Udev AVC spawning a script

Daniel J Walsh dwalsh at redhat.com
Mon Jun 4 13:51:39 UTC 2007


Aurelien Bompard wrote:
> Hi,
>
> I comaintain synce (a framework to connect to PocketPC devices) in Fedora,
> and since Fedora 7 it does not autoconnect the device when plugged in.
>
> Autoconnection is done by an Udev rule :
> # cat /etc/udev/rules.d/60-synce.rules
> ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="0bb4",
> SYSFS{idProduct}=="0a06", SYMLINK+="ipaq",
> RUN+="/usr/bin/synce-serial-start"
>
> synce-serial-start is a shell script that sources a
> file: /usr/share/synce/synce-serial-common
>
> On F7, I get AVC messages for getattr and read permissions from
> synce-serial-start to this file:
>
> type=AVC msg=audit(1180872169.345:3815): avc:  denied  { getattr } for 
> pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
> ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> type=AVC_PATH msg=audit(1180872169.345:3815): 
> path="/usr/share/synce/synce-serial-common"
>
> type=AVC msg=audit(1180872169.345:3816): avc:  denied  { read } for 
> pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2
> ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:usr_t:s0 tclass=file
>
> How should I label /usr/share/synce/synce-serial-common to allow access from
> udev_t ?
> And in general, how can I view which labels are allowed (and in which way)
> for a given type ?
>
> Thanks !
>
> Aurélien
>
I will update policy to allow this priv (2.6.4-13).  I don't think you 
should relabel the file.  Discovering what a domain can do is somewhat 
difficult.  There are tools in setools that allow you to make queries, 
like: can this domain access this type?  And you can probably generate a 
report of all the types a domain can access.

Also reading the policy is not that difficult.

files_read_usr_files(udev_t)

Adds the privs.
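
As an added example (not part of this thread, and not synce or Fedora policy code): the shell below turns the two AVC lines quoted above into the raw allow rule they imply (the core of what audit2allow does), shows how to ask the loaded policy with sesearch whether udev_t already has the access, and writes a local policy module in both the raw form and the interface form Dan names. The sample AVC lines are the ones quoted above, joined back onto one line each; the module name synce_udev is made up for the example; sesearch (setools), checkmodule, semodule_package, semodule and the selinux-policy-devel Makefile are assumed to be installed only where those steps are actually run, and exact sesearch flag spelling varies between setools releases.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes setools
# (sesearch), checkpolicy/policycoreutils and selinux-policy-devel only
# for the steps that call them; the parsing below needs only awk.

# The two denials quoted in the thread, one per line (sample input).
SAMPLE_AVC='type=AVC msg=audit(1180872169.345:3815): avc:  denied  { getattr } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1180872169.345:3816): avc:  denied  { read } for pid=31270 comm="synce-serial-st" name="synce-serial-common" dev=sda2 ino=438256 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin, print one raw allow rule per
# (source type, target type, class) with the permissions merged. The type
# is the third colon-separated field of a context (user:role:type:level).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }
    ' | sort
}

# policy_allowed SRC TGT CLASS [PERM]: query the loaded policy with setools
# sesearch and print the allow rules that already grant this access.
policy_allowed() {
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch not installed (setools-console / setools)" >&2
        return 1
    fi
    sesearch --allow -s "$1" -t "$2" -c "$3" ${4:+-p "$4"}
}

# rules_to_module NAME: wrap raw allow rules (avc_to_allow output, on stdin)
# in the module/require header a raw loadable module needs. Build with:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
rules_to_module() {
    awk -v name="$1" '
    $1 == "allow" {
        rules[++r] = $0
        types[$2] = 1
        split($3, tc, ":"); types[tc[1]] = 1
        perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " classperm[tc[2]] " ", " " p[j] " ") == 0)
                classperm[tc[2]] = (classperm[tc[2]] == "" ? p[j] : classperm[tc[2]] " " p[j])
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "    type %s;\n", t
        for (c in classperm) printf "    class %s { %s };\n", c, classperm[c]
        print "}\n"
        for (i = 1; i <= r; i++) print rules[i]
    }'
}

# write_interface_module DIR NAME: the form Dan points at, using the
# reference-policy interface instead of a raw rule. Build against the
# installed headers with: make -f /usr/share/selinux/devel/Makefile NAME.pp
write_interface_module() {
    cat > "$1/$2.te" <<EOF
policy_module($2, 1.0)

gen_require(\`
    type udev_t;
')

# Read access to usr_t files for udev_t; covers the getattr and read denials.
files_read_usr_files(udev_t)
EOF
    echo "$1/$2.te"
}

# Usage: show the rule the quoted denials translate to.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Running avc_to_allow over the sample prints `allow udev_t usr_t:file { getattr read };`, which is exactly the raw rule audit2allow would suggest; policy_allowed udev_t usr_t file read then tells you whether the installed policy already carries it (after Dan's 2.6.4-13 update it should), and the interface module is the one to keep if you need a local fix, since files_read_usr_files grants the full read permission set rather than just the two permissions that happened to be logged.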





More information about the fedora-selinux-list mailing list