Bug 432600

Summary: setfacl by hal-acl-tool can't modify ACLs on SCSI generic devices
Product: [Fedora] Fedora
Reporter: Nils Philippsen <nphilipp>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 8
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:03:05 UTC

Description Nils Philippsen 2008-02-13 09:22:39 UTC
Description of problem:
I want to let HAL/PolicyKit give people access via ACLs to scanner devices so
they can use them from their SANE-enabled applications. While this works for USB
devices, I see no changes on the SCSI-generic devices for scanners even though
these HAL rules are in effect:

    <!-- SCSI scanners -->
    <match key="@info.parent:scsi.type" string="scanner">
      <match key="info.category" string="scsi_generic">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">linux.device_file</merge>
        <merge key="access_control.type" type="string">scanner</merge>
      </match>
    </match>

I straced hald and found that, with SELinux enforcing, the setxattr on the
device file isn't permitted.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8
selinux-policy-devel-3.0.8-81.fc8

How reproducible:
Reproducible

Steps to Reproduce:
1. Have HAL rules from above in place
2. With a switched-on SCSI scanner attached, enable it by way of
   'echo "scsi add-single-device ..." > /proc/scsi/scsi'
Actual results:
No ACLs granted on device file (/dev/sg3 in my case) for the console user.

[pid 17993] execve("/usr/libexec/hal-acl-tool", ["/usr/libexec/hal-acl-tool"...,
"--add-device"...], [/* 33 vars */]) = 0
Process 17996 attached (waiting for parent)
Process 17996 resumed (parent 17993 ready)
[pid 17996] execve("/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]Process 17993 suspended
) = 0
[pid 17996] getxattr("/dev/sg3", "system.posix_acl_access"..., 0x7fff23eab680,
132) = -1 ENODATA (No data available)
[pid 17996] setxattr("/dev/sg3", "system.posix_acl_access"...,
"\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x02\x00\x06\x00\xf4\x01\x00\x00\x04\x00\x06\x00\xff\xff\xff\xff\x10\x00\x06\x00\xff\xff\xff\xff
\x00\x00\x00\xff\xff\xff\xff", 44, 0) = -1 EACCES (Permission denied)

Raw Audit Messages :

avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0
exe=/usr/bin/setfacl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 pid=17996
scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0
subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0

Expected results:
ACLs get set on the device file.

Comment 1 Daniel Walsh 2008-02-13 14:10:38 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8
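The audit2allow step above turns the denial from the report into a single type-enforcement rule. As an added example (not part of the bug report or of audit2allow itself), the script below parses AVC lines in both the "Raw Audit Messages" form quoted above and the /var/log/audit/audit.log form, and merges repeated denials into one allow rule per source type, target type and class, so you can see exactly what a generated module would grant before loading it. The samples are constructed from the denial in this report; the audit.log timestamp and inode are made-up placeholders.

```python
import re
# Constructed samples: the first is the denial quoted in this report ("Raw Audit
# Messages" form), the second the same denial in /var/log/audit/audit.log form
# (its timestamp and inode are made-up placeholders).
RAW_AVC = (
    "avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0 exe=/usr/bin/setfacl "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 pid=17996 "
    "scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0 "
    "subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file "
    "tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0"
)
AUDIT_LOG_AVC = (
    'type=AVC msg=audit(1202894559.000:42): avc:  denied  { setattr } for  '
    'pid=17996 comm="setfacl" name="sg3" dev=tmpfs ino=1234 '
    "scontext=unconfined_u:system_r:hald_acl_t:s0 "
    "tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file"
)
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Parse one AVC line into a dict (decision, perms list, key=value fields); None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}  # audit.log quotes comm/name
    fields["decision"] = m.group("decision")
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """Return the type component of an SELinux context user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def format_rule(src, tgt, tclass, perms):
    """Render a type-enforcement allow rule in the syntax audit2allow prints."""
    body = " ".join(sorted(perms))
    wrapped = body if len(perms) == 1 else "{ " + body + " }"
    return f"allow {src} {tgt}:{tclass} {wrapped};"

def merged_rules(lines):
    """Collapse denials into one allow rule per (source type, target type, object class)."""
    perms_by_key = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        perms_by_key.setdefault(key, set()).update(avc["perms"])
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(perms_by_key.items())]
```

Review the source/target pair in each rule before loading a module built from it: a local module grants the listed permissions for every object of that type, not only for the device that triggered the denial.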



Comment 2 Daniel Walsh 2008-11-17 22:03:05 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.