Bug 187436

Summary: policy denies udev pam_console_apply on dev/dvb
Product: Fedora
Reporter: Jón Fairbairn <jon.fairbairn>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 5
CC: dwalsh
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-05 15:01:13 UTC

Description Jón Fairbairn 2006-03-30 21:54:09 UTC
Description of problem:
udev fails to set user/group on /dev/dvb/adapter*/* when module is loaded

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-2.fc5

How reproducible:
always

Steps to Reproduce:
1. put a file in /etc/security/console.perms.d/ like:
# classes
<dvb>=/dev/dvb/adapter*/*
<video>=/dev/video*

# permissions
<console> 0660 <dvb>    0660 root.household
<console> 0660 <video>  0660 root.household

2. load the driver for the dvb adapter
Actual results:
audit log contains lines:
type=AVC msg=audit(1143754601.828:2966): avc:  denied  { getattr } for 
pid=23278 comm="pam_console_app" name="frontend0" dev=tmpfs ino=51473
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1143754601.828:2966): arch=c000003e syscall=6 success=no
exit=-13 a0=6390f0 a1=7fffffe2fda0 a2=7fffffe2fda0 a3=639102 items=1 pid=23278
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="pam_console_app" exe="/sbin/pam_console_apply"

type=AVC_PATH msg=audit(1143754601.828:2966):  path="/dev/dvb/adapter0/frontend0"
type=CWD msg=audit(1143754601.828:2966):  cwd="/"
type=PATH msg=audit(1143754601.828:2966): item=0
name="/dev/dvb/adapter0/frontend0" flags=0  inode=51473 dev=00:0f mode=020600
ouid=0 ogid=0 rdev=d4:03

and the device nodes are created with owner and group root.

Expected results:
/dev/dvb/adapter0/frontend0 (and all the others) should be given permissions
according to the pam rules

Additional info:

Comment 1 Daniel Walsh 2006-03-31 16:46:29 UTC
Could you try

semanage fcontext -a -t v4l_device_t "/dev/dvb/.*" 
restorecon -R -v /dev/dvb

and see if it works?



Comment 2 Jón Fairbairn 2006-03-31 17:06:36 UTC
# semanage fcontext -a -t v4l_device_t "/dev/dvb/.*"
(no output)
# restorecon -R -v /dev/dvb
restorecon set context /dev/dvb/adapter0->system_u:object_r:v4l_device_t
failed:'Permission denied'
restorecon reset /dev/dvb/adapter0/net0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/dvr0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/demux0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/frontend0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t

After that, removing the driver and reloading it results in the console owner
owning the devices
$ ls --lcon /dev/dvb/adapter0/
total 0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 4 Mar 31 18:07 demux0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 5 Mar 31 18:07 dvr0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 3 Mar 31 18:07 frontend0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 7 Mar 31 18:07 net0

presumably the restorecon is unnecessary if the driver isn't loaded, since the
device nodes don't exist until it is loaded, and it'll happen then?

The first error refers to the directory:
$ ls --lcon /dev/dvb/adapter0/ -d
drwxr-xr-x 2 system_u:object_r:device_t       root root 120 Mar 31 18:07
/dev/dvb/adapter0//

but that's fine



Comment 3 Daniel Walsh 2006-03-31 17:21:57 UTC
Actually I gave you the wrong command

#delete the previous
semanage fcontext -d -t v4l_device_t "/dev/dvb/.*"
# Re-add the command specifying -c for chr_device
semanage fcontext -a -t v4l_device_t -f"-c" "/dev/dvb/.*"
# List the device
semanage fcontext -l | grep dvb
/dev/dvb/.*                                        character device  
system_u:object_r:v4l_device_t:s0


Next policy update should have this change.
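
As an added example, not part of this bug report or of the selinux-policy package: the script below parses AVC records of the shape shown in the description and checks the denied path against file_contexts-style rules of the two shapes discussed in comment 1 and comment 3 (an unfiltered `/dev/dvb/.*` rule versus the same rule restricted with `-f "-c"` to character devices). The sample audit text is the report's own three records joined back onto single lines; the rule-resolution logic assumes libselinux semantics (regexes anchored at both ends, last matching entry wins), and the `FcontextSpec`, `parse_audit`, `expected_context` and `audit_labels` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AVC, SYSCALL and AVC_PATH records from the
# report, with their wrapped lines joined back onto one line each.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1143754601.828:2966): avc:  denied  { getattr } for pid=23278 comm="pam_console_app" name="frontend0" dev=tmpfs ino=51473 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1143754601.828:2966): arch=c000003e syscall=6 success=no exit=-13 a0=6390f0 a1=7fffffe2fda0 a2=7fffffe2fda0 a3=639102 items=1 pid=23278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=AVC_PATH msg=audit(1143754601.828:2966):  path="/dev/dvb/adapter0/frontend0"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')


def _kv(text: str) -> dict:
    """Split an audit record body into key=value pairs, dropping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


@dataclass
class AvcDenial:
    serial: str
    perms: tuple
    comm: str
    exe: Optional[str]
    scontext: str
    tcontext: str
    tclass: str
    path: Optional[str]


def parse_audit(text: str) -> list:
    """Join AVC/SYSCALL/AVC_PATH records by serial number into AvcDenial objects."""
    events: dict = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m['serial'], {})
        if m['type'] == 'AVC':
            a = AVC_RE.match(m['body'])
            if not a or a['result'] != 'denied':
                continue
            ev['avc'] = _kv(a['fields'])
            ev['perms'] = tuple(a['perms'].split())
        elif m['type'] == 'SYSCALL':
            ev['syscall'] = _kv(m['body'])
        elif m['type'] == 'AVC_PATH':
            ev['path'] = _kv(m['body']).get('path')
    denials = []
    for serial, ev in events.items():
        if 'avc' not in ev:
            continue
        avc = ev['avc']
        denials.append(AvcDenial(serial=serial, perms=ev['perms'], comm=avc.get('comm', ''),
                                 exe=ev.get('syscall', {}).get('exe'), scontext=avc['scontext'],
                                 tcontext=avc['tcontext'], tclass=avc['tclass'], path=ev.get('path')))
    return denials


@dataclass
class FcontextSpec:
    """One file_contexts entry, as `semanage fcontext -a -t TYPE [-f FTYPE] REGEX` records it."""
    regex: str
    ftype: Optional[str]   # None = any object class; otherwise one of - d c b s l p
    context: str


# Object class reported in the AVC -> file type letter used by semanage -f.
TCLASS_TO_FTYPE = {'file': '-', 'dir': 'd', 'chr_file': 'c', 'blk_file': 'b',
                   'sock_file': 's', 'lnk_file': 'l', 'fifo_file': 'p'}


def expected_context(specs: list, path: str, tclass: str) -> Optional[str]:
    """Context the rule list assigns to `path` of class `tclass`, or None if no rule matches.
    Assumption (libselinux semantics): regexes are anchored at both ends and the last match wins."""
    want = TCLASS_TO_FTYPE.get(tclass)
    match = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != want:
            continue                      # e.g. a -c rule never applies to a directory
        if re.fullmatch(spec.regex, path):
            match = spec.context
    return match


def audit_labels(denials: list, specs: list) -> list:
    """Compare the label the kernel reported (tcontext) with what the rules say it should be."""
    findings = []
    for d in denials:
        if d.path is None:
            continue
        expected = expected_context(specs, d.path, d.tclass)
        actual_type = d.tcontext.split(':')[2]
        expected_type = expected.split(':')[2] if expected else None
        findings.append({'path': d.path, 'tclass': d.tclass, 'comm': d.comm,
                         'actual': actual_type, 'expected': expected_type,
                         'mislabeled': expected_type is not None and expected_type != actual_type})
    return findings


# The two rule shapes from the thread: comment 1's unfiltered rule and comment 3's -c rule.
UNFILTERED = [FcontextSpec(r'/dev/dvb/.*', None, 'system_u:object_r:v4l_device_t:s0')]
CHR_ONLY = [FcontextSpec(r'/dev/dvb/.*', 'c', 'system_u:object_r:v4l_device_t:s0')]

if __name__ == '__main__':
    for finding in audit_labels(parse_audit(SAMPLE_AUDIT), CHR_ONLY):
        print(finding)
    # The directory is only caught by the unfiltered rule, which is why restorecon in
    # comment 2 tried (and failed) to relabel /dev/dvb/adapter0 itself.
    print('dir under unfiltered rule:', expected_context(UNFILTERED, '/dev/dvb/adapter0', 'dir'))
    print('dir under -c rule:        ', expected_context(CHR_ONLY, '/dev/dvb/adapter0', 'dir'))
```

Run against a real `ausearch -m AVC` dump the same parser applies unchanged; the rule list is the part to replace with the entries `semanage fcontext -l` reports for the paths in question.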

Comment 4 Jón Fairbairn 2006-03-31 17:27:21 UTC
That works too.

Many thanks.

Comment 5 Daniel Walsh 2006-04-03 16:32:52 UTC
Fixed in selinux-policy-2.2.29-2.fc5

Comment 7 Daniel Walsh 2006-05-05 15:01:13 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed