Bug 238255

Summary: avc when adding a firewire camera
Product: [Fedora] Fedora Reporter: Stephanos Manos <stefmanos>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-21 14:24:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Stephanos Manos 2007-04-28 11:17:01 UTC
Description of problem:
When plugging a firewire camera on my system i get the following avc error in

    SELinux is preventing /usr/bin/setfacl (hald_acl_t) "getattr" access to
    device /dev/fw1.

Detailed Description
    SELinux has denied the /usr/bin/setfacl (hald_acl_t) "getattr" access to
    device /dev/fw1. /dev/fw1 is mislabeled, this device has the default label
    of the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/fw1. If this device remains labeled device_t, then
    this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/fw1, you can use
    chcon -t SIMILAR_TYPE /dev/fw1, If this fixes the problem, you can make this
    permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/fw1 If the
    restorecon changes the context, this indicates that the application that
    created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Allowing Access
    Attempt restorecon -v /dev/fw1 or chcon -t SIMILAR_TYPE /dev/fw1

Additional Information        

Source Context                system_u:system_r:hald_acl_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/fw1 [ chr_file ]
Affected RPM Packages         acl-2.2.39-3.1.fc7 [application]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device
Host Name                     ghost.home-net
Platform                      Linux ghost.home-net 2.6.21-1.3116.fc7 #1 SMP Thu
                              Apr 26 10:36:44 EDT 2007 i686 i686
Alert Count                   4
First Seen                    Σαβ 28 Απρ 2007 02:01:58 μμ EEST
Last Seen                     Σαβ 28 Απρ 2007 02:06:38 μμ EEST
Local ID                      96c87c7e-a0bd-4cc2-a197-3f406e6b28b8
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="setfacl" cwd="/usr/libexec" dev=00:10 egid=0
euid=0 exe="/usr/bin/setfacl" exit=-13 fsgid=0 fsuid=0 gid=0 inode=60172 item=0
items=1 mode=020600 name="fw1" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0
path="/dev/fw1" pid=5279 rdev=fb:01 scontext=system_u:system_r:hald_acl_t:s0
sgid=0 subj=system_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-04-28 13:27:01 UTC

Comment 2 Stephanos Manos 2007-05-20 18:47:49 UTC
fixed in latest selinux policy