From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114

Description of problem:
Running in enforcing mode XFree86 fails to start using the synaptics driver (http://w1.894.telia.com/~u89404340/touchpad/) which takes raw events from /dev/input/eventN - dmesg snippet:

avc: denied { read } for pid=2028 exe=/usr/X11R6/bin/XFree86 name=event17 dev=hda5 ino=1296402 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
avc: denied { read } for pid=2028 exe=/usr/X11R6/bin/XFree86 name=event18 dev=hda5 ino=1296403 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file

XFree86.0.log:

MouseS no synaptics event device found
(**) Option "Device" "/dev/input/mice"
Query no Synaptics: 6003C8
(EE) MouseS no synaptics touchpad detected and no repeater device
(EE) MouseS Unable to query/initialize Synaptics hardware.
(EE) PreInit failed for input device "MouseS"
(II) UnloadModule: "synaptics"
(II) Keyboard "Keyboard0" handled by legacy driver
(**) Option "Protocol" "IMPS/2"
(**) DevInputMice: Protocol: "IMPS/2"
(**) Option "AlwaysCore"
(**) DevInputMice: always reports core events
(**) Option "Device" "/dev/input/mice"
(**) Option "Emulate3Buttons" "no"
(**) Option "ZAxisMapping" "4 5"
(**) DevInputMice: ZAxisMapping: buttons 4 and 5
(**) DevInputMice: Buttons: 5
(WW) No core pointer registered
(II) XINPUT: Adding extended input device "DevInputMice" (type: MOUSE)
(II) DevInputMice: ps2EnableDataReporting: succeeded
No core pointer

Version-Release number of selected component (if applicable):
policy-1.6.16

How reproducible:
Always

Steps to Reproduce:
1. run in enforcing mode (I used setenforce 1)
2. startx on machine using synaptics driver

Actual Results: Fails with above logs

Expected Results: XFree86 starts

Additional info:
Added
/u?dev/input/.*event.* -c system_u:object_r:mouse_device_t
to file_contexts/types.fc and make relabel fixes.
However, as event devices can be any kind of input device, it might make sense to have an event_device_t instead.
Note that gpm also has this problem if the evdev driver is used in gpm (which is included in the default distro, BTW). I would also like to see this problem fixed.
Is this fixed by policy-1.9-1?
No. In policy-1.9-3, the event devices are still not marked as anything special and I see:

audit(1079743662.488:0): avc: denied { read } for pid=24211 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1079743662.488:0): avc: denied { ioctl } for pid=24211 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1079743662.489:0): avc: denied { write } for pid=24211 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file
audit(1079743662.618:0): avc: denied { getattr } for pid=24211 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file

I see that policy-1.9-3 has an event_device_t type. But if I manually add

/u?dev/input/.*event.* -c system_u:object_r:event_device_t

then X still is not allowed to access them:

audit(1079743543.522:0): avc: denied { read } for pid=23815 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743543.522:0): avc: denied { ioctl } for pid=23815 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743543.522:0): avc: denied { write } for pid=23815 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743546.735:0): avc: denied { getattr } for pid=23815 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743629.754:0): avc: denied { read } for pid=24005 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
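The two comments above show the two halves of the fix: labelling the event nodes as event_device_t (a file_contexts entry plus relabel) and then granting xdm_xserver_t the chr_file permissions the AVC messages list. The script below is an added example, not part of the bug report or of the policy package: it turns AVC "denied" lines into the minimal allow rules, merging permissions per (source type, target type, class) the way audit2allow does, and flags any denial whose target is the generic device_t, because that is the "unlabeled node" case where the right fix is a file_contexts entry rather than an allow rule. The sample lines are constructed from the AVC output quoted in this bug.

```shell
#!/bin/sh
# Constructed sample: AVC lines in the two formats seen in this bug
# (with and without the audit(...) prefix).
SAMPLE_AVC='audit(1079743543.522:0): avc: denied { read } for pid=23815 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743543.522:0): avc: denied { ioctl } for pid=23815 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743543.522:0): avc: denied { write } for pid=23815 exe=/usr/X11R6/bin/XFree86 name=event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
audit(1079743546.735:0): avc: denied { getattr } for pid=23815 exe=/usr/X11R6/bin/XFree86 path=/dev/input/event0 dev=hda2 ino=4219044 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:event_device_t tclass=chr_file
avc: denied { read } for pid=2028 exe=/usr/X11R6/bin/XFree86 name=event17 dev=hda5 ino=1296402 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:device_t tclass=chr_file'

# avc_to_allow: read AVC "denied" lines on stdin and print one TE allow
# rule per (source type, target type, object class), with the union of
# the denied permissions. Denials against the generic device_t type are
# printed commented out: that target means the node was never labelled,
# so it needs a file_contexts entry and a relabel, not an allow rule.
avc_to_allow() {
    awk '
    /avc: +denied +\{/ {
        s = ""; t = ""; c = ""; perms = ""
        # permissions are the words between "{" and "}"
        if (match($0, /\{[^}]*\}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if (sub(/^scontext=/, "", $i))      s = $i
            else if (sub(/^tcontext=/, "", $i)) t = $i
            else if (sub(/^tclass=/, "", $i))   c = $i
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        # contexts are user:role:type[:range]; rules only need the type
        split(s, sa, ":"); split(t, ta, ":")
        key = sa[3] SUBSEP ta[3] SUBSEP c
        if (!(key in seen)) { keys[++nkeys] = key; seen[key] = "" }
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (p[j] != "" && index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            split(keys[k], f, SUBSEP)
            rule = sprintf("allow %s %s:%s { %s };", f[1], f[2], f[3], seen[keys[k]])
            if (f[2] == "device_t")
                printf("# %s  <- target is generic device_t: add a file_contexts entry and relabel instead\n", rule)
            else
                print rule
        }
    }'
}

# Usage: feed /var/log/messages or dmesg output into avc_to_allow.
# With the constructed sample this prints the rule the event_device_t
# comment above is missing, plus the commented-out device_t denial.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Review the generated rules before adding them to a policy: an allow rule is only correct when the target type is the one the object is meant to carry, which is why the script refuses to turn a device_t denial into a rule.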
Fixed with policy-sources-1.9.1-2