pam_console_t wants access to device_t:chr_file ?

Tomas Mraz tmraz at redhat.com
Mon Jul 10 09:23:16 UTC 2006


On Sat, 2006-07-08 at 13:15 -0700, Tom London wrote:
> On 7/8/06, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > Tom London wrote:
> > > Running targeted/enforcing, latest Rawhide.
> > >
> > > Noticed this in /var/log/messages, before auditd is started I guess:
> > >
> > > Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc:
> > > denied  { getattr } for  pid=1526 comm="pam_console_app"
> > > name="usbdev5.5_ep02" dev=tmpfs ino=5143
> > > scontext=system_u:system_r:pam_console_t:s0
> > > tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> > > \
> > The problem is usbdev5.5_ep02 is not labeled correctly.  Is this a real
> > device?  What kind of device is it?
> > > Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc:
> > > denied  { getattr } for  pid=1526 comm="pam_console_app"
> > > name="usbdev5.5_ep81" dev=tmpfs ino=5120
> > > scontext=system_u:system_r:pam_console_t:s0
> > > tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> > > Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc:
> > > denied  { getattr } for  pid=1526 comm="pam_console_app"
> > > name="usbdev5.5_ep00" dev=tmpfs ino=5068
> > > scontext=system_u:system_r:pam_console_t:s0
> > > tcontext=system_u:object_r:device_t:s0 tclass=chr_file
> > >
> > > << actually many, many copies of these....>>
> > >
> Happens every time I boot.  Appears to depend on the usb devices I
> have connected at the time (I have 2 'docks' for my laptop, so the USB
> setup is not the same).
> 
> In this case, 'lsusb' says:
> Bus 005 Device 005: ID 04b8:010a Seiko Epson Corp. Perfection 1640SU
> Bus 005 Device 004: ID 0461:4d03 Primax Electronics, Ltd Kensington
> Mouse-in-a-box
> Bus 005 Device 002: ID 04b3:4484 IBM Corp.
> Bus 005 Device 001: ID 0000:0000
> Bus 002 Device 001: ID 0000:0000
> Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
> Bus 003 Device 001: ID 0000:0000
> Bus 001 Device 001: ID 0000:0000
> Bus 004 Device 001: ID 0000:0000
> 
> So I'm guessing usbdev5.5_ep* is pointing at this.

It is the scanner device so it should have a scanner_device_t type.
pam_console_apply actually accesses /dev/usb/scanner* or /dev/scanner*
symlink which points to the device node.
-- 
Tomas Mraz <tmraz at redhat.com>
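An added example, not part of the thread above, showing the triage a practitioner would do on the AVC lines quoted in it: parse each `avc: denied` record, collapse the repeated denials into one row per (process, source type, target type, class, permission), and flag device nodes whose target type is still the generic `device_t`, which is the mislabeling the thread identifies. The log text is constructed from the messages quoted above (re-joined onto single lines, as the kernel actually logs them) plus one constructed record for a correctly labelled `mouse_device_t` node; the function and variable names are this example's own.

```python
"""Group SELinux AVC denials and flag targets left at the generic device_t type."""
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in the thread, plus one
# constructed record for a node that already carries a specific device type.
SAMPLE_LOG = """\
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied  { getattr } for  pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied  { getattr } for  pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied  { getattr } for  pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:49 localhost kernel: audit(1151588568.001:105): avc: denied  { read } for  pid=1526 comm="pam_console_app" name="mouse0" dev=tmpfs ino=5200 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file
"""

# "avc: denied  { perm1 perm2 } for  key=value ..." ; permissions sit inside braces
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm, name) or bare (scontext, ino)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': tuple(m.group('perms').split())}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Collapse identical denials into one entry with a count and the object names seen."""
    groups = defaultdict(lambda: {'count': 0, 'names': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        key = (rec.get('comm', '?'), type_of(rec['scontext']),
               type_of(rec['tcontext']), rec.get('tclass', '?'), rec['perms'])
        entry = groups[key]
        entry['count'] += 1
        entry['names'].add(rec.get('name', '?'))
    return dict(groups)


def generic_device_targets(groups):
    """Names of device nodes whose target type is the catch-all device_t.

    A specific domain being denied on device_t usually means the node was
    never relabelled to its proper *_device_t type, not that policy is missing.
    """
    names = set()
    for (_comm, _stype, ttype, tclass, _perms), entry in groups.items():
        if ttype == 'device_t' and tclass in ('chr_file', 'blk_file'):
            names |= entry['names']
    return sorted(names)


if __name__ == '__main__':
    groups = summarize(SAMPLE_LOG)
    for (comm, stype, ttype, tclass, perms), entry in groups.items():
        print(f"{entry['count']:4d}  {comm} ({stype}) -> {ttype}:{tclass} "
              f"{{ {' '.join(perms)} }}  names={sorted(entry['names'])}")
    print("still labelled device_t:", generic_device_targets(groups))
```

Run against the real log with `summarize(open('/var/log/messages').read())`; nodes listed by `generic_device_targets` are the ones to check with `matchpathcon` or `ls -Z` rather than the ones to write an allow rule for.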
