Bug 121207
| Summary: | gthumb unable to read USB devices with strict SELinux policy | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat> |
| Component: | selinux-policy-strict | Assignee: | Russell Coker <rcoker> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3 | CC: | abuse, johan.dahl, pgraner, twaugh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-05-12 17:24:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 133471 | | |
Description
W. Michael Petullo
2004-04-19 00:20:25 UTC
I've added policy to support this, it will be in the next policy package.

I tried policy-1.11.2-21 and still found that gtkam could not properly open /proc/bus/usb devices. It looks like gtkam needs write access to these devices as well. Adding the following line to user_macros.te:full_user_role() fixes things (but may be too permissive):

    allow $1_t usbfs_t:file write;

The modifications are also required for USB scanners because these are now accessed using libusb.

Added rules in policy-1.11.3-2

It looks like I closed this bug prematurely. The following keeps gtkam from accessing my camera now:

    May 28 22:56:32 imp kernel: audit(1085802992.308:0): avc: denied { write } for pid=4410 exe=/usr/bin/gtkam name=003 dev=usbfs ino=8806 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file

This one actually managed to reproducibly crash my computer. Camera is a Medion MD5319 and computer is Dell Inspiron 8500. I've only installed the "EXAMPLE" policy. I need to do that because otherwise I don't get the tools (strange dependency?). But main problem is that I did not enable selinux on the kernel command line, but got lots of selinux output... (kernel 2.6.6-1.383 btw).

Problem still exists with:

    selinux-policy-strict-sources-1.15.5-2
    selinux-policy-strict-1.15.5-2
    policycoreutils-1.15.1-1
    checkpolicy-1.14.1-1
    libselinux-devel-1.15.1-1
    libselinux-1.15.1-1

Gtkam is gone, but gThumb does not like selinux-policy-strict either. I get the following when I ask gThumb to import pictures from my camera:

    Oct 3 18:11:32 imp dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t tclass=dbus
    Oct 3 18:11:41 imp kernel: ohci_hcd 0001:01:1b.1: wakeup
    Oct 3 18:11:41 imp kernel: usb 3-1: new full speed USB device using address 6
    Oct 3 18:11:42 imp dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t tclass=dbus
    Oct 3 18:11:42 imp last message repeated 2 times
    Oct 3 18:11:50 imp kernel: audit(1096845110.041:0): avc: denied { write } for pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file
    Oct 3 18:11:50 imp kernel: audit(1096845110.152:0): avc: denied { write } for pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file

gThumb pops up a window that states:

    An error occurred in the io-library ('Could not claim the USB device'): Could not clain interface 0 (Operation not permitted). Make sure no other program or kernel module (e.g. dc2xx or stv6800) is using the device and you have read/write access to the device.

Everything works fine if SELinux is not enforcing its strict policy. Here are some relevant versions:

    selinux-policy-strict-1.17.26-1
    policycoreutils-1.17.5-6
    checkpolicy-1.17.5-1
    libselinux-1.17.13-3
    gthumb-2.4.2-2

Using:

    selinux-policy-strict-1.17.30-2
    policycoreutils-1.17.6-2
    checkpolicy-1.17.5-1
    libselinux-1.17.14-1
    gthumb-2.4.2-2

I get:

    Oct 20 21:36:54 imp kernel: ohci_hcd 0001:10:1b.1: wakeup
    Oct 20 21:36:54 imp kernel: usb 3-1: new full speed USB device using address 4
    Oct 20 21:37:01 imp kernel: audit(1098326221.050:0): avc: denied { write } for pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs ino=183950 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file
    Oct 20 21:37:01 imp kernel: audit(1098326221.055:0): avc: denied { write } for pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs ino=183950 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file

Importing photos fails because of this (works fine when SELinux is not enforcing its policy).

With selinux-policy-strict-1.19.3-1:

    Nov 20 13:29:03 imp dbus: avc: denied { send_msg } for scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t tclass=dbus
    Nov 20 13:29:14 imp kernel: audit(1100978954.424:0): avc: denied { read } for pid=6707 exe=/usr/sbin/lockdev name=ld.so.cache dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t tcontext=root:object_r:etc_t tclass=file
    Nov 20 13:29:14 imp kernel: audit(1100978954.425:0): avc: denied { getattr } for pid=6707 exe=/usr/sbin/lockdev path=/etc/ld.so.cache dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t tcontext=root:object_r:etc_t tclass=file
    Nov 20 13:29:14 imp kernel: audit(1100978954.824:0): avc: denied { write } for pid=6699 exe=/usr/bin/gthumb name=005 dev=usbfs ino=26430 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file

This seems to fix this:

    1. allow hald_t hald_t:dbus send_msg;
    2. allow user_lockdev_t etc_t:file { read getattr };
    3. allow user_t usbfs_t:file write;

I'm not sure about rule 3. It does work but it may be too permissive.

I also found that gthumb fails to rotate a picture located on a FAT filesystem. It moves the file to /tmp, rotates it and writes it back. But the mv back fails with this. It seems to work when the file is located on ext3.

    Dec 13 23:24:50 localhost kernel: audit(1102976690.391:0): avc: denied { associate } for pid=4217 exe=/bin/mv name=pb210004.jpg scontext=user_u:object_r:tmp_t tcontext=system_u:object_r:dosfs_t tclass=filesystem

Fixed in rawhide selinux-policy-targeted-1.24.14-2