Bug 1505121 - selinux preventing conman from accessing local serial devices
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Duplicates: 1471581
Blocks: 1422276
Reported: 2017-10-22 08:13 EDT by Brian J. Murrell
Modified: 2018-04-10 08:45 EDT
Fixed In Version: selinux-policy-3.13.1-176.el7
Last Closed: 2018-04-10 08:44:59 EDT
Type: Bug

External Trackers
Red Hat Product Errata RHBA-2018:0763 (last updated 2018-04-10 08:45 EDT)

Description Brian J. Murrell 2017-10-22 08:13:39 EDT
Source Context                system_u:system_r:conman_t:s0
Target Context                system_u:object_r:usbtty_device_t:s0
Target Objects                /dev/ttyUSB0 [ chr_file ]
Source                        conmand
Source Path                   /usr/sbin/conmand
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           conman-0.2.7-15.el7.x86_64
Target RPM Packages  
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              3.10.0-514.26.2.el7.x86_64 #1 SMP Tue Jul 4
                              15:04:05 UTC 2017 x86_64 x86_64
Alert Count                   11
First Seen                    2017-07-16 20:31:47 EDT
Last Seen                     2017-10-22 08:07:28 EDT
Local ID                      1100d346-f897-49e9-bf6d-22cfdecc24e4

Raw Audit Messages   
type=AVC msg=audit(1508674048.600:187897): avc:  denied  { getattr } for  pid=25763 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1508674048.600:187897): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f2d237b1d40 a1=7ffffe36e210 a2=7ffffe36e210 a3=7f2d21e8e4c0 items=0 ppid=1 pid=25763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=conmand exe=/usr/sbin/conmand subj=system_u:system_r:conman_t:s0 key=(null)

Hash: conmand,conman_t,usbtty_device_t,chr_file,getattr
Comment 2 Brian J. Murrell 2017-10-22 08:31:54 EDT
Additionally, once policy is created to allow the above:

type=AVC msg=audit(1508674048.600:187897): avc:  denied  { getattr } for  pid=25763 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t
type=AVC msg=audit(1508674705.617:187937): avc:  denied  { read write } for  pid=26095 comm="conmand" name="ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s
type=AVC msg=audit(1508674861.679:187962): avc:  denied  { open } for  pid=26211 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0
type=AVC msg=audit(1508675101.392:187971): avc:  denied  { lock } for  pid=26314 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0
type=AVC msg=audit(1508675311.530:187978): avc:  denied  { ioctl } for  pid=26432 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s
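The denials in the description and in comment 2 add up to one missing rule for conman_t on usbtty_device_t. The following is an added example, not part of this report or of selinux-policy: a small Python routine that groups AVC records by source type, target type and object class and renders each group as an allow rule, which is the aggregation audit2allow performs when building a local policy module. The sample audit text is constructed from this report's records; comment 2's lines are truncated on the page, so their tcontext/tclass fields are filled in to match the description's complete record, and the SYSCALL record is abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample built from the AVC records in this report. Comment 2's
# lines are truncated on the page, so tcontext/tclass are completed to match the
# description's full record; the SYSCALL record is abbreviated.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1508674048.600:187897): avc:  denied  { getattr } for  pid=25763 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1508674048.600:187897): arch=x86_64 syscall=stat success=no exit=EACCES comm=conmand exe=/usr/sbin/conmand
type=AVC msg=audit(1508674705.617:187937): avc:  denied  { read write } for  pid=26095 comm="conmand" name="ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1508674861.679:187962): avc:  denied  { open } for  pid=26211 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1508675101.392:187971): avc:  denied  { lock } for  pid=26314 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1508675311.530:187978): avc:  denied  { ioctl } for  pid=26432 comm="conmand" path="/dev/ttyUSB0" dev="devtmpfs" ino=12585 scontext=system_u:system_r:conman_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
"""

# Matches the permission vector and the three fields that identify a rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type component (user:role:TYPE:level) of a SELinux context."""
    return context.split(':')[2]

def collect_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission vector
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def allow_rules(denials):
    """Render each group as one allow rule, listing the permissions in the order they were hit."""
    order = ['getattr', 'read', 'write', 'open', 'lock', 'ioctl']
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        ordered = [p for p in order if p in perms] + sorted(perms - set(order))
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(ordered)} }};")
    return rules

if __name__ == '__main__':
    for rule in allow_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

The single rule this yields is what a local stopgap module would carry; the permanent fix is the policy shipped in selinux-policy-3.13.1-176.el7 noted in the header.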
Comment 7 Brad Peters 2017-12-14 18:37:41 EST
*** Bug 1471581 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2018-04-10 08:44:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
