment 7 Tim Waugh 2004-11-23 10:15:03 UTC
Daniel: um, now I'm really confused -- I *know* that it doesn't work properly in
FC3 to have the scanner connected before logging in!  You say "owned by dwalsh,
after it is plugged in" -- the case we are looking at is where the scanner is
continuously connected from boot.  In that instance, I'm quite amazed to hear
that it works for you, since it doesn't work for anyone else (unless you happen
to have a multifunction device driven by hpoj, in which case it's all different).

The place where /proc/bus/usb/* gets ownership set is
/etc/hotplug/usb/libusbscanner, but the version shipped in FC3 certainly does
not cope with a continuously connected scanner.  It gets run once, before log
in, and does the chown there and then.

Comment 8 Daniel Walsh 2004-11-23 14:46:41 UTC
Your right, I just tried it again and it does fail. 


Comment 9 Daniel Walsh 2004-12-10 18:37:28 UTC
This should be fixed in sane-backend-1.0.15-8

Comment 10 W. Michael Petullo 2004-12-13 00:53:01 UTC
I'm using sane-backends-1.0.15-8 and this does NOT seem to be fixed. 
The scanner device's permissions are set when I log in with SELinux
not enforcing its policy.  However, then I log in with Fedora's strict
policy being enforced, the ownership is not set.  In the latter case,
the device continues to be owned by root.


Comment 11 Tim Waugh 2005-01-11 10:14:36 UTC
Is this all working now?

Comment 12 W. Michael Petullo 2005-01-13 03:12:11 UTC
I'm still having the same problem with selinux-policy-strict-1.20.1-3.
 I don't see any AVC messages, though.  The scanner device's
permissions are set correctly when SELinux is off and not set when
SELinux is on.

Comment 13 W. Michael Petullo 2006-04-04 23:23:00 UTC
Using Fedora Core 5, the SELinux policy still seems to cause pam_console_app to
fail.  As a result, the permissions on a scanner that is plugged in AFTER a user
has logged in will not be set properly.  This is true of BOTH the strict and
targeted policy.  Everything works when SELinux is not enforcing its policy.

Comment 14 Daniel Walsh 2006-04-05 12:41:32 UTC
What avc's are you seeing?  

Comment 15 W. Michael Petullo 2006-04-06 01:51:25 UTC
Created attachment 127384 [details]
AVC messages after attaching my USB scanner

After looking at the AVC messages, I suspect that this may be because I am
using LDAP and accessing it over TLS.  I think the SELinux policy should be
fixed to support this.

Comment 16 Daniel Walsh 2006-04-14 13:26:56 UTC
fixed in selinux-policy-2.2.32-1.FC5.

Comment 17 W. Michael Petullo 2006-04-19 18:28:30 UTC
I can confirm that this is fixed in the targeted policy.  I have not tried the
strict policy.