Bug 1190349 - SELinux is preventing /usr/bin/brltty from ioctl access on the chr_file /dev/bus/usb/002/004.
Summary: SELinux is preventing /usr/bin/brltty from ioctl access on the chr_file /dev/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: brltty
Version: 21
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-02-07 13:50 UTC by Anthony Poncet
Modified: 2015-04-08 08:54 UTC

Fixed In Version: selinux-policy-3.13.1-105.6.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-21 04:50:17 UTC
Type: Bug
Embargoed:


Description Anthony Poncet 2015-02-07 13:50:05 UTC
Description of problem:
When I use brltty with my Esys 40, I see this error. Brltty doesn't stop, but this error always reappears.


Version-Release number of selected component (if applicable):
Brltty : 5.2
BrlAPI Server : 0.6.3

How reproducible:
Just enable and start brltty with sudo systemctl enable brltty.service && sudo systemctl start brltty.service.


Steps to Reproduce:
1. Enable and start brltty.
2. Use with orca.
3.

Actual results:
No crash, but this alert.


Expected results:


Additional info:
Message from the SELinux log:
SELinux is preventing /usr/bin/brltty from ioctl access on the chr_file /dev/bus/usb/002/004.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que brltty devrait être autorisé à accéder ioctl sur 004 chr_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep brltty /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:brltty_t:s0
Target Context                system_u:object_r:usb_device_t:s0
Target Objects                /dev/bus/usb/002/004 [ chr_file ]
Source                        brltty
Source Path                   /usr/bin/brltty
Port                          <Unknown>
Host                          host.local
Source RPM Packages           brltty-5.2-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.1.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.local
Platform                      Linux host.local 3.18.5-201.fc21.x86_64 #1
                              SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
Alert Count                   21
First Seen                    2015-02-07 11:13:45 CET
Last Seen                     2015-02-07 14:27:00 CET
Local ID                      ce120dd7-f0f7-43bf-a52f-405e9d8cc5ad

Raw Audit Messages
type=AVC msg=audit(1423315620.838:2624): avc:  denied  { ioctl } for  pid=759 comm="brltty" path="/dev/bus/usb/002/004" dev="devtmpfs" ino=9922 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1


type=SYSCALL msg=audit(1423315620.838:2624): arch=x86_64 syscall=ioctl success=yes exit=0 a0=a a1=8038550a a2=efe680 a3=c items=0 ppid=1 pid=759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=brltty exe=/usr/bin/brltty subj=system_u:system_r:brltty_t:s0 key=(null)

Hash: brltty,brltty_t,usb_device_t,chr_file,ioctl

Comment 1 Jaroslav Škarvada 2015-02-08 10:16:40 UTC
I think it needs selinux rule, reassigning.

Comment 2 Lukas Vrabec 2015-02-10 12:55:51 UTC
commit bc59934cf1049c5953a3ac1ee2f76dcc055f07cf
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 10 13:55:10 2015 +0100

    Allow brltty ioctl on usb_device_t. BZ(1190349)

Comment 3 Fedora Update System 2015-02-25 20:12:56 UTC
selinux-policy-3.13.1-105.5.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.5.fc21

Comment 4 Fedora Update System 2015-02-27 09:25:10 UTC
Package selinux-policy-3.13.1-105.5.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.5.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2733/selinux-policy-3.13.1-105.5.fc21
then log in and leave karma (feedback).

Comment 5 Anthony Poncet 2015-02-27 11:51:36 UTC
I'm testing, but I had other errors:
"SELinux is preventing /usr/bin/brltty from ioctl access on the chr_file /dev/uinput.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que brltty devrait être autorisé à accéder ioctl sur uinput chr_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep brltty /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:brltty_t:s0
Target Context                system_u:object_r:event_device_t:s0
Target Objects                /dev/uinput [ chr_file ]
Source                        brltty
Source Path                   /usr/bin/brltty
Port                          <Unknown>
Host                          host.local
Source RPM Packages           brltty-5.2-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.5.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.local
Platform                      Linux host.local 3.18.7-200.fc21.x86_64 #1
                              SMP Wed Feb 11 21:53:17 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-27 12:24:00 CET
Last Seen                     2015-02-27 12:24:00 CET
Local ID                      8e0bdd65-c533-47ca-98d4-9d3bda08b134

Raw Audit Messages
type=AVC msg=audit(1425036240.75:138705): avc:  denied  { ioctl } for  pid=15302 comm="brltty" path="/dev/uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1


type=SYSCALL msg=audit(1425036240.75:138705): arch=x86_64 syscall=ioctl success=yes exit=0 a0=14 a1=4008556c a2=7fff98e73d50 a3=0 items=0 ppid=1 pid=15302 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=brltty exe=/usr/bin/brltty subj=system_u:system_r:brltty_t:s0 key=(null)

Hash: brltty,brltty_t,event_device_t,chr_file,ioctl
"
"SELinux is preventing /usr/bin/brltty from write access on the chr_file uinput.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que brltty devrait être autorisé à accéder write sur uinput chr_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep brltty /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:brltty_t:s0
Target Context                system_u:object_r:event_device_t:s0
Target Objects                uinput [ chr_file ]
Source                        brltty
Source Path                   /usr/bin/brltty
Port                          <Unknown>
Host                          host.local
Source RPM Packages           brltty-5.2-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.5.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.local
Platform                      Linux host.local 3.18.7-200.fc21.x86_64 #1
                              SMP Wed Feb 11 21:53:17 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-27 12:24:00 CET
Last Seen                     2015-02-27 12:24:00 CET
Local ID                      688a67d9-29d1-44c8-b017-466e1064735a

Raw Audit Messages
type=AVC msg=audit(1425036240.75:138703): avc:  denied  { write } for  pid=15302 comm="brltty" name="uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1


type=AVC msg=audit(1425036240.75:138703): avc:  denied  { open } for  pid=15302 comm="brltty" path="/dev/uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1


type=SYSCALL msg=audit(1425036240.75:138703): arch=x86_64 syscall=open success=yes exit=ENOTDIR a0=8bd040 a1=1 a2=1 a3=20 items=0 ppid=1 pid=15302 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=brltty exe=/usr/bin/brltty subj=system_u:system_r:brltty_t:s0 key=(null)

Hash: brltty,brltty_t,event_device_t,chr_file,write
"


Thanks.

Comment 6 Lukas Vrabec 2015-02-27 11:54:07 UTC
Hi,
Is this also needed?

Comment 7 Anthony Poncet 2015-02-27 12:11:14 UTC
Hi,
I don't know; I think it may be for accessing the braille keyboard (but I don't use it).
I'm just a user of brltty; I don't know if brltty really needs it.

Is there a brltty developer around?

Comment 8 Jaroslav Škarvada 2015-02-27 14:26:34 UTC
(In reply to Lukas Vrabec from comment #6)
> Hi,
> Is this also needed?

The uinput interface is used for input event injection, so brltty also needs R/W access to /dev/uinput. Also, if the uinput kernel module is not loaded (afaik that is the default in Fedora), it tries to modprobe it itself.

Comment 9 Lukas Vrabec 2015-02-27 16:18:50 UTC
Thank you Jaroslav, I'll add rules.

Comment 10 Lukas Vrabec 2015-02-27 16:23:22 UTC
commit e9cd25c954769046f005824513bea68038d7f7b2
Author: Lukas Vrabec <lvrabec>
Date:   Fri Feb 27 17:21:51 2015 +0100

    Allow brltty rw event device. BZ(1190349)
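
Added example, not part of the original bug thread or of the selinux-policy change: it groups the denials quoted in the description and comment 5 into allow-rule syntax, so the requested access can be reviewed before loading a blanket `audit2allow -M mypol` module, and decodes the ioctl request number from each matching SYSCALL record. Function names are this example's own; the sample records are copied from this page with the uid/gid fields of the SYSCALL lines trimmed.

```python
import re
from collections import defaultdict
# Audit records from this report; uid/gid and similar SYSCALL fields are trimmed.
SAMPLE = """\
type=AVC msg=audit(1423315620.838:2624): avc:  denied  { ioctl } for  pid=759 comm="brltty" path="/dev/bus/usb/002/004" dev="devtmpfs" ino=9922 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1423315620.838:2624): arch=x86_64 syscall=ioctl success=yes exit=0 a0=a a1=8038550a a2=efe680 a3=c items=0 ppid=1 pid=759 comm=brltty exe=/usr/bin/brltty
type=AVC msg=audit(1425036240.75:138705): avc:  denied  { ioctl } for  pid=15302 comm="brltty" path="/dev/uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1425036240.75:138705): arch=x86_64 syscall=ioctl success=yes exit=0 a0=14 a1=4008556c a2=7fff98e73d50 a3=0 items=0 ppid=1 pid=15302 comm=brltty exe=/usr/bin/brltty
type=AVC msg=audit(1425036240.75:138703): avc:  denied  { write } for  pid=15302 comm="brltty" name="uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1425036240.75:138703): avc:  denied  { open } for  pid=15302 comm="brltty" path="/dev/uinput" dev="devtmpfs" ino=11932 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
"""

AVC = re.compile(r"type=AVC msg=audit\(([\d.]+:\d+)\): avc:\s+denied\s+\{ ([^}]+) \}.*?"
                 r"scontext=\w+:\w+:(\w+):\S+ tcontext=\w+:\w+:(\w+):\S+ "
                 r"tclass=(\w+) permissive=(\d)")
SYSCALL = re.compile(r"type=SYSCALL msg=audit\(([\d.]+:\d+)\):.*?syscall=ioctl.*? a1=([0-9a-f]+)")

def decode_ioctl(req):
    """Split an ioctl request number into its _IOC fields (x86/x86_64 bit layout)."""
    direction = ("none", "write", "read", "read/write")[(req >> 30) & 3]
    return {"dir": direction, "size": (req >> 16) & 0x3FFF,
            "type": chr((req >> 8) & 0xFF), "nr": req & 0xFF}

def summarize(log):
    """Return (rules, ioctls, logged_only) for the AVC/SYSCALL records in log."""
    rules = defaultdict(set)   # (source type, target type, class) -> permissions
    ioctls = {}                # audit event id -> decoded ioctl request
    logged_only = True         # stays True if every denial carried permissive=1
    for line in log.splitlines():
        if m := AVC.search(line):
            _event, perms, src, tgt, cls, permissive = m.groups()
            rules[(src, tgt, cls)].update(perms.split())
            logged_only = logged_only and permissive == "1"
        elif m := SYSCALL.search(line):
            ioctls[m.group(1)] = decode_ioctl(int(m.group(2), 16))
    return dict(rules), ioctls, logged_only

def allow_rules(rules):
    """Render the grouped denials in allow-rule syntax for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    rules, ioctls, logged_only = summarize(SAMPLE)
    print("\n".join(allow_rules(rules)), ioctls, logged_only, sep="\n")
```

Every record here carries permissive=1 and the paired syscalls report success=yes, so these accesses were logged rather than blocked. Both decoded requests have type 'U': number 10 with a 56-byte argument on the USB node and number 108 with an 8-byte argument on /dev/uinput, which correspond to USBDEVFS_SUBMITURB and UI_SET_PHYS in the kernel headers.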

Comment 11 Fedora Update System 2015-03-06 22:28:14 UTC
selinux-policy-3.13.1-105.6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.6.fc21

Comment 12 Fedora Update System 2015-03-09 08:33:56 UTC
Package selinux-policy-3.13.1-105.6.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.6.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-3476/selinux-policy-3.13.1-105.6.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-03-21 04:50:17 UTC
selinux-policy-3.13.1-105.6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Anthony Poncet 2015-04-04 14:52:31 UTC
Now I have another error (when I started Orca):
"SELinux is preventing /usr/bin/brltty (deleted) from accept access on the tcp_socket port None."

Comment 15 Jaroslav Škarvada 2015-04-07 07:42:51 UTC
(In reply to Anthony Poncet from comment #14)
> Now I have another error (when I started Orca):
> "SELinux is preventing /usr/bin/brltty (deleted) from accept access on the
> tcp_socket port None."

Strange, could you try restarting brltty?

Comment 16 Anthony Poncet 2015-04-08 07:24:11 UTC
I restarted brltty and Orca, and this message appeared when I restarted or started Orca (when Orca is connecting to brltty).

Comment 17 Jaroslav Škarvada 2015-04-08 08:54:57 UTC
If you can reproduce it, please open a separate bugzilla.

