Bug 238255 - avc when adding a firewire camera
Summary: avc when adding a firewire camera
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-28 11:17 UTC by Stephanos Manos
Modified: 2007-11-30 22:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-21 14:24:30 UTC
Type: ---
Embargoed:


Description Stephanos Manos 2007-04-28 11:17:01 UTC
Description of problem:
When plugging a firewire camera into my system, I get the following AVC error in
setroubleshoot:

Summary
    SELinux is preventing /usr/bin/setfacl (hald_acl_t) "getattr" access to
    device /dev/fw1.

Detailed Description
    SELinux has denied the /usr/bin/setfacl (hald_acl_t) "getattr" access to
    device /dev/fw1. /dev/fw1 is mislabeled, this device has the default label
    of the /dev directory, which should not happen.  All Character and/or Block
    Devices should have a label. You can attempt to change the label of the file
    using restorecon -v /dev/fw1. If this device remains labeled device_t, then
    this is a bug in SELinux policy. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against the selinux-policy
    package. If you look at the other similar devices labels, ls -lZ
    /dev/SIMILAR, and find a type that would work for /dev/fw1, you can use
    chcon -t SIMILAR_TYPE /dev/fw1, If this fixes the problem, you can make this
    permanent by executing semanage fcontext -a -t SIMILAR_TYPE /dev/fw1 If the
    restorecon changes the context, this indicates that the application that
    created the device, created it without using SELinux APIs.  If you can
    figure out which application created the device, please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this application.

Allowing Access
    Attempt restorecon -v /dev/fw1 or chcon -t SIMILAR_TYPE /dev/fw1

Additional Information        

Source Context                system_u:system_r:hald_acl_t
Target Context                system_u:object_r:device_t
Target Objects                /dev/fw1 [ chr_file ]
Affected RPM Packages         acl-2.2.39-3.1.fc7 [application]
Policy RPM                    selinux-policy-2.6.1-1.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.device
Host Name                     ghost.home-net
Platform                      Linux ghost.home-net 2.6.21-1.3116.fc7 #1 SMP Thu
                              Apr 26 10:36:44 EDT 2007 i686 i686
Alert Count                   4
First Seen                    Σαβ 28 Απρ 2007 02:01:58 μμ EEST
Last Seen                     Σαβ 28 Απρ 2007 02:06:38 μμ EEST
Local ID                      96c87c7e-a0bd-4cc2-a197-3f406e6b28b8
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="setfacl" cwd="/usr/libexec" dev=00:10 egid=0
euid=0 exe="/usr/bin/setfacl" exit=-13 fsgid=0 fsuid=0 gid=0 inode=60172 item=0
items=1 mode=020600 name="fw1" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0
path="/dev/fw1" pid=5279 rdev=fb:01 scontext=system_u:system_r:hald_acl_t:s0
sgid=0 subj=system_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0
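
An added triage example, not part of the original report and not setroubleshoot's own plugin code: it parses the raw AVC message above and applies the rule the alert text describes (a character or block device still carrying the generic `device_t` type is a labeling problem rather than a missing allow rule). The function names and the `example_device_t` type used in the counter-case are assumptions made for illustration.

```python
import re

# Constructed sample: the raw audit message from this report, joined onto one line.
SAMPLE = (
    'avc: denied { getattr } for comm="setfacl" cwd="/usr/libexec" dev=00:10 egid=0 '
    'euid=0 exe="/usr/bin/setfacl" exit=-13 fsgid=0 fsuid=0 gid=0 inode=60172 item=0 '
    'items=1 mode=020600 name="fw1" obj=system_u:object_r:device_t:s0 ogid=0 ouid=0 '
    'path="/dev/fw1" pid=5279 rdev=fb:01 scontext=system_u:system_r:hald_acl_t:s0 '
    'sgid=0 subj=system_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file '
    'tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0'
)

DEVICE_CLASSES = {"chr_file", "blk_file"}  # object classes used for device nodes


def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None if it is not one."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # key=value pairs; values are either double-quoted or run to the next space
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted if quoted else bare
    return rec


def context_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def is_mislabeled_device(rec):
    """True when a denial targets a device node that still has the device_t type."""
    return (
        rec is not None
        and rec.get("result") == "denied"
        and rec.get("tclass") in DEVICE_CLASSES
        and context_type(rec.get("tcontext", "")) == "device_t"
    )


def triage(line):
    """Classify one audit line as a labeling problem or an ordinary policy denial."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC message"
    if is_mislabeled_device(rec):
        return "mislabeled device: %s (%s)" % (rec.get("path"), rec["tclass"])
    return "policy denial: %s -> %s" % (
        context_type(rec.get("scontext", "")), context_type(rec.get("tcontext", "")))
```
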

Comment 1 Daniel Walsh 2007-04-28 13:27:01 UTC
selinux-policy-2.6.1-3.fc7

Comment 2 Stephanos Manos 2007-05-20 18:47:49 UTC
fixed in latest selinux policy
selinux-policy-2.6.4-6.fc7
