Bug 230628

Summary: SELinux rejects ub
Product: [Fedora] Fedora Reporter: Pete Zaitcev <zaitcev>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: dwalsh, jonathan.underwood, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-22 14:12:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 230322    
Bug Blocks:    

Description Pete Zaitcev 2007-03-01 21:21:31 UTC 
Hi, Dan:

Fedora has a capability to switch between ub and sd in runtime,
so please consider if a workaround for this would be feasible.
Since sd is the primary driver and ub is a workaround, this is a low
priority, but would be very nice to have.

-- Pete

+++ This bug was initially created as a clone of Bug #230322 +++

Version-Release number of selected component (if applicable):
2.6.19-1.2911.fc6 #1 SMP

-- Additional comment from zaitcev on 2007-02-28 13:00 EST --

BTW, what does happen if you boot with libusual.bias="ub" in grub.conf?

-- Additional comment from jonathan.underwood on 2007-03-01 06:07 EST --
Hi Pete, thanks for your response. Adding libusual.bias="ub" fixes the problem,
once I had disabled SElinux.  I'm not sure that the problem is specific to the
usb-storeage layer though, as I am also seeing soft lockups when vmware tries to
create its virtual ethernet interfaces.  These also disappear with
libusual.bias="ub"

[Just to put your mind at rest though - the problem originally reported in this
bug is present with an untainted kernel (i.e. without the vmware module loaded).]


As an aside, if there are any plans to enable libusual.bias="ub" out of the box,
then I guess the SElinux issue will need fixing up. The SElinux messages
displayed are:
 audit(1172746861.823:7): avc:  denied  { read } for  pid=5340
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=20335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file
audit(1172746861.824:8): avc:  denied  { ioctl } for  pid=5340
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=20335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file
SELinux: initialized (dev uba1, type vfat), uses genfs_contexts
audit(1172746862.109:9): avc:  denied  { getattr } for  pid=4470 comm="hald"
name="uba1" dev=tmpfs ino=20335 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

-- Additional comment from zaitcev on 2007-03-01 16:15 EST --
Thanks for the testing, Jonathan. I'll clone this bug for Dan Walsh regarding
the SElinux issue.
Comment 1 Daniel Walsh 2007-03-01 21:27:04 UTC 
The problem here is the devices are labeled incorrectly.  They are labeled 
as device_t.  uba1 should probably be labeled usb_device_t?
Comment 2 Daniel Walsh 2007-03-01 21:33:17 UTC 
If you execute this command does everything work?

semanage fcontext -a -t removable_device_t -f '-b' '/dev/ub[a-z][0-9]+'

you might have to run

restorecon -v /dev/ub*

Current policy only matches
dev/ub[a-z]
Comment 3 Pete Zaitcev 2007-03-01 21:45:01 UTC 
Adding Jon to cc:, to try the test (see comment #2).
Comment 4 Jonathan Underwood 2007-03-02 11:53:31 UTC 
I tried re-enabling SElinux and running those two commands, but it didn't work,
I still see this in dmesg:

audit(1172836335.532:20): avc:  denied  { read } for  pid=16589
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=834181
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

and the drive isn't mounted.
Comment 5 Daniel Walsh 2007-03-02 15:04:59 UTC 
I believe you need to reboot or restart udev. since udev is not rereading the
file_context file.
Comment 6 Jonathan Underwood 2007-03-02 15:24:22 UTC 
Thanks Daniel - I rebooted having run those two commands. On reboot I added
libusual.bias="ub" to the kernel options line, and sure enough plugging in a usb
key causes it to be mounted and the contents displayed, with no SElinux
grumbling at all.
Comment 7 Daniel Walsh 2007-03-02 17:03:18 UTC 
Fixed in selinux-policy-2.4.6-42
Comment 8 Daniel Walsh 2007-08-22 14:12:15 UTC 
Fixed in current release