This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 140059 - Strict SELinux policy blocks new scanner permissions work
Strict SELinux policy blocks new scanner permissions work
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: 133471
  Show dependency treegraph
 
Reported: 2004-11-19 11:05 EST by W. Michael Petullo
Modified: 2007-11-30 17:10 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-19 14:28:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
AVC messages after attaching my USB scanner (4.26 KB, text/plain)
2006-04-05 21:51 EDT, W. Michael Petullo
no flags Details

  None (edit)
Description W. Michael Petullo 2004-11-19 11:05:23 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
The Linux hotplug subsystem now creates a symbolic link from
/dev/usb/scannerXXX to /proc/bus/usb/YYY/ZZZ.  The purpose of this is
to let pam_console set the permissions on the scanner device so that
users may use the scanner.

Currently, pam_console sets the appropriate Unix permissions on
/proc/bus/usb/YYY/ZZZ when SELinux is not running.  However, when
SELinux is enforcing Fedora's strict policy this does not work.

I don't yet have the associated AVC messages.  I hope to investigate
this matter more over the weekend and provide some more information. 
I did note that the link /dev/usb/scannerXXX had a context of
device_t.  I imagine this should be scanner_device_t.  I also noticed
that xdm.te has dontaudit statements for probes of /proc, so this may
be keeping some avc messages from being logged.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.19.1-11

How reproducible:
Always

Steps to Reproduce:
1.  Log in to a system with a USB scanner attached and SELinux NOT
enforcing its policy.

2.  Log in to a system with a USB scanner attached and SELinux
enforcing its policy.
    

Actual Results:  Following scenario one, the scanner was assigned
permissions allowing me to use it.

Following scenario two, the scanner was NOT assigned the appropriate
permissions.

Expected Results:  The scanner's permissions should be set correctly
regardless of the SELinux policy.

Additional info:
Comment 1 Daniel Walsh 2004-11-20 06:22:15 EST
Were you able to use the scanner even with the failure.  I have tried
a USB scanner and I have found it to work without writing the symlink.
xsane still found the device.  And hal/hotplug set the device to be
owned by the console user.
Comment 2 W. Michael Petullo 2004-11-20 12:12:23 EST
Here are the steps I took to get this procedure working with Fedora's
strict SELinux policy:

1.  Add the following line to /etc/hotplug/usb/libusbscanner, directly
following ``ln -sf "${DEVICE}" "${DEVDIR}/${DEVNAME}":'' ``chcon -h
system_u:object_r:scanner_device_t "${DEVDIR}/${DEVNAME}".''

2.  Add the following rules to allow permission changing when a user
logs in:

allow xdm_t scanner_device_t:lnk_file { read getattr };
allow xdm_t usbfs_t:file { getattr setattr };
allow xdm_t usbfs_t:dir search;
allow pam_console_t scanner_device_t:lnk_file { read getattr };
allow pam_console_t usbfs_t:file { getattr setattr };
allow pam_console_t usbfs_t:dir search;
allow local_login_t scanner_device_t:lnk_file { read getattr };
allow local_login_t usbfs_t:file { getattr setattr };
allow local_login_t usbfs_t:dir search;

3.  Add the following rules to allow the creation/unlink of the
/dev/usb/scanner-???:??? link in the first place:

allow hotplug_t scanner_device_t:lnk_file unlink;
allow hotplug_t scanner_device_t:lnk_file relabelto;

4.  Allow scanimage to manipulate scanner.  Currently I get:
Nov 20 11:12:45 imp kernel: audit(1100970765.086:0): avc:  denied  {
read } for  pid=7932 exe=/usr/bin/scanimage name=scanner-002:017
dev=tmpfs ino=20209 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:scanner_device_t tclass=lnk_file
Nov 20 11:12:45 imp kernel: audit(1100970765.087:0): avc:  denied  {
write } for  pid=7932 exe=/usr/bin/scanimage name=017 dev=usbfs
ino=20136 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:usbfs_t tclass=file

I would rather add a rule like "/dev/usb/scanner-???:???  -l 
system_u:object_r:scanner_device_t" and use restorecon in step one. 
But I can't figure out how to get restorecon to relabel symbolic
links.  Restorecon /dev/usb/scanner-002:012 says "Warning!
/dev/usb/scanner-002:017 refers to a symbolic link, not following last
component."

I don't quite understand the question posed in comment #1.  If the
link is not created then how does pam_console change the permissions
on /proc/bus/usb/...?  Did you plug the scanner in while you were
already logged in (that's cheating)?
Comment 3 Daniel Walsh 2004-11-22 14:36:06 EST
I am seeing none of this and mine just works.  
I have tried to plug in the scanner while logged in and it works, I
have plugged it in while logged out then logged in and it works.  I am
seeing no AVC messages.  And pam_console is not trying to do anything
with /dev/usb, which doesn't even exist on my machine.

What version of hotplug are you using?

rpm -q hotplug udev
hotplug-2004_04_01-6
hotplug-2004_04_01-8
udev-039-10.FC3.2


Dan
Comment 4 W. Michael Petullo 2004-11-22 15:00:16 EST
Dan: I'm sorry, but for some reason I thought you had been following
bug #121511, "extend console.perms to cover /proc/bus/usb/*."

I will have to check my version numbers after work.  What are the
permissions on the node in for you scanner in /proc/bus/usb/???/??? ?
 Is your scanner application suid root?  I am confused because if you
look at bug #121511 you will see that most people's scanner device is
owned by root and not writable by non-root users.  Because of this,
pam_console must set the scanner's permissions.  This is what is being
blocked by SELinux.

I think the code that fixed bug #121511 was added to
sane-backends-1.0.15-2 and hotplug-2004_04_01-10.
Comment 5 Daniel Walsh 2004-11-22 15:23:12 EST
I am seeing /proc/bus/usb/*.* owned by dwalsh, after it is plugged in.
 It is being set by udev/hotplug.  (Although I have not been able to
track down where.)  I am doing this on FC3  not rawhide.  So this
might be something new

rpm -q sane-backends
sane-backends-1.0.14-6

Comment 6 W. Michael Petullo 2004-11-22 15:33:18 EST
Right.  This is post-FC3 stuff (bug's Version field is devel).  See
bug #121511 for what needs fixing and how it is being fixed.
Comment 7 Tim Waugh 2004-11-23 05:15:03 EST
Daniel: um, now I'm really confused -- I *know* that it doesn't work properly in
FC3 to have the scanner connected before logging in!  You say "owned by dwalsh,
after it is plugged in" -- the case we are looking at is where the scanner is
continuously connected from boot.  In that instance, I'm quite amazed to hear
that it works for you, since it doesn't work for anyone else (unless you happen
to have a multifunction device driven by hpoj, in which case it's all different).

The place where /proc/bus/usb/* gets ownership set is
/etc/hotplug/usb/libusbscanner, but the version shipped in FC3 certainly does
not cope with a continuously connected scanner.  It gets run once, before log
in, and does the chown there and then.
Comment 8 Daniel Walsh 2004-11-23 09:46:41 EST
Your right, I just tried it again and it does fail. 

Sorry,  
Comment 9 Daniel Walsh 2004-12-10 13:37:28 EST
This should be fixed in sane-backend-1.0.15-8
Comment 10 W. Michael Petullo 2004-12-12 19:53:01 EST
I'm using sane-backends-1.0.15-8 and this does NOT seem to be fixed. 
The scanner device's permissions are set when I log in with SELinux
not enforcing its policy.  However, then I log in with Fedora's strict
policy being enforced, the ownership is not set.  In the latter case,
the device continues to be owned by root.

sane-backends-1.0.15-8
selinux-policy-strict-1.19.12-2
Comment 11 Tim Waugh 2005-01-11 05:14:36 EST
Is this all working now?
Comment 12 W. Michael Petullo 2005-01-12 22:12:11 EST
I'm still having the same problem with selinux-policy-strict-1.20.1-3.
 I don't see any AVC messages, though.  The scanner device's
permissions are set correctly when SELinux is off and not set when
SELinux is on.
Comment 13 W. Michael Petullo 2006-04-04 19:23:00 EDT
Using Fedora Core 5, the SELinux policy still seems to cause pam_console_app to
fail.  As a result, the permissions on a scanner that is plugged in AFTER a user
has logged in will not be set properly.  This is true of BOTH the strict and
targeted policy.  Everything works when SELinux is not enforcing its policy.
Comment 14 Daniel Walsh 2006-04-05 08:41:32 EDT
What avc's are you seeing?  
Comment 15 W. Michael Petullo 2006-04-05 21:51:25 EDT
Created attachment 127384 [details]
AVC messages after attaching my USB scanner

After looking at the AVC messages, I suspect that this may be because I am
using LDAP and accessing it over TLS.  I think the SELinux policy should be
fixed to support this.
Comment 16 Daniel Walsh 2006-04-14 09:26:56 EDT
fixed in selinux-policy-2.2.32-1.FC5.
Comment 17 W. Michael Petullo 2006-04-19 14:28:30 EDT
I can confirm that this is fixed in the targeted policy.  I have not tried the
strict policy.

Note You need to log in before you can comment on or make changes to this bug.