Bug 967279
Summary: | libusb using applications need udev access with latest libusb-1.2.0 | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Hans de Goede <hdegoede> | ||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 19 | CC: | dominick.grift, dwalsh, mgrepl | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | selinux-policy-3.12.1-47.fc19 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2013-05-30 03:34:28 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Great, thank you. I added fixes. selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19 Package selinux-policy-3.12.1-47.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 753278 [details] List with all packages using libusb-1.x in Fedora Hi, As one of the libusb developers I'm currently working towards a new libusb-1.2.0 release, one of the new festures this release will have is hotplug support. So that apps using libusb can dynamically detect devices coming and going away. Some apps already this by hooking into udev themselves, for other libusb applications the use of udev will be new. Since the new libusb also relies on udev for initial enumeration, all libusb1 using applications will need access to the udev netlink socket now. During development and testing of the new libusb, I've noticed that selinux blocks udev access for at least the following applications: ### type=AVC msg=audit(1369561022.59:416): avc: denied { create } for pid=2961 comm="hp" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Objects [ netlink_kobject_uevent_socket ] Source usb Source Path /usr/lib/cups/backend/usb Port <Unknown> Host shalem.localdomain Source RPM Packages hplip-3.13.5-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-44.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing ### type=AVC msg=audit(1369560976.357:408): avc: denied { create } for pid=2822 comm="fprintd" scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=netlink_kobject_uevent_socket type=SYSCALL msg=audit(1369560976.357:408): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=80803 a2=f a3=2175400 items=0 ppid=1 pid=2822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0 key=(null) Source Context system_u:system_r:fprintd_t:s0 Target Context system_u:system_r:fprintd_t:s0 Target Objects [ netlink_kobject_uevent_socket ] Source fprintd Source Path /usr/libexec/fprintd Port <Unknown> Host shalem.localdomain Source RPM Packages fprintd-0.5.0-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-44.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing ### type=AVC msg=audit(1369139283.868:702): avc: denied { create } for pid=13834 comm="gpsd" scontext=system_u:system_r:gpsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gpsd_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket type=SYSCALL msg=audit(1369139283.868:702): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=80803 a2=f a3=1d6d1b0 items=0 ppid=1 pid=13834 auid=4294967295 uid=99 gid=18 euid=99 suid=99 fsuid=99 egid=18 sgid=18 fsgid=18 ses=4294967295 tty=(none) comm=gpsd exe=/usr/sbin/gpsd subj=system_u:system_r:gpsd_t:s0-s0:c0.c1023 key=(null) Source Context system_u:system_r:gpsd_t:s0-s0:c0.c1023 Target Context system_u:system_r:gpsd_t:s0-s0:c0.c1023 Target Objects [ netlink_kobject_uevent_socket ] Source gpsd Source Path /usr/sbin/gpsd Port <Unknown> Host shalem.localdomain Source RPM Packages gpsd-3.9-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-44.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing ### Although libusb-1.2.0 is currently under development it is not unlikely that it will eventually come to Fedora-19 and its downstream(s) as an update, so it would be good to get this fixed in the selinux-policy for F-19+ Although the above 3 are the only 3 AVC-s which I'm seeing on my system, other apps using libusb1 may be running in a restricted too, I'm attaching a full list of all packages using libusb-1.x in Fedora.