Bug 427808

Summary: Plugging in an 'old USB CD drive' generates AVCs
Product: [Fedora] Fedora Reporter: Tom London <selinux>
Component: udevAssignee: Harald Hoyer <harald>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-13 11:35:00 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Tom London 2008-01-07 12:24:24 EST
Description of problem:
Running latest Rawhide, targeted/enforcing.

Plugging in an 'old USB CD drive', I got the following audit message:

[root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8

Summary:

SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).

Detailed Description:

SELinux denied access requested by ln(/bin/ln). It is not expected that this
access is required by ln(/bin/ln) and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for <Unknown>, restorecon -v <Unknown> If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:object_r:etc_t
Target Objects                None [ lnk_file ]
Source                        ln(/bin/ln)
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.2.5-8.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                             2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
                             12:46:45 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun Jan  6 10:30:15 2008
Last Seen                     Sun Jan  6 10:30:15 2008
Local ID                      fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
 denied  { create } for  pid=6933 comm="ln" name=".is-writeable"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)


Here are the messages from /var/log/messages:

Jan  6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
using uhci_hcd and address 4
Jan  6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
Jan  6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
Storage devices
Jan  6 10:30:06 localhost kernel: usb-storage: device found at 4
Jan  6 10:30:06 localhost kernel: usb-storage: waiting for device to
settle before scanning
Jan  6 10:30:11 localhost kernel: usb-storage: device scan complete
Jan  6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM            IBM
   USB CD-ROM       20A4 PQ: 0 ANSI: 0 CCS
Jan  6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
xa/form2 cdda pop-up
Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
Jan  6 10:30:18 localhost setroubleshoot: #012    SELinux is
preventing ln(/bin/ln) (udev_t) "create" to &lt;Unknown&gt;
(etc_t).#012     For complete SELinux messages. run sealert -l
fb77e7e0-3515-4866-9a8f-e1db99f9b4b8


Putting system in permissive mode, I get these:

type=AVC msg=audit(1199645179.126:34): avc:  denied  { create } for pid=7782
comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83 success=yes
exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0 ppid=7780 pid=7782
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ln" exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1199645179.245:35): avc:  denied  { unlink } for pid=7783
comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301 success=yes
exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0 ppid=7780 pid=7783
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="rm" exe="/bin/rm" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1199645179.255:36): avc:  denied  { append } for pid=7780
comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0 ino=11076866
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
context=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5 success=yes
exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761 pid=7780
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="write_cd_rules" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
udev-116-3.fc8

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2008-01-07 12:55:45 EST
When I tried this on my machine, udev wanted to write 

/etc/udev/rules.d/70-persistent-cd.rules

Which I think should be done in a post install not in the running of udev.  
Comment 2 Harald Hoyer 2008-01-08 06:48:53 EST
no, writing /etc/udev/rules.d/70-persistent-cd.rules is intented.
Comment 3 Tom London 2008-01-08 09:34:41 EST
OK. So this file (others too?) are appended as new/different devices are plugged in.

Here is current contents of 70-persistent-cd.rules:

# This file was automatically generated by the /lib/udev/write_cd_rules
# program, probably run by the cd-aliases-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line
# and set the $GENERATED variable.

# DVD-RAM_UJ-842 (pci-0000:00:1f.1-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="cdrom", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="cdrw", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="dvd", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="dvdrw", ENV{GENERATED}="1"
# IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*",
ENV{ID_SERIAL}=="TEAC_IBM_USB_CD-ROM_Drive_0000000005300129", SYMLINK+="cdrom1",
ENV{GENERATED}="1"
# IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*",
ENV{ID_PATH}=="pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0", SYMLINK+="cdrom2",
ENV{GENERATED}="1"

This is a Thinkpad X60.  I have 2 'docks', one at home, one at work, each with a
different CD/DVD drive (one is a DVD-ROM, the other a DVD-RW).

This message was produced when I hot-plugged in a portable USB CD-ROM (an old,
USB1 device).

Seems a bit funny to be adding this to 'persistent' list, but I presume its
description would need to be added somewhere...
Comment 4 Daniel Walsh 2008-01-08 10:59:18 EST
Harald, I know it is intended, I am questioning why?  And why in /etc?  /etc
should usually be considered a read/only directory,  And things that change
should be in /var.  /var/lib. /var/run, /var/cache.  I can write SELinux rules
to allow the cd rules to be written for this file and protect the others.  But
if this is really not a configuration file then it should be moved to another
directory.  SELinux likes to be able to write to entire directories instead of
certain files in a directory.
Comment 5 Harald Hoyer 2008-01-09 04:02:10 EST
Hmm, I know. I'll talk to the udev author.
Comment 6 Harald Hoyer 2008-02-20 06:27:53 EST
This is a configuration file. The admin can configure persistent names. New
devices are automatically added, if they appear.
Comment 7 Tom London 2008-04-12 21:16:03 EDT
I can no longer reproduce this.

Shall I presume it is fixed and close?
Comment 8 Harald Hoyer 2008-04-13 02:59:25 EDT
close this bug. if it ever reoccures, then you can always reopen this bug.