From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Description of problem: The Linux hotplug subsystem now creates a symbolic link from /dev/usb/scannerXXX to /proc/bus/usb/YYY/ZZZ. The purpose of this is to let pam_console set the permissions on the scanner device so that users may use the scanner. Currently, pam_console sets the appropriate Unix permissions on /proc/bus/usb/YYY/ZZZ when SELinux is not running. However, when SELinux is enforcing Fedora's strict policy this does not work. I don't yet have the associated AVC messages. I hope to investigate this matter more over the weekend and provide some more information. I did note that the link /dev/usb/scannerXXX had a context of device_t. I imagine this should be scanner_device_t. I also noticed that xdm.te has dontaudit statements for probes of /proc, so this may be keeping some avc messages from being logged. Version-Release number of selected component (if applicable): selinux-policy-strict-1.19.1-11 How reproducible: Always Steps to Reproduce: 1. Log in to a system with a USB scanner attached and SELinux NOT enforcing its policy. 2. Log in to a system with a USB scanner attached and SELinux enforcing its policy. Actual Results: Following scenario one, the scanner was assigned permissions allowing me to use it. Following scenario two, the scanner was NOT assigned the appropriate permissions. Expected Results: The scanner's permissions should be set correctly regardless of the SELinux policy. Additional info:
Were you able to use the scanner even with the failure. I have tried a USB scanner and I have found it to work without writing the symlink. xsane still found the device. And hal/hotplug set the device to be owned by the console user.
Here are the steps I took to get this procedure working with Fedora's strict SELinux policy: 1. Add the following line to /etc/hotplug/usb/libusbscanner, directly following ``ln -sf "${DEVICE}" "${DEVDIR}/${DEVNAME}":'' ``chcon -h system_u:object_r:scanner_device_t "${DEVDIR}/${DEVNAME}".'' 2. Add the following rules to allow permission changing when a user logs in: allow xdm_t scanner_device_t:lnk_file { read getattr }; allow xdm_t usbfs_t:file { getattr setattr }; allow xdm_t usbfs_t:dir search; allow pam_console_t scanner_device_t:lnk_file { read getattr }; allow pam_console_t usbfs_t:file { getattr setattr }; allow pam_console_t usbfs_t:dir search; allow local_login_t scanner_device_t:lnk_file { read getattr }; allow local_login_t usbfs_t:file { getattr setattr }; allow local_login_t usbfs_t:dir search; 3. Add the following rules to allow the creation/unlink of the /dev/usb/scanner-???:??? link in the first place: allow hotplug_t scanner_device_t:lnk_file unlink; allow hotplug_t scanner_device_t:lnk_file relabelto; 4. Allow scanimage to manipulate scanner. Currently I get: Nov 20 11:12:45 imp kernel: audit(1100970765.086:0): avc: denied { read } for pid=7932 exe=/usr/bin/scanimage name=scanner-002:017 dev=tmpfs ino=20209 scontext=user_u:user_r:user_t tcontext=system_u:object_r:scanner_device_t tclass=lnk_file Nov 20 11:12:45 imp kernel: audit(1100970765.087:0): avc: denied { write } for pid=7932 exe=/usr/bin/scanimage name=017 dev=usbfs ino=20136 scontext=user_u:user_r:user_t tcontext=system_u:object_r:usbfs_t tclass=file I would rather add a rule like "/dev/usb/scanner-???:??? -l system_u:object_r:scanner_device_t" and use restorecon in step one. But I can't figure out how to get restorecon to relabel symbolic links. Restorecon /dev/usb/scanner-002:012 says "Warning! /dev/usb/scanner-002:017 refers to a symbolic link, not following last component." I don't quite understand the question posed in comment #1. If the link is not created then how does pam_console change the permissions on /proc/bus/usb/...? Did you plug the scanner in while you were already logged in (that's cheating)?
I am seeing none of this and mine just works. I have tried to plug in the scanner while logged in and it works, I have plugged it in while logged out then logged in and it works. I am seeing no AVC messages. And pam_console is not trying to do anything with /dev/usb, which doesn't even exist on my machine. What version of hotplug are you using? rpm -q hotplug udev hotplug-2004_04_01-6 hotplug-2004_04_01-8 udev-039-10.FC3.2 Dan
Dan: I'm sorry, but for some reason I thought you had been following bug #121511, "extend console.perms to cover /proc/bus/usb/*." I will have to check my version numbers after work. What are the permissions on the node in for you scanner in /proc/bus/usb/???/??? ? Is your scanner application suid root? I am confused because if you look at bug #121511 you will see that most people's scanner device is owned by root and not writable by non-root users. Because of this, pam_console must set the scanner's permissions. This is what is being blocked by SELinux. I think the code that fixed bug #121511 was added to sane-backends-1.0.15-2 and hotplug-2004_04_01-10.
I am seeing /proc/bus/usb/*.* owned by dwalsh, after it is plugged in. It is being set by udev/hotplug. (Although I have not been able to track down where.) I am doing this on FC3 not rawhide. So this might be something new rpm -q sane-backends sane-backends-1.0.14-6
Right. This is post-FC3 stuff (bug's Version field is devel). See bug #121511 for what needs fixing and how it is being fixed.
Daniel: um, now I'm really confused -- I *know* that it doesn't work properly in FC3 to have the scanner connected before logging in! You say "owned by dwalsh, after it is plugged in" -- the case we are looking at is where the scanner is continuously connected from boot. In that instance, I'm quite amazed to hear that it works for you, since it doesn't work for anyone else (unless you happen to have a multifunction device driven by hpoj, in which case it's all different). The place where /proc/bus/usb/* gets ownership set is /etc/hotplug/usb/libusbscanner, but the version shipped in FC3 certainly does not cope with a continuously connected scanner. It gets run once, before log in, and does the chown there and then.
Your right, I just tried it again and it does fail. Sorry,
This should be fixed in sane-backend-1.0.15-8
I'm using sane-backends-1.0.15-8 and this does NOT seem to be fixed. The scanner device's permissions are set when I log in with SELinux not enforcing its policy. However, then I log in with Fedora's strict policy being enforced, the ownership is not set. In the latter case, the device continues to be owned by root. sane-backends-1.0.15-8 selinux-policy-strict-1.19.12-2
Is this all working now?
I'm still having the same problem with selinux-policy-strict-1.20.1-3. I don't see any AVC messages, though. The scanner device's permissions are set correctly when SELinux is off and not set when SELinux is on.
Using Fedora Core 5, the SELinux policy still seems to cause pam_console_app to fail. As a result, the permissions on a scanner that is plugged in AFTER a user has logged in will not be set properly. This is true of BOTH the strict and targeted policy. Everything works when SELinux is not enforcing its policy.
What avc's are you seeing?
Created attachment 127384 [details] AVC messages after attaching my USB scanner After looking at the AVC messages, I suspect that this may be because I am using LDAP and accessing it over TLS. I think the SELinux policy should be fixed to support this.
fixed in selinux-policy-2.2.32-1.FC5.
I can confirm that this is fixed in the targeted policy. I have not tried the strict policy.