Bug 603198 - SELinux AVC denials with lirc irman
Summary: SELinux AVC denials with lirc irman
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2010-06-11 20:22 UTC by Carsten Clasohm
Modified: 2010-07-06 17:08 UTC (History)
0 users

Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-07-06 17:08:40 UTC

Attachments (Terms of Use)

Description Carsten Clasohm 2010-06-11 20:22:02 UTC
Description of problem:

When SELinux is in enforcing mode, lirc cannot access /dev/ttyS0. This breaks lirc's support for "irman" infrared receivers, which are connected to the serial port.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. configure lirc for irman
2. "service lirc start" as root
3. "irw" as normal user

Actual results:

This is shown in /var/log/messages:

lircd-0.8.6[8239]: lircd(irman) ready, using /var/run/lirc/lircd
lircd-0.8.6[8239]: accepted new client on /var/run/lirc/lircd
lircd-0.8.6[8239]: could not open /dev/ttyS0
lircd-0.8.6[8239]: irman_init(): Permission denied
lircd-0.8.6[8239]: Failed to initialize hardware

There are no AVC denied entries in /var/log/audit/audit.log except for the following:

avc:  denied  { open } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

But even if I create and load a SELinux module with the following content, lircd still cannot access /dev/ttyS0 as long as SELinux is in enforcing mode. lirc only works if I put SELinux into permissive mode with "setenforce 0". No SELinux messages are logged in this case.

policy_module(lirccustom, 1.0)

require {
        type lircd_t;
        type tty_device_t;

allow lircd_t tty_device_t:chr_file { open };

Expected results:

lirc configured for irman should work with SELinux in enforcing mode.

Additional info:

Comment 1 Daniel Walsh 2010-06-16 17:14:44 UTC
Miroslav add


Comment 2 Miroslav Grepl 2010-06-16 20:27:10 UTC
Fixed in selinux-policy-3.7.19-30.fc13

Comment 3 Fedora Update System 2010-06-30 19:54:21 UTC
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.

Comment 4 Fedora Update System 2010-07-01 18:48:12 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:06:39 UTC
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.