Funny AVC from USB CD plugin

Daniel J Walsh dwalsh at redhat.com
Mon Jan 7 16:56:45 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom London wrote:
> Running latest Rawhide, targeted/enforcing.
> 
> Plugging in an 'old USB CD drive', I got the following audit message:
> 
> [root at localhost ~]# sealert -l fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> 
> Summary:
> 
> SELinux is preventing ln(/bin/ln) (udev_t) "create" to <Unknown> (etc_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by ln(/bin/ln). It is not expected that this
> access is required by ln(/bin/ln) and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> Sometimes labeling problems can cause SELinux denials. You could try to restore
> the default system file context for <Unknown>, restorecon -v <Unknown> If this
> does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
> Target Context                system_u:object_r:etc_t
> Target Objects                None [ lnk_file ]
> Source                        ln(/bin/ln)
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.2.5-8.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain
>                               2.6.24-0.136.rc6.git12.fc9 #1 SMP Sat Jan 5
>                               12:46:45 EST 2008 i686 i686
> Alert Count                   2
> First Seen                    Sun Jan  6 10:30:15 2008
> Last Seen                     Sun Jan  6 10:30:15 2008
> Local ID                      fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1199644215.878:31): avc:
>  denied  { create } for  pid=6933 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1199644215.878:31):
> arch=40000003 syscall=83 success=no exit=-13 a0=bff3ddc3 a1=bff3ddcd
> a2=804f77c a3=0 items=0 ppid=6931 pid=6933 auid=4294967295 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ln"
> exe="/bin/ln" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> 
> 
> Here are the messages from /var/log/messages:
> 
> Jan  6 10:30:05 localhost kernel: usb 2-2: new full speed USB device
> using uhci_hcd and address 4
> Jan  6 10:30:06 localhost kernel: usb 2-2: configuration #1 chosen from 1 choice
> Jan  6 10:30:06 localhost kernel: scsi8 : SCSI emulation for USB Mass
> Storage devices
> Jan  6 10:30:06 localhost kernel: usb-storage: device found at 4
> Jan  6 10:30:06 localhost kernel: usb-storage: waiting for device to
> settle before scanning
> Jan  6 10:30:11 localhost kernel: usb-storage: device scan complete
> Jan  6 10:30:11 localhost kernel: scsi 8:0:0:0: CD-ROM            IBM
>     USB CD-ROM       20A4 PQ: 0 ANSI: 0 CCS
> Jan  6 10:30:11 localhost kernel: sr1: scsi3-mmc drive: 10x/10x cd/rw
> xa/form2 cdda pop-up
> Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi CD-ROM sr1
> Jan  6 10:30:11 localhost kernel: sr 8:0:0:0: Attached scsi generic sg2 type 5
> Jan  6 10:30:18 localhost setroubleshoot: #012    SELinux is
> preventing ln(/bin/ln) (udev_t) "create" to <Unknown>
> (etc_t).#012     For complete SELinux messages. run sealert -l
> fb77e7e0-3515-4866-9a8f-e1db99f9b4b8
> 
> 
> Putting system in permissive mode, I get these:
> 
> type=AVC msg=audit(1199645179.126:34): avc:  denied  { create } for
> pid=7782 comm="ln" name=".is-writeable"
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.126:34): arch=40000003 syscall=83
> success=yes exit=0 a0=bfb56db6 a1=bfb56dc0 a2=804f77c a3=0 items=0
> ppid=7780 pid=7782 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="ln" exe="/bin/ln"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.245:35): avc:  denied  { unlink } for
> pid=7783 comm="rm" name=".is-writeable" dev=dm-0 ino=11076747
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1199645179.245:35): arch=40000003 syscall=301
> success=yes exit=0 a0=ffffff9c a1=bfa17dc0 a2=0 a3=bfa17dc0 items=0
> ppid=7780 pid=7783 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) comm="rm" exe="/bin/rm"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1199645179.255:36): avc:  denied  { append } for
> pid=7780 comm="write_cd_rules" name="70-persistent-cd.rules" dev=dm-0
> ino=11076866 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1199645179.255:36): arch=40000003 syscall=5
> success=yes exit=3 a0=8a98400 a1=8441 a2=1b6 a3=8441 items=0 ppid=7761
> pid=7780 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="write_cd_rules" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> 
> udev issue?
> 
> tom
Yes report it as a bug there.  I have a fealing it should be something
done in the post install script and not by udev.   udev writing its own
config files is probably a bad idea.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkeCWc0ACgkQrlYvE4MpobMJQwCgicGwHVWLjo3mFaVNx7ExilO1
jDsAoNlzbXVlmqkGeea7KaI8HmEJwqlg
=tBkg
-----END PGP SIGNATURE-----




More information about the fedora-selinux-list mailing list