On Wednesday, 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
> Eric Tanguy wrote:
> > On Tuesday, 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
> >
> >> Tanguy Eric wrote:
> >>
> >>> I think it's a selinux problem :
> >>> i can't use my usb scanner unless i'm root
> >>> i can't mount cdrom and ext3 usb partition unless i'm root
> >>>
> >>> How can i use this in simple user ?
> >>> Eric
> >>>
> >> Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
> >>
> >> You can see if it is SELinux causing the problems by executing
> >> setenforce 0 as root, and then see if the devices work correctly.
> >>
> >> Dan
> >>
> > When i plug my usb scanner i found this in dmesg :
> > usb 3-2: new high speed USB device using ehci_hcd and address 8
> > usb 3-2: configuration #1 chosen from 1 choice
> > audit(1143014471.120:170): avc: denied { getattr } for pid=2699
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >
> > as user : scanimage -L
> > device `v4l:/dev/video1' is a Noname Creative NX virtual device
> > device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> > virtual device
> >
> > sudo scanimage -L
> > Password:
> > device `v4l:/dev/video1' is a Noname Creative NX virtual device
> > device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> > virtual device
> > device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
> > scanner
> >
> > if i plug a usb disk containing a usb fat32 partition and a ext3
> > partition :
> >
> > i can see in dmesg :
> > Initializing USB Mass Storage driver...
> > scsi0 : SCSI emulation for USB Mass Storage devices
> > usb-storage: device found at 9
> > usb-storage: waiting for device to settle before scanning
> > usbcore: registered new driver usb-storage
> > USB Mass Storage support registered.
> > Vendor: HDS72258 Model: 0VLAT20 Rev: V32O
> > Type: Direct-Access ANSI SCSI revision: 00
> > SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> > sda: Write Protect is off
> > sda: Mode Sense: 03 00 00 00
> > sda: assuming drive cache: write through
> > SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> > sda: Write Protect is off
> > sda: Mode Sense: 03 00 00 00
> > sda: assuming drive cache: write through
> > sda: sda1 sda2
> > sd 0:0:0:0: Attached scsi disk sda
> > usb-storage: device scan complete
> > sd 0:0:0:0: Attached scsi generic sg0 type 0
> > audit(1143014745.045:172): avc: denied { getattr } for pid=2826
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > audit(1143014745.117:173): avc: denied { getattr } for pid=2830
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >
> > as user in my desktop only the fat32 partition is mounted
> >
> > if i plug my usb cd/dvd reader writer with the fc5 dvd in it .
> > I found in dmesg :
> > usb 3-1: new high speed USB device using ehci_hcd and address 10
> > usb 3-1: configuration #1 chosen from 1 choice
> > scsi1 : SCSI emulation for USB Mass Storage devices
> > usb-storage: device found at 10
> > usb-storage: waiting for device to settle before scanning
> > audit(1143014878.670:179): avc: denied { getattr } for pid=2913
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > Vendor: PLEXTOR Model: DVDR PX-708A Rev: 1.09
> > Type: CD-ROM ANSI SCSI revision: 00
> > 1:0:0:0: Attached scsi generic sg1 type 5
> > usb-storage: device scan complete
> > sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
> > sr 1:0:0:0: Attached scsi CD-ROM sr0
> > audit(1143014883.606:180): avc: denied { getattr } for pid=2926
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > audit(1143014883.682:181): avc: denied { getattr } for pid=2951
> > comm="pam_console_app" name="008" dev=tmpfs ino=20684
> > scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> > audit(1143014921.500:182): avc: denied { getattr } for pid=2258
> > comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > audit(1143014921.688:183): avc: denied { getattr } for pid=2967
> > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > audit(1143014921.688:184): avc: denied { getattr } for pid=2967
> > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > audit(1143014921.692:185): avc: denied { search } for pid=2971
> > comm="touch" name="/" dev=sda2 ino=2
> > scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > audit(1143014921.692:186): avc: denied { search } for pid=2971
> > comm="touch" name="/" dev=sda2 ino=2
> > scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> > audit(1143014921.692:187): avc: denied { getattr } for pid=2967
> > comm="hal-system-stor" name="/" dev=sda2 ino=2
> > scontext=system_u:system_r:hald_t:s0
> > tcontext=system_u:object_r:file_t:s0 tclass=dir
> >
> > and the dvd is not mounted.
> >
> > Eric
> >
> You seem to have a labeling problem since you have files labeled with
> file_t? Can you relabel your system
> touch /.autorelabel; reboot
>
> Clear your log files and run the machine in permissive mode.
>
> setenforce 0
>
> Plug in your scanner and make sure it works.
>
> Now can you send the AVC messages.
>
> You can also execute
>
> grep pam_console /var/log/audit/audit.log | audit2allow -M scanner
>
> semodule -i scanner.pp
>
> Which will update your policy to allow it to use the scanner in
> enforcing mode while we update policy.
>
>
> Dan

I already tried to relabel the system and the problem is the same. In
enforcing mode the scanner works fine if it is already plugged in at boot
but does not work if I unplug it and replug it. If I disable selinux all
works fine. I didn't try in permissive mode. I will try it and send you
the avc messages from /var/log/audit/audit.log.

This is one point, but I had no answers about usb disk and usb cdrom ?

Eric
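
The following is an added example, not part of the original thread: a small Python parser that groups the AVC denials quoted above by source type, target type and class, and separates the targets typed `file_t` (which Dan's reply reads as a labeling problem) from denials that `audit2allow` would turn into allow rules. The sample lines are copied from the quoted dmesg output and re-joined onto one line each; the function names are my own.

```python
import re
from collections import defaultdict

# Lines copied from the dmesg output quoted in the thread, re-joined per record.
SAMPLE = """\
audit(1143014471.120:170): avc: denied { getattr } for pid=2699 comm="pam_console_app" name="008" dev=tmpfs ino=20684 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc: denied { getattr } for pid=2258 comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc: denied { search } for pid=2971 comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
usb-storage: device scan complete
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "devs": set()})
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue  # ordinary kernel message, not a denial
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        groups[key]["perms"].update(avc["perms"])
        groups[key]["comms"].add(avc["comm"])
        groups[key]["devs"].add(avc.get("dev", ""))
    return dict(groups)

def devices_with_file_t(summary):
    """Devices whose denied targets are typed file_t: check labels before adding allow rules."""
    return sorted({d for (_, ttype, _), g in summary.items() if ttype == "file_t" for d in g["devs"]})
```

On the sample this yields two groups: `pam_console_t` on `usb_device_t` character devices, and `hald_t` on `file_t` directories on `sda2`.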