fc-5 and selinux

Eric Tanguy eric.tanguy at univ-nantes.fr
Thu Mar 23 22:04:23 UTC 2006


On Thursday 23 March 2006 at 11:02 -0500, Daniel J Walsh wrote:
> Eric Tanguy wrote:
> > On Wednesday 22 March 2006 at 20:49 +0100, Eric Tanguy wrote:
> >   
> >> On Wednesday 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
> >>     
> >>> Eric Tanguy wrote:
> >>>       
> >>>> On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
> >>>>   
> >>>>         
> >>>>> Tanguy Eric wrote:
> >>>>>     
> >>>>>           
> >>>>>> I think it's a SELinux problem:
> >>>>>> I can't use my USB scanner unless I'm root
> >>>>>> I can't mount the CD-ROM or the ext3 USB partition unless I'm root
> >>>>>>
> >>>>>> How can I use these as a simple user?
> >>>>>> Eric
> >>>>>>
> >>>>>>
> >>>>>>   
> >>>>>>       
> >>>>>>             
> >>>>> Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
> >>>>>
> >>>>> You can see if it is SELinux causing the problems by executing 
> >>>>> setenforce 0 as root, and then see if the devices work correctly.
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>>     
> >>>>>           
> >>>> When I plug in my USB scanner I found this in dmesg:
> >>>> usb 3-2: new high speed USB device using ehci_hcd and address 8
> >>>> usb 3-2: configuration #1 chosen from 1 choice
> >>>> audit(1143014471.120:170): avc:  denied  { getattr } for  pid=2699
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>>
> >>>> as user : scanimage -L
> >>>> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> >>>> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> >>>> virtual device
> >>>>
> >>>> sudo scanimage -L
> >>>> Password:
> >>>> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> >>>> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> >>>> virtual device
> >>>> device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
> >>>> scanner
> >>>>
> >>>> If I plug in a USB disk containing a FAT32 partition and an ext3
> >>>> partition:
> >>>>
> >>>> I can see in dmesg:
> >>>> Initializing USB Mass Storage driver...
> >>>> scsi0 : SCSI emulation for USB Mass Storage devices
> >>>> usb-storage: device found at 9
> >>>> usb-storage: waiting for device to settle before scanning
> >>>> usbcore: registered new driver usb-storage
> >>>> USB Mass Storage support registered.
> >>>>   Vendor: HDS72258  Model: 0VLAT20           Rev: V32O
> >>>>   Type:   Direct-Access                      ANSI SCSI revision: 00
> >>>> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> >>>> sda: Write Protect is off
> >>>> sda: Mode Sense: 03 00 00 00
> >>>> sda: assuming drive cache: write through
> >>>> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> >>>> sda: Write Protect is off
> >>>> sda: Mode Sense: 03 00 00 00
> >>>> sda: assuming drive cache: write through
> >>>>  sda: sda1 sda2
> >>>> sd 0:0:0:0: Attached scsi disk sda
> >>>> usb-storage: device scan complete
> >>>> sd 0:0:0:0: Attached scsi generic sg0 type 0
> >>>> audit(1143014745.045:172): avc:  denied  { getattr } for  pid=2826
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014745.117:173): avc:  denied  { getattr } for  pid=2830
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>>
> >>>> As a user on my desktop only the FAT32 partition is mounted.
> >>>>
> >>>> If I plug in my USB CD/DVD reader/writer with the FC5 DVD in it,
> >>>> I find in dmesg:
> >>>> usb 3-1: new high speed USB device using ehci_hcd and address 10
> >>>> usb 3-1: configuration #1 chosen from 1 choice
> >>>> scsi1 : SCSI emulation for USB Mass Storage devices
> >>>> usb-storage: device found at 10
> >>>> usb-storage: waiting for device to settle before scanning
> >>>> audit(1143014878.670:179): avc:  denied  { getattr } for  pid=2913
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>>   Vendor: PLEXTOR   Model: DVDR   PX-708A    Rev: 1.09
> >>>>   Type:   CD-ROM                             ANSI SCSI revision: 00
> >>>>  1:0:0:0: Attached scsi generic sg1 type 5
> >>>> usb-storage: device scan complete
> >>>> sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
> >>>> sr 1:0:0:0: Attached scsi CD-ROM sr0
> >>>> audit(1143014883.606:180): avc:  denied  { getattr } for  pid=2926
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014883.682:181): avc:  denied  { getattr } for  pid=2951
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258
> >>>> comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.688:183): avc:  denied  { getattr } for  pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.688:184): avc:  denied  { getattr } for  pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:185): avc:  denied  { search } for  pid=2971
> >>>> comm="touch" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:186): avc:  denied  { search } for  pid=2971
> >>>> comm="touch" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:187): avc:  denied  { getattr } for  pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>>
> >>>> and the DVD is not mounted.
> >>>>
> >>>> Eric
> >>>>
> >>>>
> >>>>   
> >>>>         
> >>> You seem to have a labeling problem since you have files labeled with
> >>> file_t. Can you relabel your system?
> >>> touch /.autorelabel; reboot
> >>>
> >>> Clear your log files and run the machine in permissive mode.
> >>>
> >>> setenforce 0
> >>>
> >>> Plug in your scanner and make sure it works.
> >>>
> >>> Now can you send the AVC messages?
> >>>
> >>> You can also execute
> >>>
> >>> grep pam_console /var/log/audit/audit.log | audit2allow -M scanner
> >>>
> >>> semodule -i scanner.pp
> >>>
> >>> Which will update your policy to allow it to use the scanner in 
> >>> enforcing mode while we update policy.
> >>>
> >>>
> >>> Dan
> >>>       
> >> I already tried to relabel the system and the problem is the same.
> >> In enforcing mode the scanner works fine if it is already plugged in at
> >> boot but does not work if I unplug it and replug it.
> >> If I disable SELinux everything works fine.
> >> I didn't try in permissive mode.
> >> I will try it and send you the AVC messages
> >> from /var/log/audit/audit.log
> >>
> >> This is one point, but I had no answers about the USB disk and USB CD-ROM?
> >> Eric
> >>
> >>     
> > First of all, I can't find /var/log/audit/audit.log:
> > $ls -la /var/log/
> > total 1912
> > drwxr-xr-x 10 root root   4096 mar 22 22:51 .
> > drwxr-xr-x 23 root root   4096 mar 21 16:20 ..
> > -rw-r-----  1 root root   2135 mar 22 22:51 acpid
> > -rw-------  1 root root  24192 mar 21 09:48 anaconda.log
> > -rw-------  1 root root 146974 mar 21 09:48 anaconda.syslog
> > -rw-------  1 root root  39011 mar 21 09:48 anaconda.xlog
> > -rw-------  1 root root      0 mar 21 10:20 boot.log
> > -rw-------  1 root utmp      0 mar 21 09:38 btmp
> > -rw-------  1 root root  50186 mar 22 22:51 cron
> > drwxr-xr-x  2 lp   sys    4096 mar 21 10:24 cups
> > -rw-r--r--  1 root root  19090 mar 22 22:50 dmesg
> > drwxr-xr-x  2 root root   4096 mar 22 22:51 gdm
> > drwx------  2 root root   4096 fév 12 00:12 httpd
> > drwxrwx---  2 root ircd   4096 fév 15 01:16 ircd
> > -rw-r--r--  1 root root 146292 mar 22 22:51 lastlog
> > drwxr-xr-x  2 root root   4096 mar 21 09:38 mail
> > -rw-------  1 root root  20773 mar 22 22:51 maillog
> > -rw-------  1 root root 829727 mar 22 22:55 messages
> > drwx------  2 root root   4096 fév 12 09:49 ppp
> > -rw-r--r--  1 root root  68029 mar 22 21:42 prelink.log
> > -rw-r--r--  1 root root  31300 mar 22 21:42 rpmpkgs
> > drwx------  2 root root   4096 fév 13 17:36 samba
> > -rw-r--r--  1 root root  64863 mar 21 18:36 scrollkeeper.log
> > -rw-------  1 root root 155455 mar 22 22:53 secure
> > -rw-------  1 root root      0 mar 21 10:20 spooler
> > drwxr-xr-x  2 root root   4096 mar  1 16:29 vbox
> > -rw-rw-r--  1 root utmp 143616 mar 22 22:54 wtmp
> > -rw-r--r--  1 root root  42470 mar 22 22:51 Xorg.0.log
> > -rw-r--r--  1 root root  42525 mar 22 22:34 Xorg.0.log.old
> > -rw-r--r--  1 root root  16530 mar 22 22:47 yum.log
> >
> > Why is there no /var/log/audit on my system?
> >
> > I tried the scanner in permissive mode and it works fine as a user:
> > Mar 22 22:52:05 bureau bonobo-activation-server (root-2663): Duff env.
> > var ''
> > Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
> > Mar 22 22:54:12 bureau kernel: usb 3-2: new high speed USB device using
> > ehci_hcd and address 8
> > Mar 22 22:54:13 bureau kernel: usb 3-2: configuration #1 chosen from 1
> > choice
> > Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc:  denied
> > { getattr } for  pid=2776 comm="pam_console_app" name="008" dev=tmpfs
> > ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >
> > Eric
> >
> >   
> auditd is disabled by default in FC5.  You can install the audit daemon 
> and it will work like it did in devel.
OK, I installed it.

> 
> pam_console has those privs in the updated policy.
> Dan
Why (when) will this policy be available as an update?
Eric
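An added example, not from this thread or from any Fedora tool: a small Python script that re-joins AVC records wrapped across lines like the ones pasted above, groups them the way the `grep pam_console ... | audit2allow -M scanner` step would, and flags file_t targets, so what a generated module would grant can be reviewed before `semodule -i`. The sample log is constructed from denials quoted in the thread; the summary format mimics audit2allow output and is not produced by it.

```python
import re
from collections import defaultdict
# Constructed sample from denials quoted in the thread: raw audit.log records,
# one syslog "kernel:" record, and a non-AVC line, wrapped as they were pasted.
SAMPLE_LOG = """\
audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258
comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc:  denied  { search } for  pid=2971
comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc:  denied
{ getattr } for  pid=2776 comm="pam_console_app" name="008" dev=tmpfs
ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
"""
RECORD_START = re.compile(r'audit\(|[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def join_records(text):
    # A record starts at "audit(" or a syslog timestamp; other lines continue it.
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records
def summarize(text):
    # Group by (source type, target type, class) and merge permissions: the
    # shape of the allow rules audit2allow would put into the module.
    rules = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if not m: continue  # dmesg noise, not an AVC denial
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        key = (f['scontext'].split(':')[2], f['tcontext'].split(':')[2], f['tclass'])
        rules[key] |= set(m.group(1).split())
    return dict(rules)

def review(text):
    # file_t means the target is unlabeled: the fix is relabeling, not a new rule.
    out = []
    for (s, t, c), perms in sorted(summarize(text).items()):
        rule = 'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(perms)))
        if t == 'file_t':
            rule += '  # unlabeled target: touch /.autorelabel; reboot'
        out.append(rule)
    return out
```

Run `print('\n'.join(review(SAMPLE_LOG)))` to see the two candidate rules; on a real box, pipe the relevant `/var/log/audit/audit.log` lines in instead of the sample.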



