Bug 194191 - Permissions not set with Digital Camera + LDAP / nscd + SElinux
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-06-05 20:43 EDT by W. Michael Petullo
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-08-19 11:47:05 EDT
Description W. Michael Petullo 2006-06-05 20:43:03 EDT
Description of problem:
When I plug my digital camera in, /usr/libexec/gphoto-set-procperm should set
the permissions on its device node so that the console owner has access to the
camera.  This works fine when SELinux is not enforcing its policy.  However,
when I turn SELinux on, gphoto-set-procperm fails to grant the console owner access.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
Every time

Steps to Reproduce:
1. Configure system to use LDAPS + nscd to resolve NSS requests
2. Turn on SELinux (enforcing on)
3. Log in as a normal user
4. Attach digital camera to system
  
Actual results:
/dev/bus/usb/00X/00Y still owned by root

Expected results:
/dev/bus/usb/00X/00Y still owned by console owner

Additional info:
I see the following in my audit log:

type=AVC msg=audit(1149554361.473:2567): avc:  denied  { name_connect } for  pid=13665 comm="chown" dest=636 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1149554361.473:2567): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfeba688 a2=5710a8 a3=8faa880 items=0 pid=13665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chown" exe="/bin/chown"
type=SOCKADDR msg=audit(1149554361.473:2567): saddr=0200027CC0A8000A0000000000000000
type=SOCKETCALL msg=audit(1149554361.473:2567): nargs=3 a0=3 a1=8fbbbf0 a2=10
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { search } for  pid=13665 comm="chown" name="pki" dev=hda2 ino=819236 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { read } for  pid=13665 comm="chown" name="cert.pem" dev=hda2 ino=819408 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { read } for  pid=13665 comm="chown" name="ca-bundle.crt" dev=hda2 ino=819411 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1149554361.489:2568): arch=40000003 syscall=5 success=yes exit=4 a0=51f9b2 a1=8000 a2=1b6 a3=8fc4a20 items=1 pid=13665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chown" exe="/bin/chown"
type=CWD msg=audit(1149554361.489:2568):  cwd="/usr/libexec"
type=PATH msg=audit(1149554361.489:2568): item=0 name="/etc/pki/tls/cert.pem" flags=101  inode=819411 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1149554361.493:2569): avc:  denied  { getattr } for  pid=13665 comm="chown" name="ca-bundle.crt" dev=hda2 ino=819411 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1149554361.493:2569): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfeba160 a2=2beff4 a3=8fc4a20 items=0 pid=13665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chown" exe="/bin/chown"
type=AVC_PATH msg=audit(1149554361.493:2569):  path="/etc/pki/tls/certs/ca-bundle.crt"
type=AVC msg=audit(1149554361.537:2570): avc:  denied  { create } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=SYSCALL msg=audit(1149554361.537:2570): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bfb12fbc a2=2beff4 a3=bfb13150 items=0 pid=13666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=SOCKETCALL msg=audit(1149554361.537:2570): nargs=3 a0=10 a1=3 a2=0
type=AVC msg=audit(1149554361.537:2571): avc:  denied  { bind } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=SYSCALL msg=audit(1149554361.537:2571): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfb12fbc a2=2beff4 a3=bfb12fcc items=0 pid=13666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=SOCKADDR msg=audit(1149554361.537:2571): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1149554361.537:2571): nargs=3 a0=3 a1=bfb12fcc a2=c
type=AVC msg=audit(1149554361.537:2572): avc:  denied  { getattr } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=SYSCALL msg=audit(1149554361.537:2572): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfb12fbc a2=2beff4 a3=bfb12fcc items=0 pid=13666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=SOCKETCALL msg=audit(1149554361.537:2572): nargs=3 a0=3 a1=bfb12fcc a2=bfb12fd8
type=AVC msg=audit(1149554361.537:2573): avc:  denied  { write } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=AVC msg=audit(1149554361.537:2573): avc:  denied  { nlmsg_read } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=SYSCALL msg=audit(1149554361.537:2573): arch=40000003 syscall=102 success=yes exit=20 a0=b a1=bfb11f0c a2=2beff4 a3=ffffffcc items=0 pid=13666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=SOCKADDR msg=audit(1149554361.537:2573): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1149554361.537:2573): nargs=6 a0=3 a1=bfb12f80 a2=14 a3=0 a4=bfb12f94 a5=c
type=AVC msg=audit(1149554361.541:2574): avc:  denied  { read } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=SYSCALL msg=audit(1149554361.541:2574): arch=40000003 syscall=102 success=yes exit=128 a0=11 a1=bfb11f18 a2=2beff4 a3=ffffffcc items=0 pid=13666 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="pam_console_app" exe="/sbin/pam_console_apply"
type=SOCKETCALL msg=audit(1149554361.541:2574): nargs=3 a0=3 a1=bfb12f64 a2=0
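The audit trail above is the whole diagnosis: /bin/chown, running in hald's domain (hald_t) because gphoto-set-procperm is spawned by hald, resolves the console owner's name through NSS, and with LDAP configured as the NSS backend that lookup turns into a TLS connection to port 636 plus reads of the CA bundle under /etc/pki. The policy for hald_t never anticipated a user-database lookup needing the network. The script below is an added example written for this page, not code from the bug report or from the selinux-policy project. It parses AVC records the way a responder would before reaching for audit2allow: it groups denials by (source type, target type, object class), renders the allow rules that would be needed, and flags the tell-tale pattern of a non-network tool such as chown being denied name_connect to ldap_port_t. The sample records are copied from the report above; the regexes and helper names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log in the bug report above (the SYSCALL
# line is kept to show that non-AVC record types are ignored by the parser).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1149554361.473:2567): avc:  denied  { name_connect } for  pid=13665 comm="chown" dest=636 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1149554361.473:2567): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfeba688 a2=5710a8 a3=8faa880 items=0 pid=13665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chown" exe="/bin/chown"
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { search } for  pid=13665 comm="chown" name="pki" dev=hda2 ino=819236 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { read } for  pid=13665 comm="chown" name="cert.pem" dev=hda2 ino=819408 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1149554361.489:2568): avc:  denied  { read } for  pid=13665 comm="chown" name="ca-bundle.crt" dev=hda2 ino=819411 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1149554361.493:2569): avc:  denied  { getattr } for  pid=13665 comm="chown" name="ca-bundle.crt" dev=hda2 ino=819411 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1149554361.537:2570): avc:  denied  { create } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=AVC msg=audit(1149554361.537:2571): avc:  denied  { bind } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
type=AVC msg=audit(1149554361.537:2573): avc:  denied  { nlmsg_read } for  pid=13666 comm="pam_console_app" scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tclass=netlink_route_socket
"""

# Only "type=AVC " records (not AVC_PATH) carry a denial; capture the
# permission set inside the braces and the key=value tail that follows.
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type is what policy rules name.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'name': fields.get('name'),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def to_allow_rules(summary):
    """Render allow rules in the shape audit2allow prints (self for same-type)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


def nss_over_ldap_suspects(log_text):
    """(comm, pid) pairs denied name_connect to ldap_port_t: a sign that a
    process with no business on the network is doing NSS lookups via LDAP."""
    seen = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'name_connect' in rec['perms'] and rec['ttype'] == 'ldap_port_t':
            pair = (rec['comm'], rec['pid'])
            if pair not in seen:
                seen.append(pair)
    return seen


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(summary):
        print(rule)
    for comm, pid in nss_over_ldap_suspects(SAMPLE_AUDIT_LOG):
        print(f'# {comm} (pid {pid}) is reaching LDAP: NSS lookup from a confined domain?')
```

The rendered rules say what the denied operations would need, not that they should be granted: a domain such as hald_t gaining name_connect to ldap_port_t and read on cert_t is a real widening of its network reach, which is why this report was resolved in the distribution's selinux-policy (see Comment 1) rather than with a local module. On a live system the equivalent first step is `ausearch -m avc -c chown` followed by `audit2allow` on that output, and the check after a policy update is that the same camera plug-in produces no new AVC records.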
Comment 1 Daniel Walsh 2006-06-15 22:32:54 EDT
Fixed in selinux-policy-2.2.47-3
Comment 2 W. Michael Petullo 2006-08-19 11:47:05 EDT
Verified fixed with selinux-policy-2.3.2-1.  Thank you.