Bug 427808 - Plugging in an 'old USB CD drive' generates AVCs
Summary: Plugging in an 'old USB CD drive' generates AVCs
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: udev
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-01-07 17:24 UTC by Tom London
Modified: 2008-04-13 15:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-04-13 15:35:00 UTC
Type: ---
Embargoed:



Description Tom London 2008-01-07 17:24:24 UTC
Description of problem:
Running latest Rawhide, targeted/enforcing.

Plugging in an 'old USB CD drive', I got the following audit message:

[root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8

Summary:

SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).

Detailed Description:

SELinux denied access requested by ln(/bin/ln). It is not expected that this
access is required by ln(/bin/ln) and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for <Unknown>, restorecon -v <Unknown> If this
does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:object_r:etc_t
Target Objects                None [ lnk_file ]
Source                        ln(/bin/ln)
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.2.5-8.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                             2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
                             12:46:45 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun Jan  6 10:30:15 2008
Last Seen                     Sun Jan  6 10:30:15 2008
Local ID                      fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
 denied  { create } for  pid=6933 comm="ln" name=".is-writeable"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file

host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)


Here are the messages from /var/log/messages:

Jan  6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
using uhci_hcd and address 4
Jan  6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
Jan  6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
Storage devices
Jan  6 10:30:06 localhost kernel: usb-storage: device found at 4
Jan  6 10:30:06 localhost kernel: usb-storage: waiting for device to
settle before scanning
Jan  6 10:30:11 localhost kernel: usb-storage: device scan complete
Jan  6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM            IBM
   USB CD-ROM       20A4 PQ: 0 ANSI: 0 CCS
Jan  6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
xa/form2 cdda pop-up
Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
Jan  6 10:30:18 localhost setroubleshoot: #012    SELinux is
preventing ln(/bin/ln) (udev_t) "create" to <Unknown>
(etc_t).#012     For complete SELinux messages. run sealert -l
fb77e7e0-3515-4866-9a8f-e1db99f9b4b8


Putting system in permissive mode, I get these:

type=AVC msg=audit(1199645179.126:34): avc:  denied  { create } for pid=7782
comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83 success=yes
exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0 ppid=7780 pid=7782
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ln" exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1199645179.245:35): avc:  denied  { unlink } for pid=7783
comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301 success=yes
exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0 ppid=7780 pid=7783
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="rm" exe="/bin/rm" subj=system_u:system_r:udev_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1199645179.255:36): avc:  denied  { append } for pid=7780
comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0 ino=11076866
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5 success=yes
exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761 pid=7780
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="write_cd_rules" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
udev-116-3.fc8

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2008-01-07 17:55:45 UTC
When I tried this on my machine, udev wanted to write 

/etc/udev/rules.d/70-persistent-cd.rules

Which I think should be done in a post install not in the running of udev.  

Comment 2 Harald Hoyer 2008-01-08 11:48:53 UTC
No, writing /etc/udev/rules.d/70-persistent-cd.rules is intended.

Comment 3 Tom London 2008-01-08 14:34:41 UTC
OK. So this file (others too?) is appended to as new/different devices are plugged in.

Here is current contents of 70-persistent-cd.rules:

# This file was automatically generated by the /lib/udev/write_cd_rules
# program, probably run by the cd-aliases-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line
# and set the $GENERATED variable.

# DVD-RAM_UJ-842 (pci-0000:00:1f.1-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="cdrom", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="cdrw", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="dvd", ENV{GENERATED}="1"
ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0",
SYMLINK+="dvdrw", ENV{GENERATED}="1"
# IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*",
ENV{ID_SERIAL}=="TEAC_IBM_USB_CD-ROM_Drive_0000000005300129", SYMLINK+="cdrom1",
ENV{GENERATED}="1"
# IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0)
ENV{ID_CDROM}=="?*",
ENV{ID_PATH}=="pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0", SYMLINK+="cdrom2",
ENV{GENERATED}="1"

This is a Thinkpad X60.  I have 2 'docks', one at home, one at work, each with a
different CD/DVD drive (one is a DVD-ROM, the other a DVD-RW).

This message was produced when I hot-plugged in a portable USB CD-ROM (an old,
USB1 device).

Seems a bit funny to be adding this to the 'persistent' list, but I presume its
description would need to be added somewhere...


Comment 4 Daniel Walsh 2008-01-08 15:59:18 UTC
Harald, I know it is intended; I am questioning why. And why in /etc? /etc
should usually be considered a read-only directory, and things that change
should be in /var: /var/lib, /var/run, /var/cache. I can write SELinux rules
to allow the cd rules to be written for this file and protect the others. But
if this is really not a configuration file, then it should be moved to another
directory. SELinux likes to be able to write to entire directories instead of
certain files in a directory.

Comment 5 Harald Hoyer 2008-01-09 09:02:10 UTC
Hmm, I know. I'll talk to the udev author.

Comment 6 Harald Hoyer 2008-02-20 11:27:53 UTC
This is a configuration file. The admin can configure persistent names. New
devices are automatically added, if they appear.

Comment 7 Tom London 2008-04-13 01:16:03 UTC
I can no longer reproduce this.

Shall I presume it is fixed and close?

Comment 8 Harald Hoyer 2008-04-13 06:59:25 UTC
Close this bug. If it ever reoccurs, then you can always reopen this bug.

