Bug 432600 - setfacl by hal-acl-tool can't modify ACLs on SCSI generic devices
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-13 04:22 EST by Nils Philippsen
Modified: 2008-11-17 17:03 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:03:05 EST
Attachments: None

Description Nils Philippsen 2008-02-13 04:22:39 EST
Description of problem:
I want to let HAL/PolicyKit give people access via ACLs to scanner devices so
they can use them from their SANE-enabled applications. While this works for USB
devices, I see no changes on the SCSI-generic devices for scanners even though
these HAL rules are in effect:

    <!-- SCSI scanners -->
    <match key="@info.parent:scsi.type" string="scanner">
      <match key="info.category" string="scsi_generic">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">linux.device_file</merge>
        <merge key="access_control.type" type="string">scanner</merge>
      </match>
    </match>

I straced hald and found that, with SELinux enforcing, the setxattr on the
device file isn't permitted.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8
selinux-policy-targeted-3.0.8-81.fc8
selinux-policy-devel-3.0.8-81.fc8

How reproducible:
Reproducible

Steps to Reproduce:
1. Have HAL rules from above in place
2. With a switched-on SCSI scanner attached, enable it by way of 'echo "scsi add-single-device ..." > /proc/scsi/scsi'

Actual results:
No ACLs granted on device file (/dev/sg3 in my case) for the console user.

[pid 17993] execve("/usr/libexec/hal-acl-tool", ["/usr/libexec/hal-acl-tool"...,
"--add-device"...], [/* 33 vars */]) = 0
Process 17996 attached (waiting for parent)
Process 17996 resumed (parent 17993 ready)
[pid 17996] execve("/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/sbin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]) = -1 ENOENT (No such file or directory)
[pid 17996] execve("/usr/bin/setfacl", ["setfacl"..., "-m"..., "u:500:rw"...,
"/dev/sg3"...], [/* 33 vars */]Process 17993 suspended
) = 0
[pid 17996] getxattr("/dev/sg3", "system.posix_acl_access"..., 0x7fff23eab680,
132) = -1 ENODATA (No data available)
[pid 17996] setxattr("/dev/sg3", "system.posix_acl_access"...,
"\x02\x00\x00\x00\x01\x00\x06\x00\xff\xff\xff\xff\x02\x00\x06\x00\xf4\x01\x00\x00\x04\x00\x06\x00\xff\xff\xff\xff\x10\x00\x06\x00\xff\xff\xff\xff
\x00\x00\x00\xff\xff\xff\xff", 44, 0) = -1 EACCES (Permission denied)

Raw Audit Messages:

avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0
exe=/usr/bin/setfacl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 pid=17996
scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0
subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0

Expected results:
ACLs get set on the device file.
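
The 44-byte string passed to setxattr in the trace is the kernel's binary form of the ACL that `setfacl -m u:500:rw` tried to write. The following Python decoder/encoder for the `system.posix_acl_access` layout is an added example, not code from the bug report, HAL or setfacl; the sample blob is constructed to match the visible bytes of the denied call (it assumes /dev/sg3 had mode rw-rw----, which the trailing bytes of the trace suggest), and the layout constants are the kernel's posix_acl_xattr header and entry structures.

```python
"""Decode and build Linux system.posix_acl_access xattr blobs.

Added illustration, not code from the bug report, HAL or setfacl. The wire
format is the kernel's posix_acl_xattr layout: a little-endian u32 version (2)
followed by 8-byte entries of u16 tag, u16 perm, u32 id.
"""
import struct

POSIX_ACL_XATTR_VERSION = 2
ACL_UNDEFINED_ID = 0xFFFFFFFF

# Entry tags as defined by the kernel's POSIX ACL implementation
ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20)
TAG_NAMES = {ACL_USER_OBJ: "user", ACL_USER: "user", ACL_GROUP_OBJ: "group",
             ACL_GROUP: "group", ACL_MASK: "mask", ACL_OTHER: "other"}
NAMED_TAGS = {ACL_USER, ACL_GROUP}  # the only tags whose id field is meaningful


def perm_string(perm):
    """Render the rwx bits the way getfacl prints them."""
    if perm & ~0x7:
        raise ValueError(f"invalid permission bits {perm:#x}")
    return "".join(c if perm & bit else "-" for bit, c in ((4, "r"), (2, "w"), (1, "x")))


def encode_posix_acl(entries):
    """entries: iterable of (tag, perm, id); id is forced to undefined for unnamed tags."""
    out = bytearray(struct.pack("<I", POSIX_ACL_XATTR_VERSION))
    for tag, perm, ident in entries:
        if tag not in NAMED_TAGS:
            ident = ACL_UNDEFINED_ID
        out += struct.pack("<HHI", tag, perm, ident)
    return bytes(out)


def decode_posix_acl(blob):
    """Return getfacl-style entry strings such as 'user:500:rw-'."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError(f"ACL blob has bad length {len(blob)}")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != POSIX_ACL_XATTR_VERSION:
        raise ValueError(f"unsupported ACL xattr version {version}")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        if tag not in TAG_NAMES:
            raise ValueError(f"unknown ACL tag {tag:#x} at offset {off}")
        qualifier = ""
        if tag in NAMED_TAGS:
            if ident == ACL_UNDEFINED_ID:
                raise ValueError(f"named entry at offset {off} carries no id")
            qualifier = str(ident)
        entries.append(f"{TAG_NAMES[tag]}:{qualifier}:{perm_string(perm)}")
    return entries


# Constructed sample: the five-entry, 44-byte ACL that `setfacl -m u:500:rw`
# writes for a device of mode rw-rw---- (an assumption matching the trace above).
SAMPLE_BLOB = encode_posix_acl([
    (ACL_USER_OBJ, 6, 0), (ACL_USER, 6, 500), (ACL_GROUP_OBJ, 6, 0),
    (ACL_MASK, 6, 0), (ACL_OTHER, 0, 0),
])

if __name__ == "__main__":
    print(len(SAMPLE_BLOB), "bytes")
    for entry in decode_posix_acl(SAMPLE_BLOB):
        print(entry)
```

Decoding the sample yields the same entries getfacl would list: the mask entry is added by setfacl as soon as a named user entry exists, and it is the mask, not the group entry, that bounds what uid 500 effectively gets.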
Comment 1 Daniel Walsh 2008-02-13 09:10:38 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-85.fc8
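
Comment 1's workaround feeds the audit log through audit2allow. As an added example, not the page's own code and not the audit2allow source, the following Python re-implements the core of that step: it parses the AVC record quoted above into its fields and emits the allow rule the denial implies, merging permissions per (source type, target type, class) the way audit2allow does. The second denial line and the non-AVC line are constructed for the example.

```python
"""Turn SELinux AVC denials into candidate allow rules, as audit2allow does.

Added illustration, not the audit2allow source. It parses the kernel's
"avc: denied { perms } for key=value ..." record format and groups the
permissions by (source type, target type, object class), which is exactly
the information a type-enforcement allow rule needs.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
# Values are either a double-quoted string (newer kernels quote comm=) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Pull the type out of a user:role:type:level security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Return a dict for one denial, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError(f"AVC record lacks {required}=")
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "pid": fields.get("pid"),
        "name": fields.get("name"),
    }


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


# The denial quoted in the bug report, joined onto one line
DENIAL_FROM_REPORT = (
    "avc: denied { setattr } for comm=setfacl dev=tmpfs egid=0 euid=0 "
    "exe=/usr/bin/setfacl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=sg3 pid=17996 "
    "scontext=unconfined_u:system_r:hald_acl_t:s0 sgid=0 "
    "subj=unconfined_u:system_r:hald_acl_t:s0 suid=0 tclass=chr_file "
    "tcontext=system_u:object_r:scsi_generic_device_t:s0 tty=(none) uid=0"
)
# Constructed second denial (not from the report) to show permission merging
CONSTRUCTED_DENIAL = (
    'avc: denied { getattr } for comm="setfacl" name=sg3 dev=tmpfs '
    "scontext=unconfined_u:system_r:hald_acl_t:s0 "
    "tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file"
)
# Constructed non-AVC audit line that the parser must skip
UNRELATED_LOG_LINE = "type=SYSCALL syscall=setxattr success=no exit=-13"

if __name__ == "__main__":
    for rule in allow_rules([DENIAL_FROM_REPORT, CONSTRUCTED_DENIAL, UNRELATED_LOG_LINE]):
        print(rule)
```

For the report's single denial the output is `allow hald_acl_t scsi_generic_device_t:chr_file { setattr };`, the rule that `audit2allow -M mypol` would package into mypol.pp. Reading the generated rule before `semodule -i` is the useful check: it names exactly the type pair from the denial, so nothing broader than hald_acl_t writing attributes on scsi_generic_device_t is granted.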

Comment 2 Daniel Walsh 2008-11-17 17:03:05 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
