Bug 395101 - /usr/bin/Xorg is unable to use /dev/lircmd: permission denied
/usr/bin/Xorg is unable to use /dev/lircmd: permission denied
Product: Fedora
Classification: Fedora
Component: lirc (Show other bugs)
i386 Linux
low Severity urgent
: ---
: ---
Assigned To: Jarod Wilson
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-21 20:01 EST by Peter Gückel
Modified: 2008-10-24 13:54 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-10-24 13:54:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Peter Gückel 2007-11-21 20:01:52 EST
Description of problem:

I run selinux in enforcing mode. I have selinux-policy-targeted-3.0.8-58.fc8 and
lirc-0.8.2-2.fc8 installed. When I try to use the lircm mouse, which is defined
in xorg.conf, the system boots fine and both lircd and lircmd start fine (only
since selinux-policy-targeted-3.0.8-58.fc8, however), the devices /dev/lircd and
/dev/lircmd are created at boot by the 2 daemons, but selinux prevents Xorg from
using /dev/lircmd, with a permission denied error. When I run selinux in
permissive mode, Xorg can use /dev/lircmd just fine.

Version-Release number of selected component (if applicable):


How reproducible:

Simply define a second mouse, LircMouse, device /dev/lircm, in xorg.conf and
boot the machine while in targeted enforcing mode.

Steps to Reproduce:
1. Turn on the computer.
2. Watch both daemons, lircd and lircmd get started as the computer boots.
3. Log into an X graphical screen and take a look at the services running and
discover that lircmd is no longer running (this part is now solved since
selinux-policy-targeted-3.0.8-58.fc8) ; also inspect /var/log/Xorg.0.log and
discover that xf86OpenSerial: Cannot open device /dev/lircm, Permission denied
(this part still needs attention).
Actual results:

The lirc mouse can only be used when selinux is in permissive mode or disabled.
Selinux does not allow /usr/bin/Xorg to use the device, /dev/lircmd.

Expected results:

The lirc mouse should work alongside the standard mouse, so that the mouse
pointer can be controlled remotely, like it is supposed to work.

Additional info:

Raw Audit Messages

avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0 
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm pid=2055
scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file
tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0

Also: I have contacted Dan Walsh about the problem. He appears to be willing to
help me work around the problem (hopefully to resolution), but I would like to
see the problem solved entirely, so that no other users will have to deal with
this again for all future releases of fedora and selinux. This entails having
lirc, lircd and lircmd properly handled by the targeted policy, so that a user
can use selinux in enforcing mode without encountering problems necessitating
disabling it.
Comment 1 Daniel Walsh 2007-11-26 11:20:54 EST
Fixed in selinux-policy-3.0.8-58.fc8
Comment 2 Daniel Walsh 2007-11-26 13:14:49 EST
Why are lircd and lircm being created in /dev instead of /var/run/xorg perhaps?

I think cr
Comment 3 Daniel Walsh 2007-11-26 13:15:38 EST
Currently we don't have a good label for these socket/fifo_files, so xserver is
not allowed to communicate with them.
Comment 4 Peter Gückel 2007-11-26 13:58:51 EST
How can it be fixed in selinux-policy-3.0.8-58.fc8 when is doesn't work? It only
works in selinux-policy-3.0.8-58.fc8 when selinux is put into permissive mode,
but not in enforcing.
Comment 5 Ville Skyttä 2007-11-27 02:47:49 EST
(In reply to comment #2)
> Why are lircd and lircm being created in /dev instead of /var/run/xorg perhaps?

They are not xorg specific.  /var/run/lirc might be better, but apps tend to
expect to find them in /dev.
Comment 6 Peter Gückel 2008-01-23 23:55:23 EST
So, what's happening on this?
Comment 7 Peter Gückel 2008-10-24 13:54:07 EDT
This is relating to F8 and we are into F10. Lirc has radicaly changed. This should be closed and a new bug relevant to F10 opeed, should the need arise. I have not tried lircm with the new lirc, so I don't know how it reacts.

Note You need to log in before you can comment on or make changes to this bug.