Bug 1931334 - SELinux prevents pcscd getattr access to filesystem /sys
Summary: SELinux prevents pcscd getattr access to filesystem /sys
Keywords:
Status: CLOSED DUPLICATE of bug 1928611
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-02-22 08:20 UTC by Dick Marinus
Modified: 2021-02-24 20:35 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-02-24 20:35:00 UTC
Type: Bug
Embargoed:



Description Dick Marinus 2021-02-22 08:20:39 UTC
Description of problem:

When I connect my Yubikey I get the following audit message:

type=AVC msg=audit(1613981663.969:1064): avc:  denied  { getattr } for  pid=731 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0

audit2allow suggests the following policy:

module my-pcscd 1.0;

require {
	type device_t;
	type sysfs_t;
	type pcscd_t;
	class chr_file { ioctl open read write };
	class filesystem getattr;
}

#============= pcscd_t ==============
allow pcscd_t device_t:chr_file { ioctl open read write };
allow pcscd_t sysfs_t:filesystem getattr;

Comment 1 Zdenek Pytela 2021-02-22 19:55:30 UTC
Hi,

The permission in the description will be allowed in the next build, see bz#1928611.

You do, however, have some others; can you share more details?

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
ls -lRZ /dev | grep ^c.*:device_t:

Comment 2 Dick Marinus 2021-02-23 19:44:23 UTC
Very nice!

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
(removed pid, date/time and deduplicated)
 avc:  denied  { getattr } for  pid=xxx comm=pcscd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0 
 avc:  denied  { getattr } for  pid=xxx comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0 
 avc:  denied  { map } for  pid=xxx comm=gnome-shell path=/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache dev="sda2" ino=654653 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0 
 avc:  denied  { read } for  pid=xxx comm=gnome-shell name=org.signal.Signal.desktop dev="sda2" ino=654663 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0 
 avc:  denied  { read } for  pid=xxx comm=rpm name=rpmdb.sqlite dev="sda2" ino=785404 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0 
 avc:  denied  { read write } for  pid=xxx comm=rngd name=002 dev="devtmpfs" ino=183 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 


# ls -lRZ /dev | grep ^c.*:device_t:
crw-rw----. 1 root  kvm     system_u:object_r:device_t:s0               10,  62 23 feb 20:37 udmabuf
crw-------. 1 root root system_u:object_r:device_t:s0 251, 0 23 feb 20:37 system
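
The triage done in comment 1 (one denial already covered by an upstream fix, the rest still to be looked at) can be applied to ausearch output mechanically. The following is an added example, not code from this report or from selinux-policy: the log lines are constructed from the AVC messages in this report, and the `fixed_upstream` set passed to `triage` is an assumed input listing (source type, target type, class) triples known to be fixed.

```python
import re
from collections import defaultdict

# Constructed sample: the raw line from the description plus two ausearch -i
# lines from comment 2; both value styles (quoted and bare) occur in the wild.
SAMPLE_LOG = """\
type=AVC msg=audit(1613981663.969:1064): avc:  denied  { getattr } for  pid=731 comm="pcscd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:pcscd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
avc:  denied  { getattr } for  pid=xxx comm=rngd name=/ dev="sysfs" ino=1 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=0
avc:  denied  { read write } for  pid=xxx comm=rngd name=002 dev="devtmpfs" ino=183 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_avc(line):
    """Extract perms, the type from each context (third colon field, e.g. pcscd_t), class and comm; None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q or u for k, q, u in FIELD_RE.findall(m.group("fields"))}
    return {"perms": frozenset(m.group("perms").split()),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"], "comm": fields.get("comm", "?")}

def summarize(log_text):
    """Group denials the way audit2allow does: one bucket per (source, target, class)."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            bucket = rules[(d["source"], d["target"], d["tclass"])]
            bucket["perms"] |= d["perms"]
            bucket["comms"].add(d["comm"])
    return dict(rules)

def triage(rules, fixed_upstream):
    """Split buckets into those covered by a known upstream fix and those still to report."""
    covered = {k: v for k, v in rules.items() if k in fixed_upstream}
    remaining = {k: v for k, v in rules.items() if k not in fixed_upstream}
    return covered, remaining

def render(rules):
    """Format buckets as allow rules annotated with the processes that triggered them."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = " ".join(sorted(info["perms"]))
        perms = perms if len(info["perms"]) == 1 else "{ " + perms + " }"
        out.append(f"allow {src} {tgt}:{cls} {perms};  # seen from {', '.join(sorted(info['comms']))}")
    return out
```

Feeding `ausearch -i -m avc -ts today` output into `summarize` and rendering only the `remaining` half gives the list worth reporting separately; each rendered rule is a suggestion to check against the shipped policy, not something to load as-is.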

Comment 3 Zdenek Pytela 2021-02-24 20:35:00 UTC

*** This bug has been marked as a duplicate of bug 1928611 ***

