Bug 187436 - policy denies udev pam_console_apply on dev/dvb
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-30 16:54 EST by Jón Fairbairn
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-05-05 11:01:13 EDT
Attachments: None

Description Jón Fairbairn 2006-03-30 16:54:09 EST
Description of problem:
udev fails to set user/group on /dev/dvb/adapter*/* when module is loaded

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-2.fc5

How reproducible:
always

Steps to Reproduce:
1. put a file in /etc/security/console.perms.d/ like:
# classes
<dvb>=/dev/dvb/adapter*/*
<video>=/dev/video*

# permissions
<console> 0660 <dvb>    0660 root.household
<console> 0660 <video>  0660 root.household

2. load the driver for the dvb adapter
Actual results:
audit log contains lines:
type=AVC msg=audit(1143754601.828:2966): avc:  denied  { getattr } for 
pid=23278 comm="pam_console_app" name="frontend0" dev=tmpfs ino=51473
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1143754601.828:2966): arch=c000003e syscall=6 success=no
exit=-13 a0=6390f0 a1=7fffffe2fda0 a2=7fffffe2fda0 a3=639102 items=1 pid=23278
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="pam_console_app" exe="/sbin/pam_console_apply"

type=AVC_PATH msg=audit(1143754601.828:2966):  path="/dev/dvb/adapter0/frontend0"
type=CWD msg=audit(1143754601.828:2966):  cwd="/"
type=PATH msg=audit(1143754601.828:2966): item=0
name="/dev/dvb/adapter0/frontend0" flags=0  inode=51473 dev=00:0f mode=020600
ouid=0 ogid=0 rdev=d4:03

and the device nodes are created with owner and group root.

Expected results:
/dev/dvb/adapter0/frontend0 (and all the others) should be given permissions
according to the pam rules

Additional info:
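The audit records in the report above are the usual raw material for working out whether a denial is a missing allow rule or a mislabelled object. The following is an added Python example, not code from the report, from udev or from any SELinux tool: it groups the records by audit event id, pulls out the denied permission, the source and target types, the object class, the path and the syscall result, and flags a chr_file/blk_file target still labelled device_t as a likely missing file-context spec, which is what this bug turned out to be. The sample input is the report's own records re-joined onto single lines; the heuristic in looks_like_unlabeled_device is this example's own.

```python
import re
from typing import Dict, List

# The audit records quoted in the report (event 1143754601.828:2966), each
# re-joined onto a single line the way auditd writes them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1143754601.828:2966): avc:  denied  { getattr } for  pid=23278 comm="pam_console_app" name="frontend0" dev=tmpfs ino=51473 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1143754601.828:2966): arch=c000003e syscall=6 success=no exit=-13 a0=6390f0 a1=7fffffe2fda0 a2=7fffffe2fda0 a3=639102 items=1 pid=23278 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=AVC_PATH msg=audit(1143754601.828:2966):  path="/dev/dvb/adapter0/frontend0"
type=CWD msg=audit(1143754601.828:2966):  cwd="/"
type=PATH msg=audit(1143754601.828:2966): item=0 name="/dev/dvb/adapter0/frontend0" flags=0  inode=51473 dev=00:0f mode=020600 ouid=0 ogid=0 rdev=d4:03
"""

# type=<RECORD> msg=audit(<seconds>.<millis>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$")
# key=value pairs; a value is either double-quoted or a run of non-blanks
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# the verdict and the braced permission list at the front of an AVC record
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_fields(body: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(body)}


def group_records(text: str) -> Dict[str, List[dict]]:
    """Group audit records by event id (the seconds:serial inside audit(...))."""
    events: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record; skip it
        events.setdefault(m.group("event"), []).append(
            {"type": m.group("type"), "body": m.group("body"), "fields": parse_fields(m.group("body"))})
    return events


def context_type(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize_event(records: List[dict]) -> dict:
    """Pull the verdict, subject/object types, path and syscall result out of one event."""
    s: dict = {}
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "AVC":
            avc = AVC_RE.search(rec["body"])
            s["verdict"] = avc.group("verdict")
            s["perms"] = set(avc.group("perms").split())
            s["comm"] = f.get("comm")
            s["scontext"], s["tcontext"], s["tclass"] = f["scontext"], f["tcontext"], f["tclass"]
            s["source_type"], s["target_type"] = context_type(f["scontext"]), context_type(f["tcontext"])
        elif rec["type"] == "SYSCALL":
            s["exe"] = f.get("exe")
            s["success"] = f.get("success") == "yes"
            s["exit"] = int(f["exit"]) if "exit" in f else None
        elif rec["type"] in ("AVC_PATH", "PATH"):
            s.setdefault("path", f.get("path") or f.get("name"))  # first record with a path wins
    return s


def looks_like_unlabeled_device(summary: dict) -> bool:
    """Heuristic (this example's own): device_t is the generic label a device node
    keeps when no file-context spec matches it, so a denial on a chr/blk object of
    that type usually means a spec is missing (as here), not an allow rule."""
    return summary.get("tclass") in ("chr_file", "blk_file") and summary.get("target_type") == "device_t"


def triage(text: str) -> List[dict]:
    out = []
    for event, records in group_records(text).items():
        s = summarize_event(records)
        if "verdict" not in s:
            continue  # event without an AVC record
        s["event"] = event
        s["likely_missing_fcontext"] = looks_like_unlabeled_device(s)
        out.append(s)
    return out


if __name__ == "__main__":
    for s in triage(SAMPLE_AUDIT_LOG):
        print(f"{s['event']}: {s['verdict']} {sorted(s['perms'])} {s['source_type']} -> "
              f"{s['target_type']} ({s['tclass']}) path={s.get('path')} exe={s.get('exe')} "
              f"missing_fcontext={s['likely_missing_fcontext']}")
```

Feeding the report's records through triage() yields a single event: pam_console_t denied getattr on a chr_file at /dev/dvb/adapter0/frontend0 whose type is still device_t, with the stat syscall failing with exit -13 (EACCES), and the missing-fcontext flag set.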
Comment 1 Daniel Walsh 2006-03-31 11:46:29 EST
Could you try

semanage fcontext -a -t v4l_device_t "/dev/dvb/.*" 
restorecon -R -v /dev/dvb

and see if it works?

Comment 2 Jón Fairbairn 2006-03-31 12:06:36 EST
# semanage fcontext -a -t v4l_device_t "/dev/dvb/.*"
(no output)
# restorecon -R -v /dev/dvb
restorecon set context /dev/dvb/adapter0->system_u:object_r:v4l_device_t
failed:'Permission denied'
restorecon reset /dev/dvb/adapter0/net0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/dvr0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/demux0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t
restorecon reset /dev/dvb/adapter0/frontend0 context
system_u:object_r:device_t->system_u:object_r:v4l_device_t

After that, removing the driver and reloading it results in the console owner
owning the devices
$ ls --lcon /dev/dvb/adapter0/
total 0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 4 Mar 31 18:07 demux0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 5 Mar 31 18:07 dvr0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 3 Mar 31 18:07 frontend0
crw-rw---- 1 system_u:object_r:v4l_device_t   jf root 212, 7 Mar 31 18:07 net0

presumably the restorecon is unnecessary if the driver isn't loaded, since the
device nodes don't exist until it is loaded, and it'll happen then?

The first error refers to the directory:
$ ls --lcon /dev/dvb/adapter0/ -d
drwxr-xr-x 2 system_u:object_r:device_t       root root 120 Mar 31 18:07
/dev/dvb/adapter0//

but that's fine

Comment 3 Daniel Walsh 2006-03-31 12:21:57 EST
Actually I gave you the wrong command

# delete the previous spec
semanage fcontext -d -t v4l_device_t "/dev/dvb/.*"
# re-add it with -f "-c" so it applies only to character devices
semanage fcontext -a -t v4l_device_t -f "-c" "/dev/dvb/.*"
# List the device
semanage fcontext -l | grep dvb
/dev/dvb/.*                                        character device  
system_u:object_r:v4l_device_t:s0


Next policy update should have this change.
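The difference between the two semanage invocations in this thread (comment 1 without -f, comment 3 with -f "-c") is the file-type column of the resulting file-context spec, shown as "character device" in the semanage -l listing above. The following is an added Python simulation, not code from the report, from semanage or from selinux-policy, of how such a spec is matched against the nodes listed in comment 2. It assumes a single local spec and a "last matching spec wins" rule (a simplification of libselinux's lookup), and the directory listing is constructed data mirroring the ls --lcon output. It shows that the type-restricted spec leaves the adapter directory alone, so restorecon no longer tries to relabel the node that failed in comment 2.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileContextSpec:
    """One file_contexts line: <regex> [<ftype>] <context>.
    ftype uses the file_contexts column syntax (-c, -b, -d, --, -l, -s, -p);
    None means the spec applies to any file type."""
    regex: str
    ftype: Optional[str]
    context: str


# Mode character as ls(1) prints it -> file_contexts ftype column.
LS_TYPE_TO_FTYPE = {"c": "-c", "b": "-b", "d": "-d", "-": "--", "l": "-l", "s": "-s", "p": "-p"}

# The two specs from the thread: comment 1's (any file type) and comment 3's
# (restricted to character devices via -f "-c").
SPEC_ANY_TYPE = FileContextSpec(r"/dev/dvb/.*", None, "system_u:object_r:v4l_device_t:s0")
SPEC_CHR_ONLY = FileContextSpec(r"/dev/dvb/.*", "-c", "system_u:object_r:v4l_device_t:s0")

# Constructed tree mirroring the ls --lcon output in comment 2, before any
# relabel: (path, ls mode character, current context).
DVB_TREE: List[Tuple[str, str, str]] = [
    ("/dev/dvb/adapter0", "d", "system_u:object_r:device_t:s0"),
    ("/dev/dvb/adapter0/demux0", "c", "system_u:object_r:device_t:s0"),
    ("/dev/dvb/adapter0/dvr0", "c", "system_u:object_r:device_t:s0"),
    ("/dev/dvb/adapter0/frontend0", "c", "system_u:object_r:device_t:s0"),
    ("/dev/dvb/adapter0/net0", "c", "system_u:object_r:device_t:s0"),
]


def spec_matches(spec: FileContextSpec, path: str, ls_type: str) -> bool:
    """A spec applies only if its regex matches the whole path AND its ftype
    (when given) matches the node's file type."""
    if spec.ftype is not None and spec.ftype != LS_TYPE_TO_FTYPE[ls_type]:
        return False
    return re.fullmatch(spec.regex, path) is not None


def lookup_context(specs: List[FileContextSpec], path: str, ls_type: str) -> Optional[str]:
    """Simplification (assumption): the last matching spec wins, which is exact
    for a single spec. None means no spec matches and the node keeps its label."""
    winner = None
    for spec in specs:
        if spec_matches(spec, path, ls_type):
            winner = spec.context
    return winner


def plan_relabel(specs: List[FileContextSpec], tree) -> List[Tuple[str, str, str]]:
    """What a recursive restorecon would change: (path, old context, new context)."""
    changes = []
    for path, ls_type, current in tree:
        target = lookup_context(specs, path, ls_type)
        if target is not None and target != current:
            changes.append((path, current, target))
    return changes


if __name__ == "__main__":
    for label, spec in (("any type", SPEC_ANY_TYPE), ("-c only", SPEC_CHR_ONLY)):
        print(f"spec {spec.regex} ({label}):")
        for path, old, new in plan_relabel([spec], DVB_TREE):
            print(f"  {path}: {old} -> {new}")
```

With SPEC_ANY_TYPE the plan contains all five nodes, directory included; with SPEC_CHR_ONLY only the four character devices are relabelled to v4l_device_t and /dev/dvb/adapter0 stays device_t.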
Comment 4 Jón Fairbairn 2006-03-31 12:27:21 EST
That works too.

Many thanks.
Comment 5 Daniel Walsh 2006-04-03 12:32:52 EDT
Fixed in selinux-policy-2.2.29-2.fc5
Comment 7 Daniel Walsh 2006-05-05 11:01:13 EDT
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.
