fc-5 and selinux
Eric Tanguy
eric.tanguy at univ-nantes.fr
Wed Mar 22 21:58:38 UTC 2006
On Wednesday 22 March 2006 at 20:49 +0100, Eric Tanguy wrote:
> On Wednesday 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
> > Eric Tanguy wrote:
> > > On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
> > >
> > >> Tanguy Eric wrote:
> > >>
> > >>> I think it's a SELinux problem:
> > >>> I can't use my USB scanner unless I'm root.
> > >>> I can't mount a CD-ROM or an ext3 USB partition unless I'm root.
> > >>>
> > >>> How can I use these as a simple user?
> > >>> Eric
> > >>>
> > >>>
> > >>>
> > >>>
> > >> Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
> > >>
> > >> You can see if it is SELinux causing the problems by executing
> > >> setenforce 0 as root, and then see if the devices work correctly.
> > >>
> > >> Dan
> > >>
> > >>
> > > When I plug in my USB scanner I found this in dmesg:
> > > usb 3-2: new high speed USB device using ehci_hcd and address 8
> > > usb 3-2: configuration #1 chosen from 1 choice
> > > audit(1143014471.120:170): avc: denied { getattr } for pid=2699
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > >
> > > as user: scanimage -L
> > > device `v4l:/dev/video1' is a Noname Creative NX virtual device
> > > device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> > > virtual device
> > >
> > > sudo scanimage -L
> > > Password:
> > > device `v4l:/dev/video1' is a Noname Creative NX virtual device
> > > device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> > > virtual device
> > > device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
> > > scanner
> > >
> > > If I plug in a USB disk containing a FAT32 partition and an ext3
> > > partition, I can see in dmesg:
> > > Initializing USB Mass Storage driver...
> > > scsi0 : SCSI emulation for USB Mass Storage devices
> > > usb-storage: device found at 9
> > > usb-storage: waiting for device to settle before scanning
> > > usbcore: registered new driver usb-storage
> > > USB Mass Storage support registered.
> > > Vendor: HDS72258 Model: 0VLAT20 Rev: V32O
> > > Type: Direct-Access ANSI SCSI revision: 00
> > > SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> > > sda: Write Protect is off
> > > sda: Mode Sense: 03 00 00 00
> > > sda: assuming drive cache: write through
> > > SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> > > sda: Write Protect is off
> > > sda: Mode Sense: 03 00 00 00
> > > sda: assuming drive cache: write through
> > > sda: sda1 sda2
> > > sd 0:0:0:0: Attached scsi disk sda
> > > usb-storage: device scan complete
> > > sd 0:0:0:0: Attached scsi generic sg0 type 0
> > > audit(1143014745.045:172): avc: denied { getattr } for pid=2826
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > > audit(1143014745.117:173): avc: denied { getattr } for pid=2830
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > >
> > > As user on my desktop, only the FAT32 partition is mounted.
> > >
> > > If I plug in my USB CD/DVD reader/writer with the FC5 DVD in it,
> > > I found in dmesg:
> > > usb 3-1: new high speed USB device using ehci_hcd and address 10
> > > usb 3-1: configuration #1 chosen from 1 choice
> > > scsi1 : SCSI emulation for USB Mass Storage devices
> > > usb-storage: device found at 10
> > > usb-storage: waiting for device to settle before scanning
> > > audit(1143014878.670:179): avc: denied { getattr } for pid=2913
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > > Vendor: PLEXTOR Model: DVDR PX-708A Rev: 1.09
> > > Type: CD-ROM ANSI SCSI revision: 00
> > > 1:0:0:0: Attached scsi generic sg1 type 5
> > > usb-storage: device scan complete
> > > sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
> > > sr 1:0:0:0: Attached scsi CD-ROM sr0
> > > audit(1143014883.606:180): avc: denied { getattr } for pid=2926
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > > audit(1143014883.682:181): avc: denied { getattr } for pid=2951
> > > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > > audit(1143014921.500:182): avc: denied { getattr } for pid=2258
> > > comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > audit(1143014921.688:183): avc: denied { getattr } for pid=2967
> > > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > > scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > audit(1143014921.688:184): avc: denied { getattr } for pid=2967
> > > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > > scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > audit(1143014921.692:185): avc: denied { search } for pid=2971
> > > comm="touch" name="/" dev=sda2 ino=2
> > > scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > audit(1143014921.692:186): avc: denied { search } for pid=2971
> > > comm="touch" name="/" dev=sda2 ino=2
> > > scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > > audit(1143014921.692:187): avc: denied { getattr } for pid=2967
> > > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > > scontext=system_u:system_r:hald_t:s0
> > > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > >
> > > and the DVD is not mounted.
> > >
> > > Eric
> > >
> > >
> > >
> > You seem to have a labeling problem since you have files labeled with
> > file_t. Can you relabel your system:
> > touch /.autorelabel; reboot
> >
> > Clear your log files and run the machine in permissive mode.
> >
> > setenforce 0
> >
> > Plug in your scanner and make sure it works.
> >
> > Now can you send the AVC messages?
> >
> > You can also execute
> >
> > grep pam_console /var/log/audit/audit.log | audit2allow -M scanner
> >
> > semodule -i scanner.pp
> >
> > Which will update your policy to allow it to use the scanner in
> > enforcing mode while we update policy.
> >
> >
> > Dan
> I already tried to relabel the system and the problem is the same.
> In enforcing mode the scanner works fine if it is already plugged in at
> boot but does not work if I unplug it and replug it.
> If I disable SELinux all works fine.
> I didn't try permissive mode.
> I will try it and send you the AVC messages
> from /var/log/audit/audit.log
>
> This is one point, but I had no answers about the USB disk and USB CD-ROM?
> Eric
>
First of all, I can't find /var/log/audit/audit.log:
$ls -la /var/log/
total 1912
drwxr-xr-x 10 root root 4096 mar 22 22:51 .
drwxr-xr-x 23 root root 4096 mar 21 16:20 ..
-rw-r----- 1 root root 2135 mar 22 22:51 acpid
-rw------- 1 root root 24192 mar 21 09:48 anaconda.log
-rw------- 1 root root 146974 mar 21 09:48 anaconda.syslog
-rw------- 1 root root 39011 mar 21 09:48 anaconda.xlog
-rw------- 1 root root 0 mar 21 10:20 boot.log
-rw------- 1 root utmp 0 mar 21 09:38 btmp
-rw------- 1 root root 50186 mar 22 22:51 cron
drwxr-xr-x 2 lp sys 4096 mar 21 10:24 cups
-rw-r--r-- 1 root root 19090 mar 22 22:50 dmesg
drwxr-xr-x 2 root root 4096 mar 22 22:51 gdm
drwx------ 2 root root 4096 fév 12 00:12 httpd
drwxrwx--- 2 root ircd 4096 fév 15 01:16 ircd
-rw-r--r-- 1 root root 146292 mar 22 22:51 lastlog
drwxr-xr-x 2 root root 4096 mar 21 09:38 mail
-rw------- 1 root root 20773 mar 22 22:51 maillog
-rw------- 1 root root 829727 mar 22 22:55 messages
drwx------ 2 root root 4096 fév 12 09:49 ppp
-rw-r--r-- 1 root root 68029 mar 22 21:42 prelink.log
-rw-r--r-- 1 root root 31300 mar 22 21:42 rpmpkgs
drwx------ 2 root root 4096 fév 13 17:36 samba
-rw-r--r-- 1 root root 64863 mar 21 18:36 scrollkeeper.log
-rw------- 1 root root 155455 mar 22 22:53 secure
-rw------- 1 root root 0 mar 21 10:20 spooler
drwxr-xr-x 2 root root 4096 mar 1 16:29 vbox
-rw-rw-r-- 1 root utmp 143616 mar 22 22:54 wtmp
-rw-r--r-- 1 root root 42470 mar 22 22:51 Xorg.0.log
-rw-r--r-- 1 root root 42525 mar 22 22:34 Xorg.0.log.old
-rw-r--r-- 1 root root 16530 mar 22 22:47 yum.log
Why is there no /var/log/audit on my system?
I tried the scanner in permissive mode and it works fine as user:
Mar 22 22:52:05 bureau bonobo-activation-server (root-2663): Duff env.
var ''
Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
Mar 22 22:54:12 bureau kernel: usb 3-2: new high speed USB device using
ehci_hcd and address 8
Mar 22 22:54:13 bureau kernel: usb 3-2: configuration #1 chosen from 1
choice
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc: denied
{ getattr } for pid=2776 comm="pam_console_app" name="008" dev=tmpfs
ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Eric
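An added example, not part of the thread: a small Python script that parses AVC denial records of the kind quoted above, aggregates them per (source type, target type, object class) the way audit2allow does before it emits allow rules, and separately flags file_t targets, which indicate the unlabeled-filesystem problem Dan points to and call for a relabel rather than an allow rule. The three sample lines are constructed in the format shown in the thread; the record is matched anywhere in the line, so syslog-prefixed lines from /var/log/messages parse the same way as audit.log lines.

```python
import re
from collections import defaultdict

# Constructed sample in the format the thread shows (kernel audit records as
# they appear in dmesg / /var/log/messages); not copied from a real audit.log.
SAMPLE_LOG = """\
audit(1143014471.120:170): avc: denied { getattr } for pid=2699 comm="pam_console_app" name="008" dev=tmpfs ino=20684 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Mar 22 22:54:13 bureau kernel: audit(1143014921.500:182): avc: denied { getattr } for pid=2258 comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc: denied { search } for pid=2971 comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(log_text):
    """Group denials into (source type, target type, class) -> set of perms,
    the aggregation audit2allow performs before printing allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return rules

def labeling_problems(rules):
    """Target types file_t / unlabeled_t mean the filesystem was never labeled;
    the remedy is restorecon or touch /.autorelabel, not an allow rule."""
    return sorted({t for (_, t, _) in rules if t in ('file_t', 'unlabeled_t')})

def to_allow_rules(rules):
    """Render the aggregated denials as policy allow statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]
```

Running summarize on the sample yields one rule for pam_console_t on usb_device_t and one for hald_t on file_t; labeling_problems reports file_t, so only the first rule is a candidate for a local module.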