Bug 124382

Summary: Execution of /usr/bin/lockdev should transition into domain that is allowed to mess with /var/lock
Product: Fedora
Reporter: Aleksey Nogin <aleksey>
Component: policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, havill, pgraner
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-11-30 19:04:32 UTC

Description Aleksey Nogin 2004-05-26 04:56:56 UTC
Currently /usr/sbin/lockdev has an ordinary sbin_t SELinux type. As a
result, lockdev-enabled programs need special permissions to
read/add/remove the lock files in /var/lock. This is IMHO wrong - it
would be much more consistent to transition into a lockdev_t domain on
executing /usr/sbin/lockdev and then allow the lockdev_t, not the
original domain to access /var/lock.

Comment 1 Daniel Walsh 2004-11-06 06:44:12 UTC
I need more info. What is failing here?

It might be a problem if apps transitioned to lockdev, and you needed
to give lockdev access to all /var/lock files.

Dan

Comment 2 Aleksey Nogin 2004-11-06 07:00:02 UTC
Programs that are supposed to give users access to certain serial
devices (including minicom and gphoto2) are compiled against the
liblockdev library that implements locking using a setgid helper
program /usr/sbin/lockdev (that allows arbitrary users to
install/remove locks in the /var/locks directory, possibly with some
appropriate permission checks). Note that the users themselves do not
have write permissions to /var/locks (which is the whole point).

Now enters SELinux. Suddenly users can not touch /var/locks even with
the help of a setgid binary. As a result, minicom, gphoto2 (and other
similar programs, such as efax and kandy once bug 79615 and bug 84143
are fixed) are no longer able to lock the serial devices when run by
an ordinary user.

Basically, the whole point of the /usr/sbin/lockdev binary is a
limited privilege elevation and it needs to be supported under
SELinux as well.
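The following policy fragment is an added illustration of the transition proposed in the description and explained in the comment above; it is not the selinux-policy-strict fix Dan shipped, and it is written in later reference-policy style rather than the 2004 macro policy. The names user_t (the calling domain), var_lock_t (the type on /var/lock) and lockdev_exec_t are assumed; only lockdev_t comes from the report.

```selinux
# Added illustration, not the actual Fedora policy change: raw TE rules that
# move a caller into lockdev_t when it executes /usr/sbin/lockdev, so that
# only lockdev_t, never the calling domain, needs write access to /var/lock.
# Assumed names: user_t (caller), var_lock_t (/var/lock), lockdev_exec_t.
policy_module(lockdev, 1.0)

require {
    type user_t;       # the unprivileged caller (minicom, gphoto2, ...)
    type var_lock_t;   # type labelling the /var/lock directory
}

type lockdev_t;
type lockdev_exec_t;
domain_type(lockdev_t)
domain_entry_file(lockdev_t, lockdev_exec_t)

# Automatic domain transition: user_t executing lockdev_exec_t -> lockdev_t.
type_transition user_t lockdev_exec_t : process lockdev_t;
allow user_t lockdev_exec_t : file { getattr open read execute };
allow user_t lockdev_t : process transition;
allow lockdev_t lockdev_exec_t : file entrypoint;
allow lockdev_t user_t : fd use;
allow lockdev_t user_t : process sigchld;

# Only the helper domain may create, inspect and remove lock files;
# user_t gets no rule on var_lock_t at all, which is the point of the design.
allow lockdev_t var_lock_t : dir { search getattr read write add_name remove_name };
allow lockdev_t var_lock_t : file { create getattr open read write unlink };

# Parent-directory search and other base-policy interfaces are omitted here.
# Matching file_contexts entry so the binary is labelled on relabel:
# /usr/sbin/lockdev  --  gen_context(system_u:object_r:lockdev_exec_t,s0)
```

If a caller is still denied, the AVC log line to look for names the calling domain rather than lockdev_t as the source, which means the binary was not labelled lockdev_exec_t and no transition took place.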

Comment 3 Daniel Walsh 2004-11-06 18:41:08 UTC
Thanks I will look into adding SELinux support to it.

Dan

Comment 4 Daniel Walsh 2004-11-08 18:46:12 UTC
Added fixes to selinux-policy-strict-1.18.2-3

Tested it out with minilog.

Please try it out.

Dan