Description of problem:
I run selinux in enforcing mode. I have selinux-policy-targeted-3.0.8-58.fc8 and lirc-0.8.2-2.fc8 installed. When I try to use the lircm mouse, which is defined in xorg.conf, the system boots fine and both lircd and lircmd start fine (only since selinux-policy-targeted-3.0.8-58.fc8, however), the devices /dev/lircd and /dev/lircmd are created at boot by the 2 daemons, but selinux prevents Xorg from using /dev/lircmd, with a permission denied error. When I run selinux in permissive mode, Xorg can use /dev/lircmd just fine.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-58.fc8

How reproducible:
Simply define a second mouse, LircMouse, device /dev/lircm, in xorg.conf and boot the machine while in targeted enforcing mode.

Steps to Reproduce:
1. Turn on the computer.
2. Watch both daemons, lircd and lircmd, get started as the computer boots.
3. Log into an X graphical screen and take a look at the services running and discover that lircmd is no longer running (this part is now solved since selinux-policy-targeted-3.0.8-58.fc8); also inspect /var/log/Xorg.0.log and discover that xf86OpenSerial: Cannot open device /dev/lircm, Permission denied (this part still needs attention).

Actual results:
The lirc mouse can only be used when selinux is in permissive mode or disabled. Selinux does not allow /usr/bin/Xorg to use the device, /dev/lircmd.

Expected results:
The lirc mouse should work alongside the standard mouse, so that the mouse pointer can be controlled remotely, like it is supposed to work.

Additional info:
Raw Audit Messages

avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0 exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm pid=2055 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 tclass=fifo_file tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0

Also: I have contacted Dan Walsh about the problem. He appears to be willing to help me work around the problem (hopefully to resolution), but I would like to see the problem solved entirely, so that no other users will have to deal with this again for all future releases of fedora and selinux. This entails having lirc, lircd and lircmd properly handled by the targeted policy, so that a user can use selinux in enforcing mode without encountering problems necessitating disabling it.
Fixed in selinux-policy-3.0.8-58.fc8
Why are lircd and lircm being created in /dev instead of /var/run/xorg perhaps? I think cr
Currently we don't have a good label for these socket/fifo_files, so xserver is not allowed to communicate with them.
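An added example, not part of the bug thread or of any Fedora tool: a small Python parser for the AVC denial quoted in the report. It extracts the source type, target type, class and permissions, and flags when the target carries a catch-all label such as device_t, in which case the printed allow rule would apply to every object with that label rather than to the lirc fifo alone. The function names and the GENERIC_TYPES set are assumptions made for this illustration.

```python
import re

# The denial exactly as quoted in the report (setroubleshoot "raw" format).
AVC = (
    "avc: denied { read write } for comm=X dev=tmpfs egid=0 euid=0 "
    "exe=/usr/bin/Xorg exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lircm "
    "pid=2055 scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 suid=0 "
    "tclass=fifo_file tcontext=system_u:object_r:device_t:s0 tty=tty7 uid=0"
)

# Assumption for this example: catch-all types that signal "no specific label".
GENERIC_TYPES = {"device_t", "file_t", "default_t", "unlabeled_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (permissions, key/value fields) for one AVC denial line."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line[:40])
    perms = m.group(1).split()
    fields = {}
    for token in m.group(2).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')  # audit.log quotes some values
    return perms, fields

def context_type(context):
    """The third field of user:role:type[:level] is the type."""
    return context.split(":")[2]

def summarize(line):
    perms, f = parse_avc(line)
    source, target = context_type(f["scontext"]), context_type(f["tcontext"])
    return {
        "object": f.get("name"),
        "source_type": source,
        "target_type": target,
        "tclass": f["tclass"],
        "perms": perms,
        "generic_target": target in GENERIC_TYPES,
        "rule": "allow %s %s:%s { %s };" % (source, target, f["tclass"], " ".join(perms)),
    }

if __name__ == "__main__":
    for key, value in summarize(AVC).items():
        print("%-15s %s" % (key, value))
```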
How can it be fixed in selinux-policy-3.0.8-58.fc8 when it doesn't work? It only works in selinux-policy-3.0.8-58.fc8 when selinux is put into permissive mode, but not in enforcing.
(In reply to comment #2)
> Why are lircd and lircm being created in /dev instead of /var/run/xorg perhaps?

They are not xorg specific. /var/run/lirc might be better, but apps tend to expect to find them in /dev.
So, what's happening on this?
This is relating to F8 and we are into F10. Lirc has radically changed. This should be closed and a new bug relevant to F10 opened, should the need arise. I have not tried lircm with the new lirc, so I don't know how it reacts.