Description of problem:
I want to let HAL/PolicyKit give people access via ACLs to scanner devices so they can use them from their SANE-enabled applications. While this works for USB devices, I see no changes on the SCSI-generic devices for scanners even though these HAL rules are in effect:

  <!-- SCSI scanners -->
  <match key="@info.parent:scsi.type" string="scanner">
    <match key="info.category" string="scsi_generic">
      <append key="info.capabilities" type="strlist">access_control</append>
      <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      <merge key="access_control.type" type="string">scanner</merge>
    </match>
  </match>

I straced hald and found that, with SELinux enforcing, the setxattr on the device file isn't permitted.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8
selinux-policy-devel-3.0.8-81.fc8

How reproducible:
Reproducible

Steps to Reproduce:
1. Have the HAL rules from above in place
2. With a switched-on SCSI scanner attached, enable it by way of 'echo "scsi add-single-device ..." > /proc/scsi/scsi'

Actual results:
No ACLs granted on the device file (/dev/sg3 in my case) for the console user.
[pid 17993] execve("/usr/libexec/hal-acl-tool", ["/usr/libexec/hal-acl-tool"..., "--add-device"...], [/* 33 vars */]) = 0
Process 17996 attached (waiting for parent)
Process 17996 resumed (parent 17993 ready)
[pid 17996] execve("/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"..., "/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"..., "/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"..., "/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"..., "/dev/sg3"...], [/* 33 vars */]Process 17993 suspended
) = 0
[pid 17996] getxattr("/dev/sg3", "system.posix_acl_access"..., 0x7fff23eab680, 132) = -1 ENODATA (No data available)
[pid 17996] setxattr("/dev/sg3", "system.posix_acl_access"..., "\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x02\x00\x06\x00\xf4\x01\x00\x00\x04\x00\x06\x00\xff\xff\xff\xff\x10\x00\x06\x00\xff\xff\xff\xff \x00\x00\x00\xff\xff\xff\xff", 44, 0) = -1 EACCES (Permission denied)

Raw Audit Messages:
avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0 exe=/usr/bin/setfacl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 pid=17996 scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0 subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0

Expected results:
ACLs get set on the device file.
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8
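As an added example, not code from the bug report nor from the selinux-policy or audit2allow projects, the Python below parses the AVC record quoted in the report into source type, target type, object class and permission, maps its exit=-13 back to EACCES (the same errno the strace shows on setxattr), and assembles the one narrow allow rule that the audit2allow -M workaround in the reply would derive from it. The .te layout is modeled on audit2allow's output and the module name mypol is taken from the reply; the regexes and helper names are assumptions of this example.

```python
import errno
import re

# AVC denial quoted from the bug report's "Raw Audit Messages" above.
# In a live /var/log/audit/audit.log the same record carries a
# 'type=AVC msg=audit(...):' prefix and quoted comm=/exe= values;
# the parser tolerates both shapes.
AVC_LINE = (
    "avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0 "
    "exe=/usr/bin/setfacl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 "
    "pid=17996 scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0 "
    "subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file "
    "tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into the fields a TE rule needs; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; only the type matters for TE rules.
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "exit": int(fields["exit"]) if "exit" in fields else None,
    }


def errno_name(avc):
    """Map the record's negative exit value back to the errno the caller saw."""
    if avc["exit"] is None or avc["exit"] >= 0:
        return None
    return errno.errorcode.get(-avc["exit"])


def fmt_perms(perms):
    """Render a permission set the way policy source does: bare or in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(avc):
    """The single TE allow rule that would satisfy this one denial."""
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {fmt_perms(avc['perms'])};"


def te_module(name, avcs):
    """Build .te source in the shape audit2allow -M emits (modeled here, not its code).

    Denials sharing (source, target, class) are merged into one rule, so the
    require block and the rules list only the types and permissions actually seen.
    """
    types, classes, rules = set(), {}, {}
    for a in avcs:
        if a is None or a["verdict"] != "denied":
            continue
        key = (a["source_type"], a["target_type"], a["tclass"])
        rules.setdefault(key, set()).update(a["perms"])
        classes.setdefault(a["tclass"], set()).update(a["perms"])
        types.update(key[:2])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(f"{avc['comm']} on {avc['name']}: {avc['verdict']} {avc['perms']} -> {errno_name(avc)}")
    print(te_module("mypol", [avc]))
```

Reading the generated module before semodule -i is the useful check: for this report it should name only hald_acl_t, scsi_generic_device_t and chr_file setattr, which is exactly the scope of the denial and nothing wider.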
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.