Bug 121545 - SELinux and Palm devices (with avc messages)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Assignee: Russell Coker
QA Contact: Ben Levenson
Reported: 2004-04-22 17:34 UTC by Dax Kelson
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: FC4
Doc Type: Bug Fix
Last Closed: 2005-09-06 04:28:20 UTC

Description Dax Kelson 2004-04-22 17:34:47 UTC
Description of problem:

I have a Treo 600 Palm OS 5.2 pda, cell phone, OGG/MP3/WMA player,
mobile email, and mobile ssh client.

When I plug it in, it shows up at /dev/usb/ttyUSB1

Many of the binaries from the pilot-link package want to read and
write to that character device file. For sure the pilot-xfer utility.

For example,

audit(1082445673.351:0): avc:  denied  { read write } for  pid=3647
exe=/usr/bin/pilot-xfer name=ttyUSB1 dev=hda8 ino=1210304
scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file

Additionally, I need to sync Evolution's calendar and address book
with my Treo. Evolution uses gnome-pilot and its gpilotd daemon to
communicate with Palm devices.

Currently this results in failure with the following avc message:

audit(1082445978.961:0): avc:  denied  { read write } for  pid=3735
exe=/usr/libexec/gpilotd name=ttyUSB1 dev=hda8 ino=1210304
scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file

Comment 1 Daniel Walsh 2004-04-22 21:12:56 UTC
Changed devices to usbtty_device_t and allowed users to r/w them.

Fixed in policy-1.11.2-18. Requires you to run

restorecon /dev/usb/*tty*

after the policy upgrade.



Comment 2 Dax Kelson 2004-04-26 19:22:21 UTC
I was able to test this last night.

You also need to allow 'getattr'.

audit(1082998593.843:0): avc:  denied  { getattr } for  pid=2983
exe=/usr/bin/pilot-xfer path=/dev/usb/ttyUSB1 dev=hda6 ino=700639
scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
 
[dkelson@mentor dkelson]$ ls -al /dev/usb/
?---------   ? ?    ?         ?            ? auer0
?---------   ? ?    ?         ?            ? auer1
?---------   ? ?    ?         ?            ? auer10
[snip]
?---------   ? ?    ?         ?            ? ttyUSB0
?---------   ? ?    ?         ?            ? ttyUSB1
?---------   ? ?    ?         ?            ? ttyUSB10
?---------   ? ?    ?         ?            ? ttyUSB11

[dkelson@mentor dkelson]$ pilot-xfer -p /dev/usb/ttyUSB1 -L
  
   Please check the permissions on /dev/usb/ttyUSB1..
   Possible solution:
  
        chmod 0666 /dev/usb/ttyUSB1
  
   Unable to bind to port: /dev/usb/ttyUSB1
   Please use --help for more information


Comment 3 Dax Kelson 2004-04-26 19:23:33 UTC
BTW, I suspect that CUPS is now unhappy because of this policy change.

When CUPS starts I get:

audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB6 dev=hda6 ino=700650
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB7 dev=hda6 ino=700651
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB8 dev=hda6 ino=700652
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
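
The denials quoted in this thread can be grouped by (source type, target type, class) to see which rule each one is asking for, much as audit2allow summarises an audit log. The Python below is an added example, not part of the bug report or of the SELinux tooling; its function names are hypothetical and the sample records are copied from the comments above.

```python
import re
from collections import defaultdict
# AVC denials copied from the comments above, hard-wrapped as they were pasted.
SAMPLE = """\
audit(1082445673.351:0): avc:  denied  { read write } for  pid=3647
exe=/usr/bin/pilot-xfer name=ttyUSB1 dev=hda8 ino=1210304
scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
audit(1082998593.843:0): avc:  denied  { getattr } for  pid=2983
exe=/usr/bin/pilot-xfer path=/dev/usb/ttyUSB1 dev=hda6 ino=700639
scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB6 dev=hda6 ino=700650
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                 r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def split_records(text):
    # Each record starts with "audit("; other non-blank lines continue it.
    records = []
    for line in text.splitlines():
        if line.startswith("audit("):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def missing_rules(text):
    # Map (source type, target type, class) -> set of denied permissions.
    rules = defaultdict(set)
    for rec in split_records(text):
        m = AVC.search(rec)
        if m:
            perms, scon, tcon, tclass = m.groups()
            # Contexts here are user:role:type; the type is the third field.
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            rules[key].update(perms.split())
    return rules

def render(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(render(missing_rules(SAMPLE))))
```

The user_t line against tty_device_t is the denial Comment 1 addressed by relabelling the device nodes to usbtty_device_t, and the cupsd_t line shows why a rule written for user_t does not cover the CUPS serial backend.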


Comment 4 Rahul Sundaram 2005-09-05 00:38:26 UTC

Is this fixed now?


Comment 5 Dax Kelson 2005-09-06 04:28:20 UTC
yes

