603198 – SELinux AVC denials with lirc irman

Bug 603198 - SELinux AVC denials with lirc irman

Summary: SELinux AVC denials with lirc irman

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	13
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-11 20:22 UTC by Carsten Clasohm
Modified:	2010-07-06 17:08 UTC (History)
CC List:	0 users
Fixed In Version:	selinux-policy-3.7.19-33.fc13
Clone Of:
Environment:
Last Closed:	2010-07-06 17:08:40 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Carsten Clasohm 2010-06-11 20:22:02 UTC

Description of problem:

When SELinux is in enforcing mode, lirc cannot access /dev/ttyS0. This breaks lirc's support for "irman" infrared receivers, which are connected to the serial port.


Version-Release number of selected component (if applicable):

lirc-0.8.6-7.fc13.x86_64
selinux-policy-targeted-3.7.19-23.fc13.noarch


How reproducible:

always


Steps to Reproduce:
1. configure lirc for irman
2. "service lirc start" as root
3. "irw" as normal user

  
Actual results:

This is shown in /var/log/messages:

lircd-0.8.6[8239]: lircd(irman) ready, using /var/run/lirc/lircd
lircd-0.8.6[8239]: accepted new client on /var/run/lirc/lircd
lircd-0.8.6[8239]: could not open /dev/ttyS0
lircd-0.8.6[8239]: irman_init(): Permission denied
lircd-0.8.6[8239]: Failed to initialize hardware

There are no AVC denied entries in /var/log/audit/audit.log except for the following:

avc:  denied  { open } for  pid=6214 comm="lircd" name="ttyS0" dev=devtmpfs ino=5540 scontext=unconfined_u:system_r:lircd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

But even if I create and load a SELinux module with the following content, lircd still cannot access /dev/ttyS0 as long as SELinux is in enforcing mode. lirc only works if I put SELinux into permissive mode with "setenforce 0". No SELinux messages are logged in this case.

policy_module(lirccustom, 1.0)

require {
        type lircd_t;
        type tty_device_t;
}

allow lircd_t tty_device_t:chr_file { open };


Expected results:

lirc configured for irman should work with SELinux in enforcing mode.


Additional info:

Comment 1 Daniel Walsh 2010-06-16 17:14:44 UTC

Miroslav add

term_use_unallocated_ttys(lircd_t)

Comment 2 Miroslav Grepl 2010-06-16 20:27:10 UTC

Fixed in selinux-policy-3.7.19-30.fc13

Comment 3 Fedora Update System 2010-06-30 19:54:21 UTC

selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 4 Fedora Update System 2010-07-01 18:48:12 UTC

selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13

Comment 5 Fedora Update System 2010-07-06 17:06:39 UTC

selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.