Bug 1931334
| Summary: | SELinux prevents pcscd getattr access to filesystem /sys | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dick Marinus <dick> |
| Component: | selinux-policy-targeted | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 33 | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-24 20:35:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi,

The permission in the description will be allowed in the next build, see bz#1928611. You however have some others, can you share more details?

```
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
ls -lRZ /dev | grep ^c.*:device_t:
```

Very nice!
```
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
```

(removed pid, date/time and deduplicated)

```
avc: denied { getattr } for pid=xxx comm=pcscd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
avc: denied { getattr } for pid=xxx comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
avc: denied { map } for pid=xxx comm=gnome-shell path=/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache dev="sda2" ino=654653 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
avc: denied { read } for pid=xxx comm=gnome-shell name=org.signal.Signal.desktop dev="sda2" ino=654663 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
avc: denied { read } for pid=xxx comm=rpm name=rpmdb.sqlite dev="sda2" ino=785404 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
avc: denied { read write } for pid=xxx comm=rngd name=002 dev="devtmpfs" ino=183 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
```

```
# ls -lRZ /dev | grep ^c.*:device_t:
crw-rw----. 1 root kvm system_u:object_r:device_t:s0 10, 62 23 feb 20:37 udmabuf
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 23 feb 20:37 system
```
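As an added example that is not part of this bug thread or of any Fedora tooling, a small Python triage script that parses AVC lines of the two shapes quoted on this page (raw audit.log `type=AVC` records and `ausearch -i` output), merges them by source domain, target type and object class the way audit2allow does, and separately flags groups whose target type is a catch-all label such as device_t, which is what the `ls -lRZ /dev | grep device_t:` request above is probing for. The GENERIC_TYPES heuristic and the third sample line are my assumptions, not something the bug states.

```python
import re

# Constructed sample, modelled on the `ausearch -i` lines in this bug (pid/time
# stripped); the third line is invented: a chr_file denial against catch-all device_t.
SAMPLE_AVC = """\
avc: denied { getattr } for pid=xxx comm=pcscd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
avc: denied { read write } for pid=xxx comm=rngd name=002 dev="devtmpfs" ino=183 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(0.0:1): avc: denied { ioctl open read write } for pid=xxx comm="pcscd" name="hidraw0" dev="devtmpfs" ino=200 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
"""

# Heuristic (my assumption, not from the bug): a target carrying a catch-all type is
# usually mislabelled, so the fix is a file-context/udev label, not a new allow rule.
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}

# Matches raw audit.log records and `ausearch -i` output alike ("avc: denied { p } for ...").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return perms, source domain, target type, class and object name, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": f["scontext"].split(":")[2],  # contexts are user:role:TYPE:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "name": f.get("name", "?"),
    }

def triage(text):
    """Merge denials by (source domain, target type, class), as audit2allow does,
    and flag groups whose target type is a catch-all label for relabelling instead."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "names": set(), "labeling": False})
        g["perms"] |= rec["perms"]
        g["names"].add(rec["name"])
        g["labeling"] = rec["ttype"] in GENERIC_TYPES
    return groups

if __name__ == "__main__":
    for key, g in sorted(triage(SAMPLE_AVC).items()):
        print("relabel?" if g["labeling"] else "policy  ", key, sorted(g["perms"]), sorted(g["names"]))
```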
*** This bug has been marked as a duplicate of bug 1928611 ***
Description of problem:

When I connect my Yubikey I get the following audit message:

```
type=AVC msg=audit(1613981663.969:1064): avc: denied { getattr } for pid=731 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
```

audit2allow suggests the following policy:

```
module my-pcscd 1.0;

require {
	type device_t;
	type sysfs_t;
	type pcscd_t;
	class chr_file { ioctl open read write };
	class filesystem getattr;
}

#============= pcscd_t ==============
allow pcscd_t device_t:chr_file { ioctl open read write };
allow pcscd_t sysfs_t:filesystem getattr;
```