Bug 1442443 - SELinux prevents Lirc from writing to /sys/
Summary: SELinux prevents Lirc from writing to /sys/
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-04-14 19:18 UTC by Gustavo Maciel Dias Vieira
Modified: 2017-04-25 02:23 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-225.13.fc25
Clone Of:
Environment:
Last Closed: 2017-04-25 02:23:42 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Gustavo Maciel Dias Vieira 2017-04-14 19:18:28 UTC 
Description of problem:
When Lirc is configured to use the "default" driver in /etc/lirc/lirc_options.conf, it disables the kernel internal processing of signals as keystrokes (devinput, I guess). It appears to do this by writing to /sys/class/rc/rc0/protocols.

SELinux blocks Lirc from configuring the kernel protocols and when using the "default" driver I get duplicate keys.


Version-Release number of selected component (if applicable):
lirc-compat-0.9.4c-8.fc25.x86_64
lirc-config-0.9.4c-8.fc25.noarch
lirc-core-0.9.4c-8.fc25.x86_64
lirc-doc-0.9.4c-8.fc25.noarch
lirc-drv-ftdi-0.9.4c-8.fc25.x86_64
lirc-drv-portaudio-0.9.4c-8.fc25.x86_64
lirc-libs-0.9.4c-8.fc25.x86_64
lirc-tools-gui-0.9.4c-8.fc25.x86_64
selinux-policy-3.13.1-225.11.fc25.noarch
selinux-policy-targeted-3.13.1-225.11.fc25.noarch


How reproducible:
Deterministic


Steps to Reproduce:
Configure Lirc to use the "default" driver in /etc/lirc/lirc_options.conf

Try and use an application that both processes Lirc input and keyboard inputs.


Actual results:
Duplicate keys

Expected results:
Only the Lirc input should be processed.


Additional info:

The AVCs I get are:

type=AVC msg=audit(1488155185.855:113): avc:  denied  { write } for  pid=776 comm="lircd" name="protocols" dev="sysfs" ino=20350 scontext=system_u:system_r:lircd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1488155185.855:114): avc:  denied  { write } for  pid=776 comm="lircd" name="protocols" dev="sysfs" ino=20350 scontext=system_u:system_r:lircd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0


If I create and install the following module, Lirc works as expected:

module lircsysfs 1.0;

require {
	type sysfs_t;
	type lircd_t;
	class file write;
}

#============= lircd_t ==============
allow lircd_t sysfs_t:file write;
Comment 1 Fedora Update System 2017-04-19 20:36:23 UTC 
selinux-policy-3.13.1-225.13.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc
Comment 2 Fedora Update System 2017-04-20 18:25:02 UTC 
selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0af0456dcc
Comment 3 Fedora Update System 2017-04-25 02:23:42 UTC 
selinux-policy-3.13.1-225.13.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.