| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux is preventing acpid from 'read' accesses on the chr_file event4. | | |
| Product: | [Fedora] Fedora | Reporter: | Clyde E. Kunkel <clydekunkel7734> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh, jamescape777, mgrepl, zimon |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:352b07c5c13d27464c46dc3d757ed23e5e0f6c3056b8d6ee00322818822d2581 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-21 16:42:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
How is /dev/mouse/event4 labeled now? # ls -Z /dev/input/event4 Were you plugging in a mouse or doing suspend/resume?

$ sudo ls -Z /dev/input/event4
crw-r-----. root root system_u:object_r:event_device_t:s0 /dev/input/event4

No new events. I do have a USB mouse and keyboard on an external KVM switch and perhaps I caught an event switching to/from another system. Will try several switches and see what happens. I have seen, for many months now, USB mouse events in dmesg as a result of KVM switching.

This is a race condition, where udev is not relabeling the device fast enough when it gets created, before apmd gets ahold of the device. I would hope the new kernel_t filename trans rules would fix this problem.

Created attachment 848938 [details]
SElinux alert text
I got this today. Maybe started after upgrading from Fedora 19 to Fedora 20. And it is repeatable for me, happens every time now. Haven't rebooted and checked after that though.
"Jan 12 17:03:11 mylocalhost setroubleshoot: SELinux is preventing /usr/sbin/acpid from read access on the chr_file event21."
It happens if I unplug a USB camera at /dev/video0 (or /dev/video1, I have two) and then re-attach it. The webcams do not work either after this unplug-plug cycle.
The same happens if I remove the driver (modprobe -r pwc) and then reload it.
SElinux alert attached.
And if I try to use the webcams after this unplug-plug cycle (and the acpid complaint), they do not work:
"
$ cvlc v4l2:///dev/video0
VLC media player 2.1.2 Rincewind (revision 2.1.2-0-ga4c4876)
[0x1a2f2b8] dummy interface: using the dummy interface module...
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e68] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e68] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc008c88] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc008c88] main input error: Your input can't be opened
[0x7f93cc008c88] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e48] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc005eb8] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc005eb8] main input error: Your input can't be opened
[0x7f93cc005eb8] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e28] v4l2 demux error: cannot start streaming: No space left on device
....and so on...
"
Created attachment 848939 [details]
syslog: SELinux complains about acpid access violation when pwc device is unplugged and re-plugged
Rebooting the machine didn't fix the sealert issue; it still complains about acpid read access on the chr_file event if I unplug and plug the webcam. But this time the pwc camera does work after the unplug cycle, despite the SELinux whining.
"Jan 12 17:48:25 mylocalhost dbus[1071]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'"
This is the device btw which causes that acpid selinux alert issue:
"
$ v4l2-ctl --all -d /dev/video1
Driver Info (not using libv4l2):
Driver name : pwc
Card type : Logitech QuickCam Pro 4000
Bus info : usb-0000:00:1d.0-1.2.4.2
Driver version: 3.12.6
Capabilities : 0x85000001
Video Capture
Read/Write
Streaming
Device Capabilities
Device Caps : 0x05000001
Video Capture
Read/Write
Streaming
Priority: 2
Video input : 0 (Camera: ok)
Format Video Capture:
Width/Height : 640/480
Pixel Format : 'YU12'
Field : None
Bytes per Line: 640
Size Image : 460800
Colorspace : SRGB
Streaming Parameters Video Capture:
Capabilities : timeperframe
Frames per second: 15.000 (15/1)
Read buffers : 2
User Controls
....
"
Could you attach raw AVC message?

It was (I think) already in my first message as an attachment in the end: https://bugzilla.redhat.com/attachment.cgi?id=848938
"
Raw Audit Messages
type=AVC msg=audit(1389538991.602:54110): avc: denied { read } for pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1389538991.602:54110): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff7a3cf2b0 a1=80800 a2=7fff7a3cf2b0 a3=3c items=0 ppid=1 pid=1055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=acpid exe=/usr/sbin/acpid subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: acpid,apmd_t,device_t,chr_file,read
"

We have filetrans rules for the first 20... This is a race condition.

commit 85e70c44ceec161c858554c6d3f2d79d3954341a
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 13 17:57:05 2014 +0100
Add filename trans also for event21
SELinux is preventing acpid from 'read' accesses on the chr_file event4.

```
***** Plugin device (91.4 confidence) suggests *****************************

If you want to allow acpid to have read access on the event4 chr_file
Then you need to change the label on event4 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'event4'
# restorecon -v 'event4'

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that acpid should be allowed read access on the event4 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                event4 [ chr_file ]
Source                        acpid
Source Path                   acpid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-15.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.39-0.rc4.git8.0.fc16.x86_64 #1 SMP Tue Apr 26 20:25:03 UTC 2011 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 23 Apr 2011 10:01:12 AM EDT
Last Seen                     Thu 28 Apr 2011 03:35:18 PM EDT
Local ID                      c37af328-0255-433e-a2e3-cf02b09f7848

Raw Audit Messages
type=AVC msg=audit(1304019318.480:231): avc: denied { read } for pid=1310 comm="acpid" name="event4" dev=devtmpfs ino=460954 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Hash: acpid,apmd_t,device_t,chr_file,read

audit2allow
#============= apmd_t ==============
allow apmd_t device_t:chr_file read;

audit2allow -R
#============= apmd_t ==============
allow apmd_t device_t:chr_file read;
```
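The thread above turns on one triage question: is a denial like `apmd_t` reading a `device_t` chr_file a missing allow rule, or a node that was opened before udev relabeled it (the race dwalsh describes, fixed by a filename transition rather than the `allow apmd_t device_t:chr_file read;` that audit2allow would emit)? The script below is an added example, not part of the bug report or of the selinux-policy project. It parses raw AVC records, rebuilds the setroubleshoot hash key and the audit2allow-style rule, and flags `eventN` nodes still labeled with the generic `device_t` as a probable labeling race, printing the kind of named file transition the fix commit adds. The creating domain (`kernel_t`) and the parent directory type (`device_t`) in that suggested rule are assumptions drawn from the discussion; the sample log is constructed from the two AVC records quoted on this page.

```python
"""Triage SELinux AVC denials of the acpid/eventN kind discussed in this bug.

Added example, not code from the bug report or the selinux-policy project.
The creator domain and parent-directory type used in the suggested
type_transition are assumptions taken from the thread's discussion.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# AVC record as written by the kernel audit subsystem: a brace-delimited
# permission set followed by key=value pairs (values bare or double-quoted).
AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample: the two AVC records quoted in this bug, plus the SYSCALL
# record that accompanies the first one in the audit log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389538991.602:54110): avc:  denied  { read } for  pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1389538991.602:54110): arch=x86_64 syscall=open success=no exit=EACCES comm="acpid" exe="/usr/sbin/acpid" subj=system_u:system_r:apmd_t:s0
type=AVC msg=audit(1304019318.480:231): avc:  denied  { read } for  pid=1310 comm="acpid" name="event4" dev=devtmpfs ino=460954 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
"""

EVENT_NODE = re.compile(r"^event\d+$")  # /dev/input/eventN device nodes


def context_type(ctx: str) -> str:
    """Type component of user:role:type[:range]; unchanged if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: List[str]
    fields: Dict[str, str]

    def stype(self) -> str:
        return context_type(self.fields.get("scontext", ""))

    def ttype(self) -> str:
        return context_type(self.fields.get("tcontext", ""))


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC denial; returns None for SYSCALL and other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, raw, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else bare
    return AvcDenial(float(m.group("ts")), int(m.group("serial")),
                     m.group("perms").split(), fields)


def hash_key(d: AvcDenial) -> str:
    """setroubleshoot-style key, e.g. 'acpid,apmd_t,device_t,chr_file,read'."""
    return ",".join([d.fields.get("comm", "?"), d.stype(), d.ttype(),
                     d.fields.get("tclass", "?"), ",".join(d.perms)])


def allow_rule(d: AvcDenial) -> str:
    """The blanket rule audit2allow would emit; shown, not recommended."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.stype()} {d.ttype()}:{d.fields['tclass']} {perms};"


def probable_label_race(d: AvcDenial) -> bool:
    """An eventN node still carrying the generic device_t type was opened
    before udev relabeled it to event_device_t: the race in this bug."""
    return (d.ttype() == "device_t" and d.fields.get("tclass") == "chr_file"
            and EVENT_NODE.match(d.fields.get("name", "")) is not None)


def filetrans_rule(d: AvcDenial, creator: str = "kernel_t",
                   new_type: str = "event_device_t") -> str:
    """Named file transition so the node is created with the right type.
    creator (domain making the node) and the parent directory type, taken
    here as the denial's device_t, are assumptions from the thread."""
    return (f'type_transition {creator} {d.ttype()}:{d.fields["tclass"]} '
            f'{new_type} "{d.fields["name"]}";')


def triage(log: str) -> List[dict]:
    """One summary dict per AVC denial found in the log text."""
    out = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = {"serial": d.serial, "hash": hash_key(d),
                 "audit2allow": allow_rule(d), "race": probable_label_race(d)}
        if entry["race"]:
            entry["fix"] = filetrans_rule(d)
        out.append(entry)
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_AUDIT_LOG):
        print(entry)
```

Run it against `/var/log/audit/audit.log` content instead of the constructed sample to check whether a new `apmd_t`/`device_t` denial is the same race (then a `type_transition` for that node name is the fix) or something that genuinely needs policy review; the `audit2allow` line is printed only so the two options can be compared side by side.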