| Summary: | lircd works when launched from prompt only | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mark Mayfield <mayfield_mark> |
| Component: | selinux-policy | Assignee: | Jarod Wilson <jarodwilson> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | bnocera, dominick.grift, dwalsh, jarodwilson, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-23 22:44:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Mark Mayfield
2011-05-09 15:36:20 UTC
When lircd is run from a console and works, is that as root, or as your desktop user? In any case, this sounds like a permissions issue on /dev/ttyUSB0, which isn't really something lirc has anything to do with... What does 'ls -lZ /dev/ttyUSB0' show?

I use sudo to run it from the console. But when I run it from the console my client program (vlc) is able to use lirc. When I use service management it is not. Either way the process shows up to be owned by root and the permissions on /dev/ttyUSB0 are the same.

ls -lZ /dev/ttyUSB0
crw-rw----. root dialout system_u:object_r:tty_device_t:s0 /dev/ttyUSB0

I thought it sounded like a permission issue but could not determine why it would work from console and not service script. I do not get any avc denials for ttyUSB0. I had some for lircd.conf and a couple of other things but I resolved those. I have no problem reclassifying it from lirc to another component, I just don't know where the problem is coming from. Usually lirc has modules that have to be loaded but my ir receiver has an independent module, ftdi_sio. But it is a supported module and I have not had these problems with it before, or with the ttyUSB0 device.

Sorry for the lack of reply, but I haven't a clue where to point you.

resolved

I'm sure I set SELINUX to permissive before and it did not work but after running some updates and trying again the issue has been resolved. This time when I set selinux to permissive and ran the client I got a SELINUX troubleshooter notification, the details helped me fix the problem. I had to set the following boolean.

sudo setsebool -P allow_daemons_use_tty 1

Why the troubleshooter does not issue a denial when SELINUX is enabled I don't understand. It's also puzzling why it would work when launched from the prompt under the exact same SELINUX environment it did not work from with the service script. LIRCD is a daemon whether started from a service or the command line, isn't it? Maybe the SELINUX team should be informed of this?
Also is it possible to have the lirc context so that it can use a tty device without allowing all daemons? I tried to create a policy module to do this with

cat /var/log/audit/audit.log | audit2allow -M mylirc
semodule -i mylirc.pp

It did not work. I did not close the bug to ensure this would be read. Please feel free to close the issue upon reviewing.

I moved this over to SELINUX since it is where the problem was. I have it working but thought the SELINUX team might want to have a peek at it.

SELinux expects tty usb device nodes in: /dev/usb/, not sure why yours is /dev/ttyUSB0

/dev/ttyUSB0 is mislabelled. It currently is labelled unallocated tty (tty_device_t) but it should be labelled usb tty device (ttyusb_device_t). Nonetheless even if it would be /dev/usb/ttyUSB0 (usbtty_device_t), lircd would still be denied access because lircd is currently not allowed to use usb tty devices. There is a rule that allows lircd to use generic usb devices. I have a feeling that this rule was added due to a similar mislabelled node. So in my view we need to fix the labelling of tty usb devices (named filetrans?) and then allow lircd to use properly labelled tty usb device nodes instead of generic usb device nodes.

Something like this (I am sure that I have overlooked stuff):

diff --git policy/modules/kernel/terminal.fc policy/modules/kernel/terminal.fc index 6727eb7..e398357 100644 --- policy/modules/kernel/terminal.fc +++ policy/modules/kernel/terminal.fc @@ -19,6 +19,7 @@ /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ttyUSB.* -c gen_context(system_u:object_r:usbtty_device_t,s0) /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) 
diff --git policy/modules/kernel/terminal.if policy/modules/kernel/terminal.if index ea0ff94..bf8b146 100644 --- policy/modules/kernel/terminal.if +++ policy/modules/kernel/terminal.if @@ -1308,6 +1308,26 @@ ######################################## ## <summary> +## Read from and write USB tty +## character device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_use_usb_ttys',` + gen_require(` + type usbtty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 usbtty_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> ## Get the attributes of all tty device nodes. ## </summary> ## <param name="domain"> @@ -1971,6 +1991,16 @@ dev_filetrans($1, tty_device_t, chr_file, "ttySG7") dev_filetrans($1, tty_device_t, chr_file, "ttySG8") dev_filetrans($1, tty_device_t, chr_file, "ttySG9") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8") + dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9") dev_filetrans($1, virtio_device_t, chr_file, "vport0p0") dev_filetrans($1, virtio_device_t, chr_file, "vport0p1") dev_filetrans($1, virtio_device_t, chr_file, "vport0p2") diff --git policy/modules/services/lircd.te policy/modules/services/lircd.te index a32fbe8..b37e4e0 100644 --- policy/modules/services/lircd.te +++ policy/modules/services/lircd.te 
@@ -45,7 +45,7 @@ corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) -dev_rw_generic_usb_dev(lircd_t) +dev_rw_generic_usb_dev(lircd_t) # not sure if this is really right. dev_read_mouse(lircd_t) dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) @@ -58,6 +58,7 @@ files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) logging_send_syslog_msg(lircd_t)

Looks good to me, should be checked into F16 and back ported.

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=105865a08aaed4270d62ff44ca919b1ca1a93922

I do not know if back porting this change is such a good idea, since this may break anything depending on /dev/ttyUSB[0-9]+ character device nodes being labeled type tty_device_t.

Let's test it for a while and then I could backport it.
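Review bot: the `/dev/ttyUSB.*` pattern added in the terminal.fc hunk is looser than its neighbours (`/dev/slamr[0-9]+`, `/dev/vport[0-9]p[0-9]+`) and than the filetrans rules added later in the same patch, which only name ttyUSB0 through ttyUSB9; suggest `/dev/ttyUSB[0-9]+` so the regex and the filetrans list describe the same set of nodes. Since these nodes are currently labelled tty_device_t (see the ls -lZ output earlier), any domain that relied on that label will lose access after a relabel, which is the backport concern raised at the end of the thread and worth stating in the commit message.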
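Review bot: the `term_use_usb_ttys` interface hunk does `gen_require` on `usbtty_device_t`, while the comment introducing the patch calls the type `ttyusb_device_t` in one sentence and `usbtty_device_t` in the next; confirm the name actually declared in terminal.te before this is committed, since a gen_require on an undeclared type fails at policy build rather than at runtime.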
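Review bot: the dev_filetrans hunk enumerates the literal names ttyUSB0 to ttyUSB9, so a node created with a higher number (a tenth adapter, or a renumbered one after replugging) gets no transition and carries the default label for a new node in /dev until restorecon applies the .fc regex; name-based filetrans cannot take patterns, so either document the 0-9 limit next to the rules or extend the list to cover the device counts you expect, and keep it in step with whatever pattern the .fc entry ends up using.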
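Review bot: in the lircd.te hunk the `-dev_rw_generic_usb_dev(lircd_t)` / `+dev_rw_generic_usb_dev(lircd_t) # not sure if this is really right.` pair changes no policy and only records an open question, yet the stated motivation is to let lircd use properly labelled USB tty nodes instead of generic USB device nodes; either drop the rule after confirming lircd has no other need for generic usb device access, or leave the line untouched so the committed policy does not carry a "not sure" comment.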
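The .fc line and the filetrans list in the patch are two separate labelling mechanisms: a regex applied when files are relabelled (setfiles/restorecon) and a set of literal names applied when a node is created. The Python below, added here and not part of the bug thread or of selinux-policy, resolves a few device paths against the patched terminal.fc lines and reports where the two mechanisms disagree. The parser and last-match lookup are a simplification of libselinux (which first sorts specs by specificity; the sample is already in that order); the sample lines are the ones from the hunk, and the `/dev/ttyUSB[0-9]+` variant is an assumption of mine, not something in the patch.

```python
"""Toy SELinux file_contexts matcher for the terminal.fc change discussed above.

Added example, not code from the bug thread or from selinux-policy. It parses
.fc source lines in the gen_context() form used in the patch, anchors each path
regex the way setfiles/libselinux do (^...$), honours the file-type flag (-c for
character devices) and returns the last matching spec. Real libselinux sorts the
specs so the most specific one comes last before doing that; the constructed
sample below is already in that order, so plain last-match is faithful here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# .fc file-type flags mapped onto stat-style type letters.
FTYPE_FLAGS = {"-b": "b", "-c": "c", "-d": "d", "-p": "p", "-l": "l", "-s": "s", "--": "-"}

# gen_context(system_u:object_r:tty_device_t,s0) -> system_u:object_r:tty_device_t:s0
GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,]+),([^)]+)\)")


@dataclass
class FcSpec:
    regex: "re.Pattern"
    ftype: Optional[str]  # None means the spec applies to any file type
    context: str


def parse_fc(text: str) -> List[FcSpec]:
    """Parse .fc source lines: PATH_REGEX [TYPE_FLAG] gen_context(CTX,MLS)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path = fields[0]
        ftype = FTYPE_FLAGS[fields[1]] if len(fields) == 3 else None
        m = GEN_CONTEXT_RE.fullmatch(fields[-1])
        context = f"{m.group(1)}:{m.group(2)}" if m else fields[-1]
        specs.append(FcSpec(re.compile("^" + path + "$"), ftype, context))
    return specs


def lookup(specs: List[FcSpec], path: str, ftype: str = "c") -> Optional[str]:
    """Context of the last spec matching PATH for a file of type FTYPE, or None."""
    result = None
    for spec in specs:
        if spec.ftype not in (None, ftype):
            continue
        if spec.regex.match(path):
            result = spec.context
    return result


def filetrans_gap(specs, names, candidates, wanted: str) -> List[str]:
    """Names the .fc spec would relabel to WANTED but that have no literal
    filetrans rule, i.e. nodes created with the wrong label until restorecon."""
    return [n for n in candidates
            if lookup(specs, "/dev/" + n) == wanted and n not in names]


# Constructed sample: the terminal.fc context lines plus the added ttyUSB line,
# as they appear in the hunk.
PATCHED_FC = """\
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ttyUSB.* -c gen_context(system_u:object_r:usbtty_device_t,s0)
/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
"""
# Assumed tighter alternative for comparison; not part of the patch.
STRICT_FC = PATCHED_FC.replace("/dev/ttyUSB.*", "/dev/ttyUSB[0-9]+")

PATCHED = parse_fc(PATCHED_FC)
STRICT = parse_fc(STRICT_FC)
USBTTY = "system_u:object_r:usbtty_device_t:s0"
# The ten literal names the dev_filetrans hunk adds (filetrans takes names, not patterns).
FILETRANS_NAMES = frozenset(f"ttyUSB{i}" for i in range(10))

if __name__ == "__main__":
    for path in ("/dev/ttyUSB0", "/dev/ttyUSB10", "/dev/ttyUSBjunk", "/dev/ttySG1"):
        print(f"{path:17} patched={lookup(PATCHED, path)}  strict={lookup(STRICT, path)}")
    print("created with wrong label until restorecon:",
          filetrans_gap(PATCHED, FILETRANS_NAMES, ["ttyUSB0", "ttyUSB9", "ttyUSB10"], USBTTY))
```

Running it shows that `/dev/ttyUSB.*` accepts a name like `/dev/ttyUSBjunk` that `[0-9]+` rejects, that both patterns label `ttyUSB10` as usbtty_device_t while the filetrans list stops at `ttyUSB9`, and that a block device at the same path matches nothing because every spec carries `-c`.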