Bug 603198 - SELinux AVC denials with lirc irman
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
13
All Linux
low Severity medium
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2010-06-11 16:22 EDT by Carsten Clasohm
Modified: 2010-07-06 13:08 EDT
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 13:08:40 EDT
Description Carsten Clasohm 2010-06-11 16:22:02 EDT
Description of problem:

When SELinux is in enforcing mode, lirc cannot access /dev/ttyS0. This breaks lirc's support for "irman" infrared receivers, which are connected to the serial port.


Version-Release number of selected component (if applicable):

lirc-0.8.6-7.fc13.x86_64
selinux-policy-targeted-3.7.19-23.fc13.noarch


How reproducible:

always


Steps to Reproduce:
1. configure lirc for irman
2. "service lirc start" as root
3. "irw" as normal user

  
Actual results:

This is shown in /var/log/messages:

lircd-0.8.6[8239]: lircd(irman) ready, using /var/run/lirc/lircd
lircd-0.8.6[8239]: accepted new client on /var/run/lirc/lircd
lircd-0.8.6[8239]: could not open /dev/ttyS0
lircd-0.8.6[8239]: irman_init(): Permission denied
lircd-0.8.6[8239]: Failed to initialize hardware

There are no AVC denied entries in /var/log/audit/audit.log except for the following:

avc:  denied  { open } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

But even if I create and load a SELinux module with the following content, lircd still cannot access /dev/ttyS0 as long as SELinux is in enforcing mode. lirc only works if I put SELinux into permissive mode with "setenforce 0". No SELinux messages are logged in this case.

policy_module(lirccustom, 1.0)

require {
        type lircd_t;
        type tty_device_t;
}

allow lircd_t tty_device_t:chr_file { open };


Expected results:

lirc configured for irman should work with SELinux in enforcing mode.


Additional info:
Comment 1 Daniel Walsh 2010-06-16 13:14:44 EDT
Miroslav, add

term_use_unallocated_ttys(lircd_t)
Comment 2 Miroslav Grepl 2010-06-16 16:27:10 EDT
Fixed in selinux-policy-3.7.19-30.fc13
Comment 3 Fedora Update System 2010-06-30 15:54:21 EDT
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 4 Fedora Update System 2010-07-01 14:48:12 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 5 Fedora Update System 2010-07-06 13:06:39 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
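
An added example, not part of the bug report or of selinux-policy: a small Python parser that reduces AVC denial records like the one in the description to the (source type, target type, class) triples an allow rule is written against, and checks them against the rule in the reporter's lirccustom module. The second sample record is constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Parse one denial into (source_type, target_type, tclass, perms), else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; rules are written against the type.
    src, tgt = (m[k].split(":")[2] for k in ("scon", "tcon"))
    return src, tgt, m["tclass"], frozenset(m["perms"].split())

def aggregate(lines):
    """Union the denied permissions per (source, target, class) triple."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            denied[(src, tgt, cls)] |= perms
    return dict(denied)

def uncovered(denied, granted):
    """Denied permissions that the given allow rules do not cover."""
    rest = {k: p - granted.get(k, set()) for k, p in denied.items()}
    return {k: p for k, p in rest.items() if p}

def allow_rules(denied):
    """Render each triple as one allow rule with sorted permissions."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denied.items())]

# First record is the one quoted in the report; the second is constructed.
SAMPLE = [
    'avc:  denied  { open } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
    'avc:  denied  { read write } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
]
# The single rule granted by the lirccustom module in the report.
LIRCCUSTOM = {("lircd_t", "tty_device_t", "chr_file"): {"open"}}

if __name__ == "__main__":
    print("\n".join(allow_rules(uncovered(aggregate(SAMPLE), LIRCCUSTOM))))
```

Run against the report's single record alone, uncovered() returns an empty result: the lirccustom rule already covers every logged denial, which is consistent with the reporter's observation that loading the module did not help.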
