Bug 1590446

Summary: selinux-policy blocks motion access to v4l camera
Product: [Fedora] Fedora Reporter: Vaclav Danek <vdanek>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: bugzilla_fedora, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.1-36.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-29 03:23:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vaclav Danek 2018-06-12 15:24:55 UTC 
Description of problem:
selinux-policy blocks motion access to v4l camera

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-32.fc28.noarch
motion-4.1.1-4.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. use v4l usb camera for example ps3 eye
2. configure motion
3. start motion

Actual results:
access to camera is blocked

Expected results:
camera should be accessible for motion

Additional info:
type=AVC msg=audit(1528816280.009:425): avc:  denied  { map } for  pid=14945 comm="ml1" path="/dev/video0" dev="devtmpfs" ino=18994 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
type=MAC_STATUS msg=audit(1528816282.213:426): enforcing=0 old_enforcing=1 auid=1000 ses=6
type=USER_AVC msg=audit(1528816282.215:427): pid=774 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1528816290.011:428): avc:  denied  { map } for  pid=14945 comm="ml1" path="/dev/video0" dev="devtmpfs" ino=18994 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=1
Comment 1 bugzilla_fedora 2018-07-08 21:13:04 UTC 
Also observing this on F27:

selinux-policy.noarch                   3.13.1-283.35.fc27
selinux-policy-targeted.noarch          3.13.1-283.35.fc27
motion.x86_64                           4.1.1-1.fc27

Raw Audit Messages
type=AVC msg=audit(1531083900.219:746): avc:  denied  { map } for  pid=7339 comm="ml1" path="/dev/video0" dev="devtmpfs" ino=20595 scontext=system_u:system_r:motion_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
Comment 2 Fedora Update System 2018-07-25 22:29:29 UTC 
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
Comment 3 Fedora Update System 2018-07-26 16:31:45 UTC 
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
Comment 4 Fedora Update System 2018-07-29 03:23:36 UTC 
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.