Bug 518393

Summary: (staff_u) line of SELinux AVC denials with videocamera
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: bnocera, dwalsh, hdegoede, jkubin, mcepl, mgrepl, pbrobinson
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-29 21:45:36 UTC

Description Matěj Cepl 2009-08-20 09:05:20 UTC
I have bought a Logitech QuickCam Messenger for Red Hat testing (which works perfectly out of the box, thanks Hans!), but when connecting it as staff_u and trying ekiga on it I get a line of AVC denials, so I had to try it in Permissive mode:

Souhrn:

SELinux is preventing gstreamer-prope (staff_t) "read write" v4l_device_t.

Podrobný popis:

SELinux denied access requested by gstreamer-prope. It is not expected that this
access is required by gstreamer-prope and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:v4l_device_t:s0
Objekty cíle                 video0 [ chr_file ]
Zdroj                         gstreamer-prope
Cesta zdroje                  /usr/bin/gstreamer-properties
Port                          <Neznámé>
Počítač                    bradford
RPM balíčky zdroje          gnome-media-2.27.90.fix-1.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-78.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            bradford
Platforma                     Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP
                              Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Čt 20. srpen 2009, 10:27:05 CEST
Naposledy viděno             Čt 20. srpen 2009, 10:27:05 CEST
Místní ID                   9e8a4ca8-f5a8-467f-9a20-5e16d99cdf7a
Čísla řádků              

Původní zprávy auditu      

node=bradford type=AVC msg=audit(1250756825.364:31801): avc:  denied  { read write } for  pid=4982 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250756825.364:31801): arch=c000003e syscall=2 success=no exit=-13 a0=22e9410 a1=2 a2=1 a3=1 items=0 ppid=4933 pid=4982 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="gstreamer-prope" exe="/usr/bin/gstreamer-properties" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


-----------------------------------------------


Souhrn:

SELinux is preventing gstreamer-prope (staff_t) "write" v4l_device_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by gstreamer-prope. It is not expected that this
access is required by gstreamer-prope and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:v4l_device_t:s0
Objekty cíle                 video0 [ chr_file ]
Zdroj                         gstreamer-prope
Cesta zdroje                  /usr/bin/gstreamer-properties
Port                          <Neznámé>
Počítač                    bradford
RPM balíčky zdroje          gnome-media-2.27.90.fix-1.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-78.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            bradford
Platforma                     Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP
                              Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Počet upozornění           1
Poprvé viděno               Čt 20. srpen 2009, 10:27:37 CEST
Naposledy viděno             Čt 20. srpen 2009, 10:27:37 CEST
Místní ID                   054e0c90-1cb2-4617-bcab-407c55331a87
Čísla řádků              

Původní zprávy auditu      

node=bradford type=AVC msg=audit(1250756857.366:31811): avc:  denied  { write } for  pid=5101 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250756857.366:31811): arch=c000003e syscall=2 success=yes exit=14 a0=d18c00 a1=2 a2=1 a3=1 items=0 ppid=5054 pid=5101 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=2 comm="gstreamer-prope" exe="/usr/bin/gstreamer-properties" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)


--------------------------------


Souhrn:

SELinux is preventing ekiga (staff_t) "read" v4l_device_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by ekiga. It is not expected that this access is
required by ekiga and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                 system_u:object_r:v4l_device_t:s0
Objekty cíle                 video0 [ chr_file ]
Zdroj                         gstreamer-prope
Cesta zdroje                  /usr/bin/gstreamer-properties
Port                          <Neznámé>
Počítač                    bradford
RPM balíčky zdroje          ekiga-3.2.5-2.fc11
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.6.12-78.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall
Název počítače            bradford
Platforma                     Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP
                              Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Počet upozornění           5
Poprvé viděno               Čt 20. srpen 2009, 10:27:37 CEST
Naposledy viděno             Čt 20. srpen 2009, 10:45:04 CEST
Místní ID                   5903c9be-11c0-4c9c-9cde-8ca53fbd5a22
Čísla řádků              

Původní zprávy auditu      

node=bradford type=AVC msg=audit(1250757904.106:31813): avc:  denied  { read } for  pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file

node=bradford type=AVC msg=audit(1250757904.106:31813): avc:  denied  { open } for  pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file

node=bradford type=SYSCALL msg=audit(1250757904.106:31813): arch=c000003e syscall=2 success=yes exit=27 a0=c0edd0 a1=800 a2=7fffd54e6520 a3=7fffd54e6280 items=0 ppid=5460 pid=5461 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=2 comm="ekiga" exe="/usr/bin/ekiga" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Matěj Cepl 2009-08-20 09:08:00 UTC
audit2allow is probably too kind to me when it suggests:

#============= staff_sudo_t ==============
allow staff_sudo_t staff_t:tcp_socket { read write };

#============= staff_t ==============
allow staff_t v4l_device_t:chr_file { read write open };
bradford:~# 

(I guess the second rule could make some sense)

Comment 2 Hans de Goede 2009-08-20 09:11:39 UTC
This does not seem to be a libv4l problem, but rather a selinux-policy one, changing component.

Comment 3 Matěj Cepl 2009-08-20 09:12:54 UTC
(In reply to comment #2)
> This does not seem to be a libv4l problem, but rather a selinux-policy one,
> changing component.  

You are probably right, this is so widespread all over the place that it was my mistake to pin it to one individual component.

Comment 4 Daniel Walsh 2009-08-20 13:07:56 UTC
What are the security ramifications of allowing a confined user to read/write these devices?

/dev/vtx.*	-c	system_u:object_r:v4l_device_t:s0
/dev/vbi.*	-c	system_u:object_r:v4l_device_t:s0
/dev/tlk[0-3]	-c	system_u:object_r:v4l_device_t:s0
/dev/dvb/.*	-c	system_u:object_r:v4l_device_t:s0
/dev/video.*	-c	system_u:object_r:v4l_device_t:s0
/dev/radio.*	-c	system_u:object_r:v4l_device_t:s0
/dev/em8300.*	-c	system_u:object_r:v4l_device_t:s0
/dev/raw1394.*	-c	system_u:object_r:v4l_device_t:s0
/dev/winradio.	-c	system_u:object_r:v4l_device_t:s0
/dev/sonypi	-c	system_u:object_r:v4l_device_t:s0
/dev/vttuner	-c	system_u:object_r:v4l_device_t:s0
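
The two questions raised in comment 1 (is every rule audit2allow printed actually backed by a denial in this report?) and comment 4 (what else does a rule on v4l_device_t reach?) can be answered mechanically from the text already in this bug. The following script is an added example, not code from the bug or from selinux-policy: it parses the AVC records from the Description, unions the denied permissions into the minimal allow rule, flags any proposed rule that no parsed denial asks for, and lists the file_contexts entries carrying the target type. The AVC lines, the audit2allow output and the file_contexts entries are copied from the comments above; the function names are the example's own.

```python
"""Triage of the AVC denials in this report: rebuild the minimal allow rule from
the audit records, check an audit2allow proposal against it, and list every
file_contexts entry the target type covers."""
import re
from collections import defaultdict

# AVC records pasted in the Description (audit ids 31801, 31811 and 31813).
AVC_LINES = """
node=bradford type=AVC msg=audit(1250756825.364:31801): avc:  denied  { read write } for  pid=4982 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250756857.366:31811): avc:  denied  { write } for  pid=5101 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250757904.106:31813): avc:  denied  { read } for  pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250757904.106:31813): avc:  denied  { open } for  pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
"""

# audit2allow output quoted in comment 1.
AUDIT2ALLOW_OUTPUT = """
#============= staff_sudo_t ==============
allow staff_sudo_t staff_t:tcp_socket { read write };

#============= staff_t ==============
allow staff_t v4l_device_t:chr_file { read write open };
"""

# file_contexts entries for v4l_device_t quoted in comment 4.
FILE_CONTEXTS = """
/dev/vtx.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/vbi.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/tlk[0-3]\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/dvb/.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/video.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/radio.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/em8300.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/raw1394.*\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/winradio.\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/sonypi\t-c\tsystem_u:object_r:v4l_device_t:s0
/dev/vttuner\t-c\tsystem_u:object_r:v4l_device_t:s0
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)".*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(r'^\s*allow\s+(\S+)\s+([^:\s]+):(\S+)\s+\{\s*([^}]+?)\s*\};')
FC_RE = re.compile(r'^(\S+)\s+(?:-\S|--)?\s*(\S+)$')  # path-regex [filetype] context


def type_of(context):
    """Third field of user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(text):
    """Denied AVC records -> (comm, source type, target type, class, perms) tuples."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group('verdict') == 'denied':
            events.append((m.group('comm'), type_of(m.group('scontext')),
                           type_of(m.group('tcontext')), m.group('tclass'),
                           frozenset(m.group('perms').split())))
    return events


def aggregate_rules(events):
    """Union the denied permissions per (source, target, class) triple."""
    wanted = defaultdict(set)
    for _comm, stype, ttype, tclass, perms in events:
        wanted[(stype, ttype, tclass)] |= perms
    return {key: frozenset(perms) for key, perms in wanted.items()}


def render_te(rules):
    """Minimal TE allow rules, one per triple, permissions sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def unsupported_rules(te_text, rules):
    """allow rules in te_text that no parsed denial asks for (a triple never
    seen, or a permission beyond the observed set); these need a separate
    justification before they go into a local module."""
    flagged = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        key, perms = (m.group(1), m.group(2), m.group(3)), set(m.group(4).split())
        if key not in rules or not perms <= rules[key]:
            flagged.append(line.strip())
    return flagged


def paths_labeled(fc_text, ttype):
    """Every file_contexts path regex whose context carries type ttype, i.e.
    the full reach of any allow rule naming that type as target."""
    return [m.group(1) for m in map(FC_RE.match, fc_text.splitlines())
            if m and type_of(m.group(2)) == ttype]


def label_for_path(path, fc_text):
    """Type a path would receive: regexes are anchored and the last matching
    entry wins, as file_contexts(5) describes (the -c file-type column is
    ignored here)."""
    label = None
    for m in map(FC_RE.match, fc_text.splitlines()):
        if m and re.fullmatch(m.group(1), path):
            label = type_of(m.group(2))
    return label


if __name__ == "__main__":
    rules = aggregate_rules(parse_avc(AVC_LINES))
    print("\n".join(render_te(rules)))
    print("not backed by a denial in this report:",
          unsupported_rules(AUDIT2ALLOW_OUTPUT, rules))
    for (_s, ttype, _c) in rules:
        print(ttype, "covers", paths_labeled(FILE_CONTEXTS, ttype))
```

Run on the report's own lines, the rebuilt rule is `allow staff_t v4l_device_t:chr_file { open read write };`, which matches audit2allow's second rule; the staff_sudo_t tcp_socket rule is flagged because nothing in this report's denials supports it, which is what "too kind" amounts to here. The last loop makes Dan's question concrete: the type also labels the DVB, radio, raw1394 and sonypi nodes, so the grant in comment 5 is wider than the webcam that prompted it.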

Comment 5 Daniel Walsh 2009-08-20 13:12:20 UTC
I think we should probably allow it.

Miroslav, add

	dev_read_video_dev($1)
	dev_write_video_dev($1)

to
userdom_xwindows_client

Comment 6 Miroslav Grepl 2009-08-20 15:09:32 UTC
Fixed in selinux-policy-3.6.12-79.fc11

Comment 7 Peter Robinson 2009-09-29 21:29:29 UTC
Any reason this is still open?