Bug 121545 - SELinux and Palm devices (with avc messages)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: policy
rawhide
All Linux
medium Severity medium
Assigned To: Russell Coker
Ben Levenson
Reported: 2004-04-22 13:34 EDT by Dax Kelson
Modified: 2007-11-30 17:10 EST
Fixed In Version: FC4
Doc Type: Bug Fix
Last Closed: 2005-09-06 00:28:20 EDT


Description Dax Kelson 2004-04-22 13:34:47 EDT
Description of problem:

I have a Treo 600 Palm OS 5.2 PDA, cell phone, OGG/MP3/WMA player,
mobile email, and mobile ssh client.

When I plug it in, it shows up at /dev/usb/ttyUSB1

Many of the binaries from the pilot-link package want to read and
write to that character device file. For sure the pilot-xfer utility.

For example,

audit(1082445673.351:0): avc:  denied  { read write } for  pid=3647
exe=/usr/bin/pilot-xfer name=ttyUSB1 dev=hda8 ino=1210304
scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file

Additionally, I need to sync Evolution's calendar and address book
with my Treo. Evolution uses gnome-pilot and its gpilotd daemon to
communicate with Palm devices.

Currently this results in failure with the following avc message:

audit(1082445978.961:0): avc:  denied  { read write } for  pid=3735
exe=/usr/libexec/gpilotd name=ttyUSB1 dev=hda8 ino=1210304
scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file

Comment 1 Daniel Walsh 2004-04-22 17:12:56 EDT
Changed devices to usbtty_device_t and allowed users to r/w them.

Fixed in policy-1.11.2-18. Requires you to run

restorecon /dev/usb/*tty*

after the policy upgrade.

Comment 2 Dax Kelson 2004-04-26 15:22:21 EDT
I was able to test this last night.

You also need to allow 'getattr'.

audit(1082998593.843:0): avc:  denied  { getattr } for  pid=2983
exe=/usr/bin/pilot-xfer path=/dev/usb/ttyUSB1 dev=hda6 ino=700639
scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
 
[dkelson@mentor dkelson]$ ls -al /dev/usb/
?---------   ? ?    ?         ?            ? auer0
?---------   ? ?    ?         ?            ? auer1
?---------   ? ?    ?         ?            ? auer10
[snip]
?---------   ? ?    ?         ?            ? ttyUSB0
?---------   ? ?    ?         ?            ? ttyUSB1
?---------   ? ?    ?         ?            ? ttyUSB10
?---------   ? ?    ?         ?            ? ttyUSB11

[dkelson@mentor dkelson]$ pilot-xfer -p /dev/usb/ttyUSB1 -L
  
   Please check the permissions on /dev/usb/ttyUSB1..
   Possible solution:
  
        chmod 0666 /dev/usb/ttyUSB1
  
   Unable to bind to port: /dev/usb/ttyUSB1
   Please use --help for more information

Comment 3 Dax Kelson 2004-04-26 15:23:33 EDT
BTW, I suspect that CUPS is now unhappy because of this policy change.

When CUPS starts I get:

audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB6 dev=hda6 ino=700650
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB7 dev=hda6 ino=700651
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557
exe=/usr/lib/cups/backend/serial name=ttyUSB8 dev=hda6 ino=700652
scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:usbtty_device_t tclass=chr_file

Comment 4 Rahul Sundaram 2005-09-04 20:38:26 EDT
Is this fixed now?

Comment 5 Dax Kelson 2005-09-06 00:28:20 EDT
yes
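
Added example, not part of the original bug thread or of any Fedora policy tooling: a small triage script that parses AVC denials like the ones quoted in this report and groups them by source type, target type and object class, so the missing permissions (read/write, then getattr, then the cupsd_t write) show up as one line per policy decision. The sample log is the report's own messages joined onto single lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# Denials quoted in the report above, each joined onto a single line.
SAMPLE_LOG = """\
audit(1082445673.351:0): avc:  denied  { read write } for  pid=3647 exe=/usr/bin/pilot-xfer name=ttyUSB1 dev=hda8 ino=1210304 scontext=user_u:user_r:user_t tcontext=system_u:object_r:tty_device_t tclass=chr_file
audit(1082998593.843:0): avc:  denied  { getattr } for  pid=2983 exe=/usr/bin/pilot-xfer path=/dev/usb/ttyUSB1 dev=hda6 ino=700639 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557 exe=/usr/lib/cups/backend/serial name=ttyUSB6 dev=hda6 ino=700650 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
audit(1082997701.658:0): avc:  denied  { write } for  pid=1557 exe=/usr/lib/cups/backend/serial name=ttyUSB7 dev=hda6 ino=700651 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usbtty_device_t tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict; None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record, nothing to group on
    rec["perms"] = m.group(1).split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec if rec["stype"] and rec["ttype"] else None

def summarize(log):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "exes": set()})
    for rec in filter(None, map(parse_avc, log.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["exes"].add(rec.get("exe", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} via {sorted(g['exes'])}")
```

Each output line is a question for the policy maintainer (relabel the device, grant the permission, or leave it denied), not a rule to apply automatically.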
