121207 – gthumb unable to read USB devices with string SELinux policy

Bug 121207 - gthumb unable to read USB devices with string SELinux policy

Summary: gthumb unable to read USB devices with string SELinux policy

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-strict
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Russell Coker
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	133471
TreeView+	depends on / blocked

Reported:	2004-04-19 00:20 UTC by W. Michael Petullo
Modified:	2007-11-30 22:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-05-12 17:24:54 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description W. Michael Petullo 2004-04-19 00:20:25 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.6)
Gecko/20040312 Epiphany/1.1.12

Description of problem:
The digital camera application gtkam does not seem to want to play
nicely with SELinux.  Gtkam needs to access /proc/bus/usb because it
uses libusb.                                                         
                      

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Try to run gtkam as a user (user_u:user_r:user_t) with SELinux in
enforcing mode.
    

Actual Results:  When I try to run gtkam I get:
                                                                     
          
Apr 17 09:57:47 imp kernel: avc:  denied  { read } for  pid=3620
+exe=/usr/bin/gtkam dev= ino=724 scontext=user_u:user_r:user_t
+tcontext=system_u:object_r:usbfs_t tclass=dir
Apr 17 09:57:47 imp kernel:
Apr 17 09:57:47 imp kernel: avc:  denied  { search } for  pid=3620
+exe=/usr/bin/gtkam dev= ino=1 scontext=user_u:user_r:user_t
+tcontext=system_u:object_r:sysfs_t tclass=dir

Additional info:

Comment 1 Colin Walters 2004-04-19 14:45:41 UTC

I've added policy to support this, it will be in the next policy package.

Comment 2 W. Michael Petullo 2004-05-01 15:24:24 UTC

I tried policy-1.11.2-21 and still found that gtkam could not properly
open /proc/bus/usb devices.  It looks like gtkam needs write access to
these devices as well.  Adding the following line to
user_macros.te:full_user_role() fixes things (but may be too permissive):

allow $1_t usbfs_t:file write;

Comment 3 W. Michael Petullo 2004-05-03 00:52:59 UTC

The modifications are also required for USB scanners because these are
now accessed using libusb.

Comment 4 Daniel Walsh 2004-05-06 18:16:09 UTC

Added rules in policy-1.11.3-2

Comment 5 W. Michael Petullo 2004-05-29 04:00:21 UTC

It looks like I closed this bug prematurely.  The following keeps
gtkam from accessing my camera now:

May 28 22:56:32 imp kernel: audit(1085802992.308:0): avc:  denied  {
write } for  pid=4410 exe=/usr/bin/gtkam name=003 dev=usbfs ino=8806
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

Comment 6 Bas Mevissen 2004-06-02 22:44:18 UTC

This one actually managed to reproducably crash my computer. Camera is
a medion MD5319 and computer is Dell Inspiron 8500.

I've only installed the "EXAMPLE" policy. I need to do that because
otherwise I don't get the tools. (strange dependancy?).

But main problem is that I did not enable selinux on the kernel
command line, but got lots of selinux output...

(kernel 2.6.6-1.383 btw).

Comment 7 W. Michael Petullo 2004-07-17 03:58:57 UTC

Problem still exists with:

selinux-policy-strict-sources-1.15.5-2
selinux-policy-strict-1.15.5-2
policycoreutils-1.15.1-1
checkpolicy-1.14.1-1
libselinux-devel-1.15.1-1
libselinux-1.15.1-1

Comment 8 W. Michael Petullo 2004-10-03 23:15:44 UTC

Gtkam is gone, but gThumb does not like selinux-policy-strict either.
 I get the following when I ask gThumb to import pictures from my camera:

Oct  3 18:11:32 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t
tclass=dbus
Oct  3 18:11:41 imp kernel: ohci_hcd 0001:01:1b.1: wakeup
Oct  3 18:11:41 imp kernel: usb 3-1: new full speed USB device using
address 6
Oct  3 18:11:42 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:initrc_t
tclass=dbus
Oct  3 18:11:42 imp last message repeated 2 times
Oct  3 18:11:50 imp kernel: audit(1096845110.041:0): avc:  denied  {
write } for  pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file
Oct  3 18:11:50 imp kernel: audit(1096845110.152:0): avc:  denied  {
write } for  pid=8432 exe=/usr/bin/gthumb name=006 dev=usbfs ino=23212
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

gThumb pops up a window that states:

An error occurred in the io-library ('Could not claim the USB
device'): Could not clain interface 0 (Operation not permitted). Make
sure no other program or kernel module (e.g. dc2xx or stv6800) is
using the device and you have read/write access to the device.

Everything works fine is SELinux is not enforcing its strict policy.

Here are some relevant versions:

selinux-policy-strict-1.17.26-1
policycoreutils-1.17.5-6
checkpolicy-1.17.5-1
libselinux-1.17.13-3
gthumb-2.4.2-2

Comment 9 W. Michael Petullo 2004-10-21 02:35:53 UTC

Using:

selinux-policy-strict-1.17.30-2
policycoreutils-1.17.6-2
checkpolicy-1.17.5-1
libselinux-1.17.14-1
gthumb-2.4.2-2

I get:

Oct 20 21:36:54 imp kernel: ohci_hcd 0001:10:1b.1: wakeup
Oct 20 21:36:54 imp kernel: usb 3-1: new full speed USB device using
address 4
Oct 20 21:37:01 imp kernel: audit(1098326221.050:0): avc:  denied  {
write } for  pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs
ino=183950 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file
Oct 20 21:37:01 imp kernel: audit(1098326221.055:0): avc:  denied  {
write } for  pid=27789 exe=/usr/bin/gthumb name=004 dev=usbfs
ino=183950 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file

Importing photos fails because of this (works fine when SELinux is not
enforcing its policy).

Comment 10 W. Michael Petullo 2004-11-20 19:35:21 UTC

With selinux-policy-strict-1.19.3-1:

Nov 20 13:29:03 imp dbus: avc:  denied  { send_msg } for 
scontext=system_u:system_r:hald_t tcontext=system_u:system_r:hald_t
tclass=dbus
Nov 20 13:29:14 imp kernel: audit(1100978954.424:0): avc:  denied  {
read } for  pid=6707 exe=/usr/sbin/lockdev name=ld.so.cache dev=dm-0
ino=309782 scontext=user_u:user_r:user_lockdev_t
tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.425:0): avc:  denied  {
getattr } for  pid=6707 exe=/usr/sbin/lockdev path=/etc/ld.so.cache
dev=dm-0 ino=309782 scontext=user_u:user_r:user_lockdev_t
tcontext=root:object_r:etc_t tclass=file
Nov 20 13:29:14 imp kernel: audit(1100978954.824:0): avc:  denied  {
write } for  pid=6699 exe=/usr/bin/gthumb name=005 dev=usbfs ino=26430
scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t
tclass=file

This seems to fix this:

1.  allow hald_t hald_t:dbus send_msg;
2.  allow user_lockdev_t etc_t:file { read getattr };
3.  allow user_t usbfs_t:file write;

I'm not sure about rule 3.  It does work but it may be too permissive.

Comment 11 Johan Dahl 2004-12-13 22:35:39 UTC

I also found that gthumb fails to rotate picture located on a fat
filesystem. It moves the file to /tmp rotates it and writes it back.
But  the mv back fails with this. It seems to work then on file is
located on ext3

Dec 13 23:24:50 localhost kernel: audit(1102976690.391:0): avc: 
denied  { assoc iate } for  pid=4217 exe=/bin/mv name=pb210004.jpg
scontext=user_u:object_r:tmp_ t tcontext=system_u:object_r:dosfs_t
tclass=filesystem

Comment 12 Daniel Walsh 2005-05-12 17:24:54 UTC

Fixed in rawhide selinux-policy-targeted-1.24.14-2

Note You need to log in before you can comment on or make changes to this bug.