fc-5 and selinux

Daniel J Walsh dwalsh at redhat.com
Wed Mar 22 15:08:35 UTC 2006


Eric Tanguy wrote:
> On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
>   
>> Tanguy Eric wrote:
>>     
>>> I think it's an SELinux problem:
>>> I can't use my usb scanner unless I'm root
>>> I can't mount cdrom and ext3 usb partition unless I'm root
>>>
>>> How can I use these as a simple user?
>>> Eric
>>>
>>>
>>>   
>>>       
>> Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
>>
>> You can see if it is SELinux causing the problems by executing 
>> setenforce 0 as root, and then see if the devices work correctly.
>>
>> Dan
>>
>>     
> When I plug in my usb scanner I find this in dmesg:
> usb 3-2: new high speed USB device using ehci_hcd and address 8
> usb 3-2: configuration #1 chosen from 1 choice
> audit(1143014471.120:170): avc:  denied  { getattr } for  pid=2699
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
>
> as user: scanimage -L
> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> virtual device
>
> sudo scanimage -L
> Password:
> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> virtual device
> device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
> scanner
>
> If I plug in a usb disk containing a fat32 partition and an ext3
> partition:
>
> I can see in dmesg:
> Initializing USB Mass Storage driver...
> scsi0 : SCSI emulation for USB Mass Storage devices
> usb-storage: device found at 9
> usb-storage: waiting for device to settle before scanning
> usbcore: registered new driver usb-storage
> USB Mass Storage support registered.
>   Vendor: HDS72258  Model: 0VLAT20           Rev: V32O
>   Type:   Direct-Access                      ANSI SCSI revision: 00
> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> sda: Write Protect is off
> sda: Mode Sense: 03 00 00 00
> sda: assuming drive cache: write through
> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> sda: Write Protect is off
> sda: Mode Sense: 03 00 00 00
> sda: assuming drive cache: write through
>  sda: sda1 sda2
> sd 0:0:0:0: Attached scsi disk sda
> usb-storage: device scan complete
> sd 0:0:0:0: Attached scsi generic sg0 type 0
> audit(1143014745.045:172): avc:  denied  { getattr } for  pid=2826
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> audit(1143014745.117:173): avc:  denied  { getattr } for  pid=2830
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
>
> As user, in my desktop only the fat32 partition is mounted.
>
> If I plug in my usb cd/dvd reader/writer with the fc5 dvd in it,
> I find in dmesg:
> usb 3-1: new high speed USB device using ehci_hcd and address 10
> usb 3-1: configuration #1 chosen from 1 choice
> scsi1 : SCSI emulation for USB Mass Storage devices
> usb-storage: device found at 10
> usb-storage: waiting for device to settle before scanning
> audit(1143014878.670:179): avc:  denied  { getattr } for  pid=2913
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
>   Vendor: PLEXTOR   Model: DVDR   PX-708A    Rev: 1.09
>   Type:   CD-ROM                             ANSI SCSI revision: 00
>  1:0:0:0: Attached scsi generic sg1 type 5
> usb-storage: device scan complete
> sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
> sr 1:0:0:0: Attached scsi CD-ROM sr0
> audit(1143014883.606:180): avc:  denied  { getattr } for  pid=2926
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> audit(1143014883.682:181): avc:  denied  { getattr } for  pid=2951
> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258
> comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143014921.688:183): avc:  denied  { getattr } for  pid=2967
> comm="hal-system-stor" name="/" dev=sda2 ino=2
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143014921.688:184): avc:  denied  { getattr } for  pid=2967
> comm="hal-system-stor" name="/" dev=sda2 ino=2
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143014921.692:185): avc:  denied  { search } for  pid=2971
> comm="touch" name="/" dev=sda2 ino=2
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143014921.692:186): avc:  denied  { search } for  pid=2971
> comm="touch" name="/" dev=sda2 ino=2
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143014921.692:187): avc:  denied  { getattr } for  pid=2967
> comm="hal-system-stor" name="/" dev=sda2 ino=2
> scontext=system_u:system_r:hald_t:s0
> tcontext=system_u:object_r:file_t:s0 tclass=dir
>
> and the dvd is not mounted.
>
> Eric
>
>
>   
You seem to have a labeling problem, since you have files labeled 
file_t. Can you relabel your system:
touch /.autorelabel; reboot

Clear your log files and run the machine in permissive mode.

setenforce 0

Plug in your scanner and make sure it works.

Now can you send the AVC messages.

You can also execute

grep pam_console /var/log/audit/audit.log | audit2allow -M scanner

semodule -i scanner.pp

That will update your policy to allow it to use the scanner in 
enforcing mode while we update the policy.


Dan
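As an added illustration (not part of Dan's or Eric's mails, and not the real audit2allow), the script below does by hand what the `audit2allow -M scanner` step above does: it reads AVC denial lines like the ones Eric posted and folds them into the allow rules a local module would contain, one per (source type, target type, class). It also applies the check Dan makes in his first sentence: any denial whose target type is file_t is a denial on an unlabeled file, which is a labeling problem to fix with `touch /.autorelabel; reboot`, not a rule to ship in a module. The sample lines are constructed from the thread, one record per line; the function names avc_to_allow and unlabeled_targets are this example's own.

```shell
#!/bin/sh
# Added example: a small awk reimplementation of the part of audit2allow that
# turns AVC denials into allow rules, plus a check for the labeling problem
# (targets of type file_t are unlabeled files; relabel, do not allow).

# Constructed sample: three of the AVC lines from the thread, one record per
# line. /var/log/audit/audit.log carries the same key=value tokens (prefixed
# with "type=AVC msg="), so the parser works on either source.
AVC_SAMPLE='audit(1143014471.120:170): avc:  denied  { getattr } for  pid=2699 comm="pam_console_app" name="008" dev=tmpfs ino=20684 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258 comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc:  denied  { search } for  pid=2971 comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# avc_to_allow: read AVC lines on stdin and print one sorted allow rule per
# (source type, target type, class), merging the denied permissions.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/^.*denied *[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*$/, "", perms)           # drop everything from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i; sub(/^scontext=/, "", src) }
            else if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # A context is user:role:type[:range]; the rule needs only the type.
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " t[3] ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j]
    }
    END {
        for (k in seen) {
            v = seen[k]; sub(/^ /, "", v)
            printf "allow %s { %s };\n", k, v
        }
    }' | sort
}

# unlabeled_targets: source types that were denied access to file_t objects.
# Those denials are the symptom of unlabeled files; the fix is
# "touch /.autorelabel; reboot", and such rules should not go into a module.
unlabeled_targets() {
    avc_to_allow | awk '$3 ~ /^file_t:/ { print $2 }' | sort -u
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | unlabeled_targets
```

Run against the sample it prints the two rules audit2allow would have produced (hald_t on file_t:dir with getattr and search merged, pam_console_t on usb_device_t:chr_file with getattr) and then lists hald_t as the domain hitting unlabeled files. Only the pam_console_t rule belongs in the scanner module; the hald_t one goes away once the disk's ext3 filesystem is relabeled.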




