I bought a Logitech QuickCam Messenger for Red Hat testing (which works perfectly out of the box, thanks Hans!), but when connecting it as staff_u and trying ekiga with it I get a string of AVC denials, so I had to try it in Permissive mode:

Summary:
SELinux is preventing gstreamer-prope (staff_t) "read write" v4l_device_t.

Detailed description:
SELinux denied access requested by gstreamer-prope. It is not expected that this access is required by gstreamer-prope and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context          staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target context          system_u:object_r:v4l_device_t:s0
Target objects          video0 [ chr_file ]
Source                  gstreamer-prope
Source path             /usr/bin/gstreamer-properties
Port                    <Unknown>
Host                    bradford
Source RPM packages     gnome-media-2.27.90.fix-1.fc11
Target RPM packages
Policy RPM              selinux-policy-3.6.12-78.fc11
SELinux enabled         True
Policy type             targeted
MLS enabled             True
Enforcing mode          Enforcing
Plugin name             catchall
Host name               bradford
Platform                Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Alert count             1
First seen              Thu 20 Aug 2009, 10:27:05 CEST
Last seen               Thu 20 Aug 2009, 10:27:05 CEST
Local ID                9e8a4ca8-f5a8-467f-9a20-5e16d99cdf7a
Line numbers

Raw audit messages:
node=bradford type=AVC msg=audit(1250756825.364:31801): avc: denied { read write } for pid=4982 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=SYSCALL msg=audit(1250756825.364:31801): arch=c000003e syscall=2 success=no exit=-13 a0=22e9410 a1=2 a2=1 a3=1 items=0 ppid=4933 pid=4982 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="gstreamer-prope" exe="/usr/bin/gstreamer-properties" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

-----------------------------------------------

Summary:
SELinux is preventing gstreamer-prope (staff_t) "write" v4l_device_t.

Detailed description:
[SELinux is in permissive mode, the operation would have been denied but was allowed because of permissive mode.]
SELinux denied access requested by gstreamer-prope. It is not expected that this access is required by gstreamer-prope and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context          staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target context          system_u:object_r:v4l_device_t:s0
Target objects          video0 [ chr_file ]
Source                  gstreamer-prope
Source path             /usr/bin/gstreamer-properties
Port                    <Unknown>
Host                    bradford
Source RPM packages     gnome-media-2.27.90.fix-1.fc11
Target RPM packages
Policy RPM              selinux-policy-3.6.12-78.fc11
SELinux enabled         True
Policy type             targeted
MLS enabled             True
Enforcing mode          Permissive
Plugin name             catchall
Host name               bradford
Platform                Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Alert count             1
First seen              Thu 20 Aug 2009, 10:27:37 CEST
Last seen               Thu 20 Aug 2009, 10:27:37 CEST
Local ID                054e0c90-1cb2-4617-bcab-407c55331a87
Line numbers

Raw audit messages:
node=bradford type=AVC msg=audit(1250756857.366:31811): avc: denied { write } for pid=5101 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=SYSCALL msg=audit(1250756857.366:31811): arch=c000003e syscall=2 success=yes exit=14 a0=d18c00 a1=2 a2=1 a3=1 items=0 ppid=5054 pid=5101 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=2 comm="gstreamer-prope" exe="/usr/bin/gstreamer-properties" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

--------------------------------

Summary:
SELinux is preventing ekiga (staff_t) "read" v4l_device_t.

Detailed description:
[SELinux is in permissive mode, the operation would have been denied but was allowed because of permissive mode.]
SELinux denied access requested by ekiga. It is not expected that this access is required by ekiga and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source context          staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target context          system_u:object_r:v4l_device_t:s0
Target objects          video0 [ chr_file ]
Source                  gstreamer-prope
Source path             /usr/bin/gstreamer-properties
Port                    <Unknown>
Host                    bradford
Source RPM packages     ekiga-3.2.5-2.fc11
Target RPM packages
Policy RPM              selinux-policy-3.6.12-78.fc11
SELinux enabled         True
Policy type             targeted
MLS enabled             True
Enforcing mode          Permissive
Plugin name             catchall
Host name               bradford
Platform                Linux bradford 2.6.30.5-28.rc2.fc11.x86_64 #1 SMP Fri Aug 14 21:56:43 EDT 2009 x86_64 x86_64
Alert count             5
First seen              Thu 20 Aug 2009, 10:27:37 CEST
Last seen               Thu 20 Aug 2009, 10:45:04 CEST
Local ID                5903c9be-11c0-4c9c-9cde-8ca53fbd5a22
Line numbers

Raw audit messages:
node=bradford type=AVC msg=audit(1250757904.106:31813): avc: denied { read } for pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250757904.106:31813): avc: denied { open } for pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=SYSCALL msg=audit(1250757904.106:31813): arch=c000003e syscall=2 success=yes exit=27 a0=c0edd0 a1=800 a2=7fffd54e6520 a3=7fffd54e6280 items=0 ppid=5460 pid=5461 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=2 comm="ekiga" exe="/usr/bin/ekiga" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Audit2allow is probably too kind to me when it suggests:

#============= staff_sudo_t ==============
allow staff_sudo_t staff_t:tcp_socket { read write };

#============= staff_t ==============
allow staff_t v4l_device_t:chr_file { read write open };
bradford:~#

(I guess the second rule could make some sense)
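The audit2allow output above carries a staff_sudo_t rule that has nothing to do with the camera, because audit2allow turns every denial in its input into a rule, not just the ones from the process you are looking at. The script below is an added example, not part of this bug report and not audit2allow's own code: it re-implements the rule-generation step for AVC records with an optional filter on comm="...". Its input is the AVC records quoted in this report plus one constructed staff_sudo_t -> staff_t tcp_socket denial (comm="sudo", its pid and inode are made up) standing in for whatever unrelated denial produced the first rule.

```shell
#!/bin/sh
# Added example: a minimal audit2allow-style rule generator for AVC records,
# with a filter on the comm= field so only the process under investigation
# contributes rules. Not the bug report's own code and not audit2allow.

# Constructed sample input: the AVC records quoted in the report, one of the
# SYSCALL records (ignored, it carries no denial), and a made-up
# staff_sudo_t denial (comm="sudo", pid/ino invented) representing the
# unrelated denial behind the first audit2allow rule.
sample_audit() {
cat <<'EOF'
node=bradford type=AVC msg=audit(1250756825.364:31801): avc: denied { read write } for pid=4982 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=SYSCALL msg=audit(1250756825.364:31801): arch=c000003e syscall=2 success=no exit=-13 a0=22e9410 a1=2 a2=1 a3=1 items=0 ppid=4933 pid=4982 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="gstreamer-prope" exe="/usr/bin/gstreamer-properties" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
node=bradford type=AVC msg=audit(1250756900.000:31820): avc: denied { read write } for pid=5200 comm="sudo" path="socket:[20481]" dev=sockfs ino=20481 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=tcp_socket
node=bradford type=AVC msg=audit(1250756857.366:31811): avc: denied { write } for pid=5101 comm="gstreamer-prope" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250757904.106:31813): avc: denied { read } for pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
node=bradford type=AVC msg=audit(1250757904.106:31813): avc: denied { open } for pid=5461 comm="ekiga" name="video0" dev=tmpfs ino=193486 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file
EOF
}

# avc_to_allow [comm]: read audit records on stdin and print one merged
# allow rule per (source type, target type, class). With a comm argument,
# denials from other processes are dropped instead of becoming rules.
avc_to_allow() {
    awk -v want="$1" '
    /avc: +denied/ {
        if (match($0, /comm="[^"]*"/) == 0) next
        comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (want != "" && comm != want) next
        # permission set is the text between the braces after "denied"
        if (match($0, /denied [{][^}]*[}]/) == 0) next
        perms = substr($0, RSTART + 8, RLENGTH - 9)
        # the type is the third field of a user:role:type[:range] context
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print s[3], t[3], cls, p[i]
    }' | LC_ALL=C sort -u | awk '
    # input: one "src tgt class perm" line per permission, sorted, so all
    # permissions of one triple are adjacent and can be folded into a rule
    {
        key = $1 " " $2 ":" $3
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Unfiltered: reproduces both rules from the report (the spurious
# staff_sudo_t one included). Filtered on comm: only what ekiga needed.
sample_audit | avc_to_allow
echo '--- only comm="ekiga":'
sample_audit | avc_to_allow ekiga
```

Permissions come out alphabetically rather than in audit2allow's order. The rules are not a loadable module on their own: on the reporting host you would run the filtered log through `audit2allow -M <name>` (or add the `module`/`require` header by hand and build with `checkmodule -M -m`, `semodule_package` and `semodule -i`), after first checking with `sesearch -A -s staff_t -t v4l_device_t -c chr_file` that the installed policy does not already grant it. Such a local module is a stopgap until the selinux-policy fix reaches the machine.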
This does not seem to be a libv4l problem, but rather a selinux-policy one, changing component.
(In reply to comment #2)
> This does not seem to be a libv4l problem, but rather a selinux-policy one,
> changing component.

You are probably right, this is so widespread all over the place that it was my mistake to pin it to one individual component.
What are the security ramifications of allowing a confined user to read/write these devices?

/dev/vtx.*        -c  system_u:object_r:v4l_device_t:s0
/dev/vbi.*        -c  system_u:object_r:v4l_device_t:s0
/dev/tlk[0-3]     -c  system_u:object_r:v4l_device_t:s0
/dev/dvb/.*       -c  system_u:object_r:v4l_device_t:s0
/dev/video.*      -c  system_u:object_r:v4l_device_t:s0
/dev/radio.*      -c  system_u:object_r:v4l_device_t:s0
/dev/em8300.*     -c  system_u:object_r:v4l_device_t:s0
/dev/raw1394.*    -c  system_u:object_r:v4l_device_t:s0
/dev/winradio.    -c  system_u:object_r:v4l_device_t:s0
/dev/sonypi       -c  system_u:object_r:v4l_device_t:s0
/dev/vttuner      -c  system_u:object_r:v4l_device_t:s0
I think we should probably allow it. Miroslav, add

dev_read_video_dev($1)
dev_write_video_dev($1)

to userdom_xwindows_client.
Fixed in selinux-policy-3.6.12-79.fc11
Any reason this is still open?