Bug 172394 - avc denied message for makedev with pcmcia modem
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Russell Coker
Reported: 2005-11-03 13:51 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-12-08 16:01:43 EST
Description Orion Poplawski 2005-11-03 13:51:53 EST
Description of problem:

This is on a laptop; I get the following messages at boot.

System has a pcmcia modem card:

PRODID_1="Psion"
PRODID_2="Gold Card 56K Combine iT"
PRODID_3="56K+Fax"
PRODID_4="V8.35"
MANFID=016c,0006
FUNCID=2

with enforcing:


Nov  3 11:41:02 iditarod kernel: audit(1131043246.071:2): avc:  denied  { write
} for  pid=1450 comm="MAKEDEV" name="fscreate" dev=proc ino=95027223
scontext=system_u:system_r:cardmgr_t tcontext=system_u:system_r:cardmgr_t
tclass=file
Nov  3 11:41:02 iditarod kernel: audit(1131043246.071:3): avc:  denied  { chown
} for  pid=1450 comm="MAKEDEV" capability=0 scontext=system_u:system_r:cardmgr_t
tcontext=system_u:system_r:cardmgr_t tclass=capability
Nov  3 11:41:02 iditarod kernel: audit(1131043246.083:4): avc:  denied  {
associate } for  pid=1454 comm="ln" name="modem"
scontext=system_u:object_r:cardmgr_lnk_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem

with permissive:

Nov  3 10:20:36 iditarod kernel: audit(1131038423.971:2): avc:  denied  { search
} for  pid=1442 comm="MAKEDEV" name="contexts" dev=hda2 ino=352586
scontext=system_u:system_r:cardmgr_t
tcontext=system_u:object_r:default_context_t tclass=dir
Nov  3 10:20:36 iditarod kernel: audit(1131038423.971:3): avc:  denied  { search
} for  pid=1442 comm="MAKEDEV" name="files" dev=hda2 ino=352592
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:file_context_t
tclass=dir
Nov  3 10:20:36 iditarod kernel: audit(1131038423.971:4): avc:  denied  { read }
for  pid=1442 comm="MAKEDEV" name="file_contexts" dev=hda2 ino=352590
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:file_context_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038423.983:5): avc:  denied  { read
write } for  pid=1442 comm="MAKEDEV" name="context" dev=selinuxfs ino=5
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:security_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038423.983:6): avc:  denied  {
check_context } for  pid=1442 comm="MAKEDEV"
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:security_t
tclass=security
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:7): avc:  denied  { write
} for  pid=1442 comm="MAKEDEV" name="fscreate" dev=proc ino=94502935
scontext=system_u:system_r:cardmgr_t tcontext=system_u:system_r:cardmgr_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:8): avc:  denied  {
setfscreate } for  pid=1442 comm="MAKEDEV" scontext=system_u:system_r:cardmgr_t
tcontext=system_u:system_r:cardmgr_t tclass=process
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:9): avc:  denied  { create
} for  pid=1442 comm="MAKEDEV" name="ttyS1-"
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:10): avc:  denied  {
setattr } for  pid=1442 comm="MAKEDEV" name="ttyS1-" dev=tmpfs ino=4680
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:11): avc:  denied  { chown
} for  pid=1442 comm="MAKEDEV" capability=0 scontext=system_u:system_r:cardmgr_t
tcontext=system_u:system_r:cardmgr_t tclass=capability
Nov  3 10:20:36 iditarod kernel: audit(1131038424.231:12): avc:  denied  {
rename } for  pid=1442 comm="MAKEDEV" name="ttyS1-" dev=tmpfs ino=4680
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:tty_device_t
tclass=chr_file
Nov  3 10:20:36 iditarod kernel: audit(1131038424.331:13): avc:  denied  {
associate } for  pid=1472 comm="ln" name="modem"
scontext=system_u:object_r:cardmgr_lnk_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem
Nov  3 10:20:36 iditarod kernel: audit(1131038425.824:14): avc:  denied  { read
} for  pid=1667 comm="portmap" name="nsswitch.conf" dev=hda2 ino=354041
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038425.824:15): avc:  denied  {
getattr } for  pid=1667 comm="portmap" name="nsswitch.conf" dev=hda2 ino=354041
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:etc_runtime_t
tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.6

How reproducible:
every time
Comment 1 Orion Poplawski 2005-11-10 12:04:56 EST
The portmap messages seem unrelated, but I'm seeing them on other systems as well:

Nov 10 08:52:25 makani kernel: audit(1131637933.908:3): avc:  denied  { read }
for  pid=2308 comm="portmap" name="nsswitch.conf" dev=hda5 ino=289813
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
Comment 2 Daniel Walsh 2005-11-30 15:37:46 EST
Did some program/script create the /etc/nsswitch.conf file?  It should have a
file context of etc_t on it.  restorecon /etc/nsswitch.conf should fix it.

I would disable cardmgr transition to make it work.

setsebool -P cardmgr_disable_trans=1

Cardmgr needs to run MAKEDEV and MAKEDEV is too powerful, so it doesn't make
sense to muck around with the policy, and cardmgr is going away in FC5.


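The AVC records in this report are wrapped across lines by syslog/Bugzilla, which defeats a naive line-by-line grep. The following parser is an added example, not part of the bug report or of the SELinux tooling: it re-joins wrapped records, extracts the permission set and key=value fields from the old kernel-log `audit(...)` AVC format, and unions denied permissions per (scontext, tcontext, tclass), the triple an allow rule is keyed on. The sample records are copied from this bug.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from this bug report, line-wrapped the
# way Bugzilla shows them (continuation lines do not start with a syslog date).
SAMPLE_LOG = """\
Nov  3 11:41:02 iditarod kernel: audit(1131043246.071:2): avc:  denied  { write
} for  pid=1450 comm="MAKEDEV" name="fscreate" dev=proc ino=95027223
scontext=system_u:system_r:cardmgr_t tcontext=system_u:system_r:cardmgr_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038423.983:5): avc:  denied  { read
write } for  pid=1442 comm="MAKEDEV" name="context" dev=selinuxfs ino=5
scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:security_t
tclass=file
Nov  3 10:20:36 iditarod kernel: audit(1131038425.824:14): avc:  denied  { read
} for  pid=1667 comm="portmap" name="nsswitch.conf" dev=hda2 ino=354041
scontext=system_u:system_r:portmap_t tcontext=system_u:object_r:etc_runtime_t
tclass=file
"""
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")   # "Nov  3 11:41:02 "
AVC = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')                          # key=value or key="value"

def unwrap(text):
    """Re-join records that syslog/Bugzilla wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return the denied permissions and key=value fields of one record, or None."""
    m = AVC.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), **fields}

def summarize(text):
    """Union denied permissions per (scontext, tcontext, tclass) triple."""
    denials = defaultdict(set)
    for rec in unwrap(text):
        d = parse_avc(rec)
        if d:
            denials[(d["scontext"], d["tcontext"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in denials.items()}
```

Run `summarize(SAMPLE_LOG)` to see that MAKEDEV needs read and write on security_t:file in one line, which is easier to reason about than the raw wrapped log.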
Comment 3 Orion Poplawski 2005-12-08 16:01:43 EST
/etc/nsswitch.conf is installed by cfengine.  Looks like it got set back to
etc_t at some point.  I edited the file, let cfengine replace it, and it stayed at
etc_t.  Perhaps a relic from some other config?

Thanks for the cardmgr boolean.
