Description of problem: Running latest Rawhide, targeted/enforcing. Plugging in an 'old USB CD drive', I got the following audit message: [root@localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8 Summary: SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t). Detailed Description: SELinux denied access requested by ln(/bin/ln). It is not expected that this access is required by ln(/bin/ln) and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:udev_t:SystemLow-SystemHigh Target Context system_u:object_r:etc_t Target Objects None [ lnk_file ] Source ln(/bin/ln) Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.2.5-8.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5 12:46:45 EST 2008 i686 i686 Alert Count 2 First Seen Sun Jan 6 10:30:15 2008 Last Seen Sun Jan 6 10:30:15 2008 Local ID fb77e7e0-3515-4866-9a8f-e1db99f9b4b8 Line Numbers Raw Audit Messages host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc: denied { create } for pid=6933 comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31): arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) Here are the messages from /var/log/messages: Jan 6 10:30:05 localhost kernel: usb 2-2: new full speed USB device using uhci_hcd and address 4 Jan 6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice Jan 6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass Storage devices Jan 6 10:30:06 localhost kernel: usb-storage: device found at 4 Jan 6 10:30:06 localhost kernel: usb-storage: waiting for device to settle before scanning Jan 6 10:30:11 localhost kernel: usb-storage: device scan complete Jan 6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM IBM USB CD-ROM 20A4 PQ: 0 ANSI: 0 CCS Jan 6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw xa/form2 cdda pop-up Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1 Jan 6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5 Jan 6 10:30:18 localhost setroubleshoot: #012 SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).#012 For complete SELinux messages. run sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8 Putting system in permissive mode, I get these: type=AVC msg=audit(1199645179.126:34): avc: denied { create } for pid=7782 comm="ln" name=".is-writeable" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83 success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0 ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1199645179.245:35): avc: denied { unlink } for pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301 success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0 ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1199645179.255:36): avc: denied { append } for pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0 ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 context=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5 success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761 pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): udev-116-3.fc8 How reproducible: Every time Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
When I tried this on my machine, udev wanted to write /etc/udev/rules.d/70-persistent-cd.rules Which I think should be done in a post install not in the running of udev.
no, writing /etc/udev/rules.d/70-persistent-cd.rules is intented.
OK. So this file (others too?) are appended as new/different devices are plugged in. Here is current contents of 70-persistent-cd.rules: # This file was automatically generated by the /lib/udev/write_cd_rules # program, probably run by the cd-aliases-generator.rules rules file. # # You can modify it, as long as you keep each rule on a single line # and set the $GENERATED variable. # DVD-RAM_UJ-842 (pci-0000:00:1f.1-scsi-0:0:0:0) ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0", SYMLINK+="cdrom", ENV{GENERATED}="1" ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0", SYMLINK+="cdrw", ENV{GENERATED}="1" ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0", SYMLINK+="dvd", ENV{GENERATED}="1" ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.1-scsi-0:0:0:0", SYMLINK+="dvdrw", ENV{GENERATED}="1" # IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0) ENV{ID_CDROM}=="?*", ENV{ID_SERIAL}=="TEAC_IBM_USB_CD-ROM_Drive_0000000005300129", SYMLINK+="cdrom1", ENV{GENERATED}="1" # IBM_USB_CD-ROM_Drive (pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0) ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1d.7-usb-0:6.3:1.0-scsi-0:0:0:0", SYMLINK+="cdrom2", ENV{GENERATED}="1" This is a Thinkpad X60. I have 2 'docks', one at home, one at work, each with a different CD/DVD drive (one is a DVD-ROM, the other a DVD-RW). This message was produced when I hot-plugged in a portable USB CD-ROM (an old, USB1 device). Seems a bit funny to be adding this to 'persistent' list, but I presume its description would need to be added somewhere...
Harald, I know it is intended, I am questioning why? And why in /etc? /etc should usually be considered a read/only directory, And things that change should be in /var. /var/lib. /var/run, /var/cache. I can write SELinux rules to allow the cd rules to be written for this file and protect the others. But if this is really not a configuration file then it should be moved to another directory. SELinux likes to be able to write to entire directories instead of certain files in a directory.
Hmm, I know. I'll talk to the udev author.
This is a configuration file. The admin can configure persistent names. New devices are automatically added, if they appear.
I can no longer reproduce this. Shall I presume it is fixed and close?
close this bug. if it ever reoccures, then you can always reopen this bug.