Description of problem:

Latest hal-0.5.9-0.git20070218.fc7 that hits Rawhide tomorrow will require more privileges as we now add/remove ACLs on devices. This is for fast user switching. In the future more access than just v4l_device_t and sound_device_t is needed; these are just the AVCs generated when plugging in

a) webcam (add/remove ACLs on /dev/video0)
b) USB sound card (add/remove ACLs on /dev/snd/*, /dev/dsp etc.)
c) PTP based camera (add/remove ACLs on /dev/usb/*)

Again, I'd like to reiterate that I'd like to maintain the SELinux security policy for hal myself in the upstream project such that I can fix this up *before* it hits Rawhide. Also, as the upstream maintainer I'm in a very good position to know what hald is supposed to be allowed to do.

Thanks. Details follow:

[root@gemini ~]# cat /var/log/audit/audit.log |grep hald
type=AVC msg=audit(1171846538.889:76): avc: denied { setattr } for pid=5723 comm="setfacl" name="dsp2" dev=tmpfs ino=52213 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1171846538.889:76): arch=40000003 syscall=226 success=yes exit=0 a0=94cb038 a1=3efc4f a2=94cc1b0 a3=2c items=0 ppid=5722 pid=5723 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setfacl" exe="/usr/bin/setfacl" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1171846539.286:77): avc: denied { fowner } for pid=5751 comm="setfacl" capability=3 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=SYSCALL msg=audit(1171846539.286:77): arch=40000003 syscall=226 success=yes exit=0 a0=8e03038 a1=ac4c4f a2=8e041b0 a3=2c items=0 ppid=5745 pid=5751 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setfacl" exe="/usr/bin/setfacl" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1171846620.965:78): avc: denied { setattr } for pid=5853 comm="setfacl" name="video0" dev=tmpfs ino=52963 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1171846620.965:78): arch=40000003 syscall=226 success=yes exit=0 a0=92b9038 a1=39ac4f a2=92ba1b0 a3=2c items=0 ppid=5852 pid=5853 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setfacl" exe="/usr/bin/setfacl" subj=system_u:system_r:hald_t:s0 key=(null)
[root@gemini ~]#
[root@gemini ~]# cat /var/log/audit/audit.log |grep hald|audit2allow
#============= hald_t ==============
allow hald_t hald_t : capability fowner;
allow hald_t sound_device_t : chr_file setattr;
allow hald_t v4l_device_t : chr_file setattr;
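An added example, not part of the original report and not the audit2allow source: a minimal Python parser that turns the AVC records quoted above into allow rules and also lists which commands triggered the denials, which is the evidence for confining the access to a single helper. The function names are hypothetical, and it assumes quoted `comm=` values and `user:role:type:level` contexts as seen in this log.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the report; SYSCALL record shortened.
SAMPLE = '''\
type=AVC msg=audit(1171846538.889:76): avc: denied { setattr } for pid=5723 comm="setfacl" name="dsp2" dev=tmpfs ino=52213 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1171846538.889:76): arch=40000003 syscall=226 success=yes exit=0 comm="setfacl" exe="/usr/bin/setfacl" subj=system_u:system_r:hald_t:s0
type=AVC msg=audit(1171846539.286:77): avc: denied { fowner } for pid=5751 comm="setfacl" capability=3 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=AVC msg=audit(1171846620.965:78): avc: denied { setattr } for pid=5853 comm="setfacl" name="video0" dev=tmpfs ino=52963 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_denials(text):
    """Return one dict per AVC denial; SYSCALL and other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith('type=AVC') else None
        if m is None:
            continue
        comm = COMM_RE.search(line)
        denials.append({'src': selinux_type(m['scon']), 'tgt': selinux_type(m['tcon']),
                        'tclass': m['tclass'], 'perms': m['perms'].split(),
                        'comm': comm.group(1) if comm else None})
    return denials

def to_allow_rules(denials):
    """Merge denials per (source, target, class) and render allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['src'], d['tgt'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt} : {tclass} {perm_str};')
    return rules

def requesting_commands(denials):
    """Commands that triggered the denials; one name suggests one helper."""
    return {d['comm'] for d in denials}

print('\n'.join(to_allow_rules(parse_denials(SAMPLE))))
```

Every denial in the sample comes from `setfacl` running in `hald_t`, so the generated rules would grant the access to the whole hald domain rather than to the one program that needs it.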
Btw, only /usr/libexec/hal-acl-tool needs to be able to do this. Is it possible to create a new domain, e.g. hald_acl_tool_t, just for this to ensure that only this program can add/remove ACLs on files in /dev?
Yes, we could break this out. I will start separating it, and we can play with it on Friday if you are in the office. We can also talk about breaking out the hal policy package. My hesitation right now is how we can do initial installs. We need to get the policy labeling right during install.
Fixed in selinux-policy-2.5.9-1.fc7
Should be fixed in the current release