libgpod HAL callout and SELinux denials

Todd Zullinger tmz at pobox.com
Sun Jan 4 15:34:14 UTC 2009 

Hi,

I help maintain libgpod upstream and in Fedora.  We install a hal
callout¹ to handle newer iPods, which make some very useful and
required information accessible only via a SCSI query of the iPod.
The callout is meant to make the needed query and store the
information retrieved (which is is an XML file) on the iPod where it
can subsequently be read by a normal user.

To do this, the callout mounts the iPod to a temporary location,
queries the device, saves the XML, and unmounts.  This causes a number
of denials which I will attach.  I'd like to get some help in
determining what things need fixed in the callout code and what things
need policy changes.  If I need to, I can package a policy module in
libgpod, though having it in the main selinux policy would be
preferable I think.

The libgpod callout code is in:

https://gtkpod.svn.sourceforge.net/svnroot/gtkpod/libgpod/trunk/tools/

Most of the interesting code is in hal-callout.c, but the other files
are probably worth a look as well.

FWIW, the callout currently uses /tmp/ipodXXXXXX (via mkdtemp) as the
temporary mount point.  I did try moving that to /media to see if that
worked any better, but AFAICT, it caused the same denials.  Moving the
temp mount out of /tmp is not a problem (and is probably a good idea
anyway).

Any help will be much appreciated.

¹ http://people.freedesktop.org/~david/hal-spec/hal-spec.html#device-properties-info-callouts

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We can't be so fixated on our desire to preserve the rights of
ordinary Americans.
    -- William Jefferson Clinton (USA TODAY, 11 March 1993, page 2A)

-------------- next part --------------
----
time->Sun Jan  4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.291:1697): arch=40000003 syscall=21 success=yes exit=0 a0=bfed16d7 a1=81fbd20 a2=bfed1a1d a3=0 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.291:1697): avc:  denied  { mount } for  pid=21577 comm="libgpod-callout" name="/" dev=sdb2 ino=1 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem
type=AVC msg=audit(1231080896.291:1697): avc:  denied  { mounton } for  pid=21577 comm="libgpod-callout" path="/tmp/ipodtSpXXY" dev=dm-1 ino=363384 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:hald_tmp_t:s0 tclass=dir
----
time->Sun Jan  4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.304:1698): arch=40000003 syscall=5 success=yes exit=3 a0=81fca00 a1=80c2 a2=1b6 a3=80c2 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.304:1698): avc:  denied  { read write } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.304:1698): avc:  denied  { create } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.304:1698): avc:  denied  { add_name } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1231080896.304:1698): avc:  denied  { write } for  pid=21577 comm="libgpod-callout" name="Device" dev=sdb2 ino=19720 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
----
time->Sun Jan  4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.305:1699): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfecf764 a2=5ceff4 a3=81fcaa8 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.305:1699): avc:  denied  { getattr } for  pid=21577 comm="libgpod-callout" path="/tmp/ipodtSpXXY/iPod_Control/Device/SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
----
time->Sun Jan  4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.360:1700): arch=40000003 syscall=38 success=yes exit=0 a0=81fb8b0 a1=81fbba8 a2=73925c a3=1 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.360:1700): avc:  denied  { unlink } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended" dev=sdb2 ino=19722 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.360:1700): avc:  denied  { rename } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1231080896.360:1700): avc:  denied  { remove_name } for  pid=21577 comm="libgpod-callout" name="SysInfoExtended.DAPDNU" dev=sdb2 ino=19721 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
----
time->Sun Jan  4 09:54:56 2009
type=SYSCALL msg=audit(1231080896.360:1701): arch=40000003 syscall=22 success=yes exit=0 a0=81fbd20 a1=48 a2=81fbba8 a3=81fbb60 items=0 ppid=2080 pid=21577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libgpod-callout" exe="/usr/lib/hal/scripts/libgpod-callout" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1231080896.360:1701): avc:  denied  { unmount } for  pid=21577 comm="libgpod-callout" scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=filesystem
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090104/5d2fb598/attachment.sig>

More information about the fedora-selinux-list mailing list