Bug 603198

Summary: SELinux AVC denials with lirc irman
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Carsten Clasohm <clasohm>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 17:08:40 UTC

Description Carsten Clasohm 2010-06-11 20:22:02 UTC
Description of problem:

When SELinux is in enforcing mode, lirc cannot access /dev/ttyS0. This breaks lirc's support for "irman" infrared receivers, which are connected to the serial port.


Version-Release number of selected component (if applicable):

lirc-0.8.6-7.fc13.x86_64
selinux-policy-targeted-3.7.19-23.fc13.noarch


How reproducible:

always


Steps to Reproduce:
1. configure lirc for irman
2. "service lirc start" as root
3. "irw" as normal user

  
Actual results:

This is shown in /var/log/messages:

lircd-0.8.6[8239]: lircd(irman) ready, using /var/run/lirc/lircd
lircd-0.8.6[8239]: accepted new client on /var/run/lirc/lircd
lircd-0.8.6[8239]: could not open /dev/ttyS0
lircd-0.8.6[8239]: irman_init(): Permission denied
lircd-0.8.6[8239]: Failed to initialize hardware

There are no AVC denied entries in /var/log/audit/audit.log except for the following:

avc:  denied  { open } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

But even if I create and load a SELinux module with the following content, lircd still cannot access /dev/ttyS0 as long as SELinux is in enforcing mode. lirc only works if I put SELinux into permissive mode with "setenforce 0". No SELinux messages are logged in this case.

policy_module(lirccustom, 1.0)

require {
        type lircd_t;
        type tty_device_t;
}

allow lircd_t tty_device_t:chr_file { open };


Expected results:

lirc configured for irman should work with SELinux in enforcing mode.


Additional info:
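
An added example, not part of the original report and not code from the selinux-policy project: a small Python check that parses AVC denial lines like the one quoted above and lists the denied permissions that a local module's allow rules do not cover. The second sample denial is constructed and does not come from this report; all function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input. Line 1 is the denial quoted in the report; line 2 is NOT
# from the report: it is a made-up denial of the kind that is only logged once
# dontaudit rules are disabled (semodule -DB).
CTX = ("scontext=unconfined_u:system_r:lircd_t:s0 "
       "tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file")
SAMPLE_AUDIT = "\n".join(
    'avc:  denied  { %s } for  pid=6214 comm="lircd" name="ttyS0" '
    "dev=devtmpfs ino=5540 %s" % (perms, CTX)
    for perms in ("open", "read write"))
# The allow rule from the reporter's lirccustom module.
SAMPLE_MODULE = "allow lircd_t tty_device_t:chr_file { open };"

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for perms, rest in AVC_RE.findall(audit_text):
        f = dict(FIELD_RE.findall(rest))
        key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        denied[key] |= set(perms.split())
    return denied


def parse_allows(policy_text):
    """Map (source type, target type, class) -> set of allowed permissions."""
    allowed = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy_text):
        allowed[(src, tgt, cls)] |= set((braced or single).split())
    return allowed


def missing_rules(audit_text, policy_text):
    """Emit allow rules for denied permissions the local module does not cover."""
    allowed = parse_allows(policy_text)
    return ["allow %s %s:%s { %s };" % (*key, " ".join(sorted(perms - allowed[key])))
            for key, perms in sorted(parse_denials(audit_text).items())
            if perms - allowed[key]]


if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE_AUDIT, SAMPLE_MODULE)))
```
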

Comment 1 Daniel Walsh 2010-06-16 17:14:44 UTC
Miroslav, add

term_use_unallocated_ttys(lircd_t)

Comment 2 Miroslav Grepl 2010-06-16 20:27:10 UTC
Fixed in selinux-policy-3.7.19-30.fc13

Comment 3 Fedora Update System 2010-06-30 19:54:21 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 4 Fedora Update System 2010-07-01 18:48:12 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:06:39 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.