Bug 159540 - new parted requires ability to read /sys
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-06-03 17:11 EDT by Chris Lumens
Modified: 2007-11-30 17:11 EST (History)

Fixed In Version: 1.23.18-1
Doc Type: Bug Fix
Last Closed: 2005-09-04 19:47:56 EDT

Description Chris Lumens 2005-06-03 17:11:58 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
Future versions of parted are going to be using files under /sys/block/<device> to get information about that device (for instance, the model and manufacturer name).  Currently, this is not allowed by targeted policy, resulting in an EACCES when attempting to read:

type=AVC msg=audit(1117829236.044:1047962): avc:  denied  { read } for  pid=3201 comm="parted" name=device dev=sysfs ino=3402 scontext=root:system_r:fsadm_t tcontext=system_u:object_r:sysfs_t tclass=lnk_file

Here, the file I am trying to read is /sys/block/sda/device/vendor.

Paul Nasrat has come up with the following patch to the policy to allow parted to read from /sys:

--- fsadm.te    2005-05-28 01:23:13.000000000 -0400
+++ /home/clumens/fsadm.te      2005-06-03 16:20:28.000000000 -0400
@@ -19,7 +19,7 @@

 # for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+allow fsadm_t sysfs_t:dir { search getattr read };

 # Read system information files in /proc.
 r_dir_file(fsadm_t, proc_t)
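Review bot: the `# for swapon` comment above the changed line no longer describes the rule once `read` is added to `allow fsadm_t sysfs_t:dir { search getattr read };`, since the new permission is there for parted listing `/sys/block/<device>`, not for swapon; either extend the comment or move the `read` grant next to the `# Read /sys files and links` comment of the second hunk so the policy records what each permission is for. Note also that the AVC quoted in the description is a `lnk_file` read denial, not a `dir` read, so this hunk is a pre-emptive grant for directory listing rather than the fix for the quoted denial.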
@@ -43,13 +43,15 @@
 allow fsadm_t device_t:dir r_dir_perms;
 allow fsadm_t device_t:lnk_file r_file_perms;

+# Read /sys files and links
+allow fsadm_t sysfs_t:{ file lnk_file } r_file_perms;

 type fsadm_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)

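Review bot: `allow fsadm_t sysfs_t:{ file lnk_file } r_file_perms;` is the hunk that actually matches the quoted AVC (tclass=lnk_file, { read }), but it grants read on every file and symlink labelled sysfs_t, i.e. all of /sys, while the description only needs /sys/block/<device>; without a separate type for /sys/block the policy cannot be narrower, so the comment should say that the whole sysfs tree becomes readable from fsadm_t. For consistency with the `r_dir_file(fsadm_t, proc_t)` line in the previous hunk, consider expressing the sysfs grants with that macro if it covers lnk_file, which would also fold the dir change of the first hunk into one place.
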
Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Apply patches from parted CVS, rebuild and install.
2. Run new parted and watch as it falls back on older code (you'll see a warning about using a deprecated scsi ioctl in dmesg).

Additional info:
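As an added example (not part of this bug report or of the policy patch), a small Python helper that turns the AVC line quoted above into the narrowest allow rule that would satisfy it and checks whether a candidate policy rule actually covers the denial; the expansion of the r_file_perms macro is an assumption.

```python
"""Map an SELinux AVC denial to the allow rule it calls for, and check
whether a candidate TE rule (with class sets and perm macros) covers it."""
import re

# Constructed copy of the AVC line quoted in the bug report.
AVC_LINE = ("type=AVC msg=audit(1117829236.044:1047962): avc:  denied  { read } for  "
            "pid=3201 comm=\"parted\" name=device dev=sysfs ino=3402 "
            "scontext=root:system_r:fsadm_t tcontext=system_u:object_r:sysfs_t "
            "tclass=lnk_file")

# Assumed expansion of the r_file_perms macro used by the patch.
MACROS = {"r_file_perms": {"read", "getattr", "lock", "ioctl"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
# allow <src> <tgt>:<class | { classes }> <perm | { perms }>;
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(?:\{([^}]*)\}|(\S+))\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_avc(line):
    """Return (source type, target type, class, denied perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # contexts are user:role:type[:level]
    ttype = m.group("tctx").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())

def suggested_rule(line):
    """The narrowest allow rule that would silence this one denial."""
    stype, ttype, tclass, perms = parse_avc(line)
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))

def parse_rule(text):
    """Parse one TE allow rule; class sets and permission macros are expanded."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not an allow rule: %r" % text)
    classes = set((m.group(3) or m.group(4)).split())
    perms = set()
    for p in (m.group(5) or m.group(6)).split():
        perms |= MACROS.get(p, {p})
    return m.group(1), m.group(2), classes, perms

def rule_covers(rule_text, avc_line):
    """True if the rule grants every permission the AVC line was denied."""
    stype, ttype, tclass, perms = parse_avc(avc_line)
    rs, rt, classes, rperms = parse_rule(rule_text)
    return rs == stype and rt == ttype and tclass in classes and perms <= rperms
```

Running rule_covers over the two rules the patch adds shows that only the lnk_file rule of the second hunk satisfies the quoted denial; the dir rule of the first hunk does not.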
Comment 1 Daniel Walsh 2005-06-06 11:12:42 EDT
Fixed in selinux-policy-targeted-1.23.18-1
