Bug 121207

Summary: gthumb unable to read USB devices with strict SELinux policy
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <redhat>
Component: selinux-policy-strict
Assignee: Russell Coker <rcoker>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 3
CC: abuse, johan.dahl, pgraner, twaugh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-05-12 17:24:54 UTC
Bug Blocks: 133471

Description W. Michael Petullo 2004-04-19 00:20:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6)
Gecko/20040312 Epiphany/1.1.12

Description of problem:
The digital camera application gtkam does not seem to want to play
nicely with SELinux.  Gtkam needs to access /proc/bus/usb because it
uses libusb.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Try to run gtkam as a user (user_u:user_r:user_t) with SELinux in
enforcing mode.

Actual Results:  When I try to run gtkam I get:

Apr 17 09:57:47 imp kernel: avc:  denied  { read } for  pid=3620
exe=/usr/bin/gtkam dev= ino=724 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=dir
Apr 17 09:57:47 imp kernel:
Apr 17 09:57:47 imp kernel: avc:  denied  { search } for  pid=3620
exe=/usr/bin/gtkam dev= ino=1 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:sysfs_t tclass=dir

Additional info:

Comment 1 Colin Walters 2004-04-19 14:45:41 UTC
I've added policy to support this, it will be in the next policy package.

Comment 2 W. Michael Petullo 2004-05-01 15:24:24 UTC
I tried policy-1.11.2-21 and still found that gtkam could not properly
open /proc/bus/usb devices.  It looks like gtkam needs write access to
these devices as well.  Adding the following line to
user_macros.te:full_user_role() fixes things (but may be too permissive):

allow $1_t usbfs_t:file write;

Comment 3 W. Michael Petullo 2004-05-03 00:52:59 UTC
The modifications are also required for USB scanners because these are
now accessed using libusb.

Comment 4 Daniel Walsh 2004-05-06 18:16:09 UTC
Added rules in policy-1.11.3-2

Comment 5 W. Michael Petullo 2004-05-29 04:00:21 UTC
It looks like I closed this bug prematurely.  The following keeps
gtkam from accessing my camera now:

May 28 22:56:32 imp kernel: audit(1085802992.308:0): avc:  denied  {
write } for  pid=4410 exe=/usr/bin/gtkam name=003 dev=usbfs ino=8806
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

Comment 6 Bas Mevissen 2004-06-02 22:44:18 UTC
This one actually managed to reproducibly crash my computer. Camera is
a medion MD5319 and computer is Dell Inspiron 8500.

I've only installed the "EXAMPLE" policy. I need to do that because
otherwise I don't get the tools. (strange dependency?).

But main problem is that I did not enable selinux on the kernel
command line, but got lots of selinux output...

(kernel 2.6.6-1.383 btw).

Comment 7 W. Michael Petullo 2004-07-17 03:58:57 UTC
Problem still exists with:

selinux-policy-strict-sources-1.15.5-2
selinux-policy-strict-1.15.5-2
policycoreutils-1.15.1-1
checkpolicy-1.14.1-1
libselinux-devel-1.15.1-1
libselinux-1.15.1-1

Comment 8 W. Michael Petullo 2004-10-03 23:15:44 UTC
Gtkam is gone, but gThumb does not like selinux-policy-strict either.
I get the following when I ask gThumb to import pictures from my camera:

Oct  3 18:11:32 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t
tclass=dbus
Oct  3 18:11:41 imp kernel: ohci_hcd 0001:01:1b.1: wakeup
Oct  3 18:11:41 imp kernel: usb 3-1: new full speed USB device using
address 6
Oct  3 18:11:42 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t
tclass=dbus
Oct  3 18:11:42 imp last message repeated 2 times
Oct  3 18:11:50 imp kernel: audit(1096845110.041:0): avc:  denied  {
write } for  pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file
Oct  3 18:11:50 imp kernel: audit(1096845110.152:0): avc:  denied  {
write } for  pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

gThumb pops up a window that states:

An error occurred in the io-library ('Could not claim the USB
device'): Could not claim interface 0 (Operation not permitted). Make
sure no other program or kernel module (e.g. dc2xx or stv6800) is
using the device and you have read/write access to the device.

Everything works fine if SELinux is not enforcing its strict policy.

Here are some relevant versions:

selinux-policy-strict-1.17.26-1
policycoreutils-1.17.5-6
checkpolicy-1.17.5-1
libselinux-1.17.13-3
gthumb-2.4.2-2

Comment 9 W. Michael Petullo 2004-10-21 02:35:53 UTC
Using:

selinux-policy-strict-1.17.30-2
policycoreutils-1.17.6-2
checkpolicy-1.17.5-1
libselinux-1.17.14-1
gthumb-2.4.2-2

I get:

Oct 20 21:36:54 imp kernel: ohci_hcd 0001:10:1b.1: wakeup
Oct 20 21:36:54 imp kernel: usb 3-1: new full speed USB device using
address 4
Oct 20 21:37:01 imp kernel: audit(1098326221.050:0): avc:  denied  {
write } for  pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs
ino=183950 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file
Oct 20 21:37:01 imp kernel: audit(1098326221.055:0): avc:  denied  {
write } for  pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs
ino=183950 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file

Importing photos fails because of this (works fine when SELinux is not
enforcing its policy).

Comment 10 W. Michael Petullo 2004-11-20 19:35:21 UTC
With selinux-policy-strict-1.19.3-1:

Nov 20 13:29:03 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t
tclass=dbus
Nov 20 13:29:14 imp kernel: audit(1100978954.424:0): avc:  denied  {
read } for  pid=6707 exe=/usr/sbin/lockdev name=ld.so.cache dev=dm-0
ino=309782 scontext=user_u:user_r:user_lockdev_t
tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.425:0): avc:  denied  {
getattr } for  pid=6707 exe=/usr/sbin/lockdev path=/etc/ld.so.cache
dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t
tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.824:0): avc:  denied  {
write } for  pid=6699 exe=/usr/bin/gthumb name=005 dev=usbfs ino=26430
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

This seems to fix this:

1.  allow hald_t hald_t:dbus send_msg;
2.  allow user_lockdev_t etc_t:file { read getattr };
3.  allow user_t usbfs_t:file write;

I'm not sure about rule 3.  It does work but it may be too permissive.

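Added example, not part of this bug report or of the Fedora policy packages: a small Python script that does for the denials quoted in this bug what audit2allow does. It parses each "avc: denied" line (both the kernel audit form and the userspace form that dbus logs, which has no pid= or exe= fields), coalesces the denied permissions per (source type, target type, object class), and emits the corresponding allow rules, which for the Nov 20 lines are exactly the three rules listed in Comment 10. It also records the object names each denial actually named, which makes the reporter's concern about rule 3 concrete: the denials were on one or two usbfs device nodes, while "allow user_t usbfs_t:file write;" grants write to every file labelled usbfs_t. The sample log is constructed from lines quoted in the description and in Comments 5, 10 and 11 (with the line-wrapped "assoc iate" denial from Comment 11 repaired); nothing else in it is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC messages copied from this bug report
# (description, comments 5, 10 and 11), one message per line.
SAMPLE_LOG = """\
Apr 17 09:57:47 imp kernel: avc:  denied  { read } for  pid=3620 exe=/usr/bin/gtkam dev= ino=724 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=dir
Apr 17 09:57:47 imp kernel:
Apr 17 09:57:47 imp kernel: avc:  denied  { search } for  pid=3620 exe=/usr/bin/gtkam dev= ino=1 scontext=user_u:user_r:user_t tcontext=system_u:object_r:sysfs_t tclass=dir
May 28 22:56:32 imp kernel: audit(1085802992.308:0): avc:  denied  { write } for  pid=4410 exe=/usr/bin/gtkam name=003 dev=usbfs ino=8806 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file
Nov 20 13:29:03 imp dbus: avc:  denied  { send_msg } for  scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=dbus
Nov 20 13:29:14 imp kernel: audit(1100978954.424:0): avc:  denied  { read } for  pid=6707 exe=/usr/sbin/lockdev name=ld.so.cache dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.425:0): avc:  denied  { getattr } for  pid=6707 exe=/usr/sbin/lockdev path=/etc/ld.so.cache dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.824:0): avc:  denied  { write } for  pid=6699 exe=/usr/bin/gthumb name=005 dev=usbfs ino=26430 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file
Dec 13 23:24:50 localhost kernel: audit(1102976690.391:0): avc:  denied  { associate } for  pid=4217 exe=/bin/mv name=pb210004.jpg scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:dosfs_t tclass=filesystem
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; "dev=" with an empty value (as in the Apr 17 lines) is skipped
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        # user:role:type[:range]; the type is always the third component
        src_type = fields["scontext"].split(":")[2]
        tgt_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": src_type,
        "target": tgt_type,
        "tclass": tclass,
        "exe": fields.get("exe"),  # absent on the dbus userspace AVC lines
        "object": fields.get("name") or fields.get("path"),
    }


def denials_to_rules(log):
    """Coalesce denials into allow rules keyed by (source, target, class),
    the way audit2allow does, and return them as a sorted list of strings."""
    merged = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def objects_touched(log):
    """Map each (source, target, class) to the object names/paths the denials
    actually named, so a generated rule's scope (every file of that type) can
    be compared with what the program really needed (a couple of device nodes)."""
    seen = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d and d["object"]:
            seen[(d["source"], d["target"], d["tclass"])].add(d["object"])
    return dict(seen)


if __name__ == "__main__":
    objs = objects_touched(SAMPLE_LOG)
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
    for key, names in sorted(objs.items()):
        print(f"# {key[0]} -> {key[1]}:{key[2]} was denied on: {', '.join(sorted(names))}")
```

Run as a script it prints six allow rules; the three for the Nov 20 denials match Comment 10's list, and the trailing comment lines show that the usbfs_t write rule was triggered only by the device nodes 003 and 005, which is the gap between what was denied and what the rule permits.
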
Comment 11 Johan Dahl 2004-12-13 22:35:39 UTC
I also found that gthumb fails to rotate a picture located on a FAT
filesystem. It moves the file to /tmp, rotates it and writes it back,
but the mv back fails with this. It seems to work when the file is
located on ext3.

Dec 13 23:24:50 localhost kernel: audit(1102976690.391:0): avc:
denied  { associate } for  pid=4217 exe=/bin/mv name=pb210004.jpg
scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:dosfs_t
tclass=filesystem


Comment 12 Daniel Walsh 2005-05-12 17:24:54 UTC
Fixed in rawhide selinux-policy-targeted-1.24.14-2