Bug 124382

Summary: Execution of /usr/bin/lockdev should transition into domain that is allowed to mess with /var/lock

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleksey Nogin <aleksey> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, havill, pgraner |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-11-30 19:04:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Aleksey Nogin
2004-05-26 04:56:56 UTC

Programs that are supposed to give users access to certain serial devices (including minicom and gphoto2) are compiled against the liblockdev library, which implements locking using a setgid helper program, /usr/sbin/lockdev (that allows arbitrary users to install/remove locks in the /var/locks directory, possibly with some appropriate permission checks). Note that the users themselves do not have write permissions to /var/locks (which is the whole point).

Now enters SELinux. Suddenly users can not touch /var/locks even with the help of a setgid binary. As a result, minicom, gphoto2 (and other similar programs, such as efax and kandy once bug 79615 and bug 84143 are fixed) are no longer able to lock the serial devices when run by an ordinary user.

Basically, the whole point of the /usr/sbin/lockdev binary is a limited privilege elevation, and it needs to be supported under SELinux as well.

Comment from Daniel Walsh (dwalsh)

I need more info? What is failing here? It might be a problem if apps transitioned to lockdev, and you needed to give lockdev access to all /var/lock files.

Dan

Comment from Daniel Walsh (dwalsh)

Thanks, I will look into adding SELinux support to it.

Dan

Comment from Daniel Walsh (dwalsh)

Added fixes to selinux-policy-strict-1.18.2-3. Tested it out with minilog. Please try it out.

Dan
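The shape of the policy change the report asks for, as an added illustration that is not the fix shipped in selinux-policy-strict-1.18.2-3 (that release used the older strict-policy macro syntax, which is not shown here). It is written in current reference-policy style; the module name, the types lockdev_t, lockdev_exec_t and lockdev_lock_t, and the choice of which user domains may transition are assumptions made for the example. The point it shows is the one the description makes: the setgid bit on /usr/sbin/lockdev changes the DAC identity but not the SELinux domain, so the caller's domain is still denied on /var/lock; a domain transition on execute is the SELinux counterpart of the setgid bit, and giving the new domain its own lock-file type keeps the grant scoped to lockdev's files rather than all of /var/lock (Dan's concern in his first comment).

```selinux
policy_module(lockdev_example, 1.0.0)

########################################
# Declarations (illustrative names, not the shipped policy's)
#

# Domain the helper runs in, and the type of its executable.
# The matching file-context line would be (lockdev_example.fc):
#   /usr/sbin/lockdev  --  gen_context(system_u:object_r:lockdev_exec_t,s0)
type lockdev_t;
type lockdev_exec_t;
application_domain(lockdev_t, lockdev_exec_t)

# Own type for the lock files the helper creates under /var/lock,
# so lockdev_t is not granted access to every lock file there.
type lockdev_lock_t;
files_lock_file(lockdev_lock_t)

########################################
# Local policy
#

# The helper may create, read, write, rename and unlink its own lock
# files, and may search /var/lock to reach them.
allow lockdev_t lockdev_lock_t:file manage_file_perms;
files_search_locks(lockdev_t)

# Files lockdev_t creates in /var/lock are labeled lockdev_lock_t
# rather than the generic lock type, keeping the grant above scoped.
files_lock_filetrans(lockdev_t, lockdev_lock_t, file)

# Unprivileged user domains may execute the helper, and the exec
# automatically transitions into lockdev_t. Without this rule the
# process stays in the caller's domain and /var/lock is denied no
# matter what the setgid bit does at the DAC level.
domain_auto_trans(unpriv_userdomain, lockdev_exec_t, lockdev_t)

# Deliberately omitted: access to the serial device nodes themselves
# and to the caller's terminal for error messages. A real module
# needs those too; they are independent of the /var/lock problem.
```

To try a module like this, build it with `make -f /usr/share/selinux/devel/Makefile lockdev_example.pp`, load it with `semodule -i lockdev_example.pp`, relabel the helper with `restorecon -v /usr/sbin/lockdev`, and confirm with `ls -Z /usr/sbin/lockdev` that it now carries lockdev_exec_t. After running minicom as an ordinary user, `ausearch -m AVC -c lockdev` should show no denials, and `ls -Z /var/lock/` should show the new lock file with the lockdev_lock_t type; a denial against lock_t on the directory instead means the transition did not happen (check the file context and that the caller's domain is in unpriv_userdomain).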