Re: fc-5 and selinux

Eric Tanguy wrote:
On Wednesday 22 March 2006 at 20:49 +0100, Eric Tanguy wrote:
On Wednesday 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
Eric Tanguy wrote:
On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
Tanguy Eric wrote:
I think it's an SELinux problem:
I can't use my USB scanner unless I'm root
I can't mount the CD-ROM or an ext3 USB partition unless I'm root

How can I use these as a normal user?
Eric


Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?

You can see if it is SELinux causing the problems by executing setenforce 0 as root, and then see if the devices work correctly.

Dan

When I plugged in my USB scanner I found this in dmesg:
usb 3-2: new high speed USB device using ehci_hcd and address 8
usb 3-2: configuration #1 chosen from 1 choice
audit(1143014471.120:170): avc:  denied  { getattr } for  pid=2699
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

as user: scanimage -L
device `v4l:/dev/video1' is a Noname Creative NX virtual device
device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
virtual device

sudo scanimage -L
Password:
device `v4l:/dev/video1' is a Noname Creative NX virtual device
device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
virtual device
device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
scanner

If I plug in a USB disk containing a FAT32 partition and an ext3
partition:

I can see in dmesg: Initializing USB Mass Storage driver...
scsi0 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 9
usb-storage: waiting for device to settle before scanning
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
  Vendor: HDS72258  Model: 0VLAT20           Rev: V32O
  Type:   Direct-Access                      ANSI SCSI revision: 00
SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: assuming drive cache: write through
SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: assuming drive cache: write through
 sda: sda1 sda2
sd 0:0:0:0: Attached scsi disk sda
usb-storage: device scan complete
sd 0:0:0:0: Attached scsi generic sg0 type 0
audit(1143014745.045:172): avc:  denied  { getattr } for  pid=2826
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014745.117:173): avc:  denied  { getattr } for  pid=2830
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

As user, on my desktop only the FAT32 partition is mounted.

If I plug in my USB CD/DVD reader/writer with the FC5 DVD in it,
I found in dmesg: usb 3-1: new high speed USB device using ehci_hcd and address 10
usb 3-1: configuration #1 chosen from 1 choice
scsi1 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 10
usb-storage: waiting for device to settle before scanning
audit(1143014878.670:179): avc:  denied  { getattr } for  pid=2913
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
  Vendor: PLEXTOR   Model: DVDR   PX-708A    Rev: 1.09
  Type:   CD-ROM                             ANSI SCSI revision: 00
 1:0:0:0: Attached scsi generic sg1 type 5
usb-storage: device scan complete
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
sr 1:0:0:0: Attached scsi CD-ROM sr0
audit(1143014883.606:180): avc:  denied  { getattr } for  pid=2926
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014883.682:181): avc:  denied  { getattr } for  pid=2951
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258
comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.688:183): avc:  denied  { getattr } for  pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.688:184): avc:  denied  { getattr } for  pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc:  denied  { search } for  pid=2971
comm="touch" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:186): avc:  denied  { search } for  pid=2971
comm="touch" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:187): avc:  denied  { getattr } for  pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir

and the DVD is not mounted.

Eric


You seem to have a labeling problem, since you have files labeled file_t. Can you relabel your system:
touch /.autorelabel; reboot

Clear your log files and run the machine in permissive mode.

setenforce 0

Plug in your scanner and make sure it works.

Now can you send the AVC messages?

You can also execute

grep pam_console /var/log/audit/audit.log | audit2allow -M scanner

semodule -i scanner.pp

Which will update your policy to allow it to use the scanner in enforcing mode while we update policy.


Dan
I already tried to relabel the system and the problem is the same.
In enforcing mode the scanner works fine if it is already plugged in at
boot, but does not work if I unplug it and replug it.
If I disable SELinux, everything works fine.
I didn't try permissive mode.
I will try it and send you the AVC messages
from /var/log/audit/audit.log

This is one point, but I had no answers about the USB disk and USB CD-ROM?
Eric

First of all, I can't find /var/log/audit/audit.log: $ ls -la /var/log/
total 1912
drwxr-xr-x 10 root root   4096 mar 22 22:51 .
drwxr-xr-x 23 root root   4096 mar 21 16:20 ..
-rw-r-----  1 root root   2135 mar 22 22:51 acpid
-rw-------  1 root root  24192 mar 21 09:48 anaconda.log
-rw-------  1 root root 146974 mar 21 09:48 anaconda.syslog
-rw-------  1 root root  39011 mar 21 09:48 anaconda.xlog
-rw-------  1 root root      0 mar 21 10:20 boot.log
-rw-------  1 root utmp      0 mar 21 09:38 btmp
-rw-------  1 root root  50186 mar 22 22:51 cron
drwxr-xr-x  2 lp   sys    4096 mar 21 10:24 cups
-rw-r--r--  1 root root  19090 mar 22 22:50 dmesg
drwxr-xr-x  2 root root   4096 mar 22 22:51 gdm
drwx------  2 root root   4096 fév 12 00:12 httpd
drwxrwx---  2 root ircd   4096 fév 15 01:16 ircd
-rw-r--r--  1 root root 146292 mar 22 22:51 lastlog
drwxr-xr-x  2 root root   4096 mar 21 09:38 mail
-rw-------  1 root root  20773 mar 22 22:51 maillog
-rw-------  1 root root 829727 mar 22 22:55 messages
drwx------  2 root root   4096 fév 12 09:49 ppp
-rw-r--r--  1 root root  68029 mar 22 21:42 prelink.log
-rw-r--r--  1 root root  31300 mar 22 21:42 rpmpkgs
drwx------  2 root root   4096 fév 13 17:36 samba
-rw-r--r--  1 root root  64863 mar 21 18:36 scrollkeeper.log
-rw-------  1 root root 155455 mar 22 22:53 secure
-rw-------  1 root root      0 mar 21 10:20 spooler
drwxr-xr-x  2 root root   4096 mar  1 16:29 vbox
-rw-rw-r--  1 root utmp 143616 mar 22 22:54 wtmp
-rw-r--r--  1 root root  42470 mar 22 22:51 Xorg.0.log
-rw-r--r--  1 root root  42525 mar 22 22:34 Xorg.0.log.old
-rw-r--r--  1 root root  16530 mar 22 22:47 yum.log

Why is there no /var/log/audit on my system?

I tried the scanner in permissive mode and it works fine as user:
Mar 22 22:52:05 bureau bonobo-activation-server (root-2663): Duff env.
var ''
Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
Mar 22 22:54:12 bureau kernel: usb 3-2: new high speed USB device using
ehci_hcd and address 8
Mar 22 22:54:13 bureau kernel: usb 3-2: configuration #1 chosen from 1
choice
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc:  denied
{ getattr } for  pid=2776 comm="pam_console_app" name="008" dev=tmpfs
ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

Eric

auditd is disabled by default in FC5. You can install the audit daemon and it will work like it did in devel.

pam_console has those privs in the updated policy.
Dan


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
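The workflow Dan describes above (run permissive, collect the AVC denials, feed them to audit2allow, load the resulting module) is what audit2allow automates. The following is an added example, not code from the thread and not audit2allow's own code: a small parser that turns AVC lines of the two shapes quoted in the thread (bare `audit(...)` lines from dmesg and syslog-prefixed lines from /var/log/messages, either one wrapped across several lines by the mail client) into merged `allow` rules and a `.te` module in the layout `audit2allow -M` writes. It adds the check a practitioner wants at this point: a denial whose target type is `file_t` (the type of files that carry no SELinux label at all) or `unlabeled_t` is reported as a labeling problem rather than turned into an allow rule, because allowing hald_t access to file_t would silence Dan's diagnosis instead of fixing it. audit2allow itself does not make that distinction, so this deliberately diverges from it. `SAMPLE_LOG` is constructed from the messages quoted in the thread; the function names and `UNLABELED_TYPES` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC messages quoted in the thread:
# bare audit(...) lines from dmesg, a syslog-prefixed line from
# /var/log/messages, records wrapped across lines by the mail client,
# and unrelated kernel lines in between.
SAMPLE_LOG = """\
usb 3-2: new high speed USB device using ehci_hcd and address 8
usb 3-2: configuration #1 chosen from 1 choice
audit(1143014471.120:170): avc:  denied  { getattr } for  pid=2699
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
 sda: sda1 sda2
audit(1143014921.500:182): avc:  denied  { getattr } for  pid=2258
comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc:  denied  { search } for  pid=2971
comm="touch" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc:  denied
{ getattr } for  pid=2776 comm="pam_console_app" name="008" dev=tmpfs
ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# A wrapped continuation line starts with key=value or with the "{ perms }" brace.
CONT_RE = re.compile(r"^(\w+=|\{)")

# Targets of these types carry no real label: the fix is a relabel, not a policy rule.
# (This filter is the example's own; audit2allow does not apply it.)
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def unwrap_records(text):
    """Join AVC records that a mail client or terminal wrapped across lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if "avc:" in line:
            if current:
                records.append(current)
            current = line
        elif current and CONT_RE.match(line):
            current += " " + line
        else:
            if current:
                records.append(current)
            current = None
    if current:
        records.append(current)
    return records


def context_type(ctx):
    """system_u:system_r:pam_console_t:s0-s0:c0.c255 -> pam_console_t"""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per denial: perms, comm, name, source/target types, class."""
    denials = []
    for rec in unwrap_records(text):
        m = AVC_RE.search(rec)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": m.group("perms").split(),
            "comm": f.get("comm"),
            "name": f.get("name"),
            "source": context_type(f["scontext"]),
            "target": context_type(f["tcontext"]),
            "tclass": f["tclass"],
        })
    return denials


def labeling_problems(denials):
    """Denials against unlabeled types: report, do not allow."""
    return [d for d in denials if d["target"] in UNLABELED_TYPES]


def allow_rules(denials):
    """Merge denials into allow rules keyed by (source, target, class), like audit2allow."""
    merged = defaultdict(set)
    for d in denials:
        if d["target"] in UNLABELED_TYPES:
            continue
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def policy_module(name, denials):
    """Render a .te module in the shape `audit2allow -M name` writes."""
    usable = [d for d in denials if d["target"] not in UNLABELED_TYPES]
    types = sorted({d["source"] for d in usable} | {d["target"] for d in usable})
    classes = defaultdict(set)
    for d in usable:
        classes[d["tclass"]].update(d["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(usable)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_LOG)
    for d in labeling_problems(found):
        print(f"relabel, don't allow: {d['comm']} on {d['name']!r} is {d['target']}")
    print(policy_module("scanner", found))
```

On the sample, the two pam_console denials collapse into one `allow pam_console_t usb_device_t:chr_file { getattr };` rule, and the three hald/touch denials against `file_t` on sda2 are reported for relabeling instead. The printed `.te` text is what `audit2allow -M scanner` would write to scanner.te before building it; by hand the equivalent is `checkmodule -M -m -o scanner.mod scanner.te`, `semodule_package -o scanner.pp -m scanner.mod`, then `semodule -i scanner.pp`. Load only rules for accesses you have confirmed the program needs: a module generated blindly from a permissive-mode log allows everything the program tried, not just what it should be doing.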