Eric Tanguy wrote:
On Wednesday 22 March 2006 at 20:49 +0100, Eric Tanguy wrote:
On Wednesday 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
Eric Tanguy wrote:
On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
Tanguy Eric wrote:
I think it's an SELinux problem:
I can't use my USB scanner unless I'm root
I can't mount the CD-ROM and the ext3 USB partition unless I'm root
How can I use this as a simple user?
Eric
Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
You can see if it is SELinux causing the problems by executing
setenforce 0 as root, and then see if the devices work correctly.
Dan
When I plug my USB scanner I found this in dmesg:
usb 3-2: new high speed USB device using ehci_hcd and address 8
usb 3-2: configuration #1 chosen from 1 choice
audit(1143014471.120:170): avc: denied { getattr } for pid=2699
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
as user : scanimage -L
device `v4l:/dev/video1' is a Noname Creative NX virtual device
device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
virtual device
sudo scanimage -L
Password:
device `v4l:/dev/video1' is a Noname Creative NX virtual device
device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
virtual device
device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
scanner
If I plug a USB disk containing a USB FAT32 partition and an ext3
partition,
I can see in dmesg:
Initializing USB Mass Storage driver...
scsi0 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 9
usb-storage: waiting for device to settle before scanning
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
Vendor: HDS72258 Model: 0VLAT20 Rev: V32O
Type: Direct-Access ANSI SCSI revision: 00
SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: assuming drive cache: write through
SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
sda: Write Protect is off
sda: Mode Sense: 03 00 00 00
sda: assuming drive cache: write through
sda: sda1 sda2
sd 0:0:0:0: Attached scsi disk sda
usb-storage: device scan complete
sd 0:0:0:0: Attached scsi generic sg0 type 0
audit(1143014745.045:172): avc: denied { getattr } for pid=2826
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014745.117:173): avc: denied { getattr } for pid=2830
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
As user, in my desktop only the FAT32 partition is mounted.
If I plug my USB CD/DVD reader/writer with the FC5 DVD in it,
I found in dmesg:
usb 3-1: new high speed USB device using ehci_hcd and address 10
usb 3-1: configuration #1 chosen from 1 choice
scsi1 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 10
usb-storage: waiting for device to settle before scanning
audit(1143014878.670:179): avc: denied { getattr } for pid=2913
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Vendor: PLEXTOR Model: DVDR PX-708A Rev: 1.09
Type: CD-ROM ANSI SCSI revision: 00
1:0:0:0: Attached scsi generic sg1 type 5
usb-storage: device scan complete
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
sr 1:0:0:0: Attached scsi CD-ROM sr0
audit(1143014883.606:180): avc: denied { getattr } for pid=2926
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014883.682:181): avc: denied { getattr } for pid=2951
comm="pam_console_app" name="008" dev=tmpfs ino=20684
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc: denied { getattr } for pid=2258
comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.688:183): avc: denied { getattr } for pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.688:184): avc: denied { getattr } for pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc: denied { search } for pid=2971
comm="touch" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:186): avc: denied { search } for pid=2971
comm="touch" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:187): avc: denied { getattr } for pid=2967
comm="hal-system-stor" name="/" dev=sda2 ino=2
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=dir
and the dvd is not mounted.
Eric
You seem to have a labeling problem since you have files labeled with
file_t? Can you relabel your system
touch /.autorelabel; reboot
Clear your log files and run the machine in permissive mode.
setenforce 0
Plug in your scanner and make sure it works.
Now can you send the AVC messages.
You can also execute
grep pam_console /var/log/audit/audit.log | audit2allow -M scanner
semodule -i scanner.pp
Which will update your policy to allow it to use the scanner in
enforcing mode while we update policy.
Dan
I already tried to relabel the system and the problem is the same.
In enforcing mode the scanner works fine if it is already plugged in at
boot but does not work if I unplug it and replug it.
If I disable SELinux all works fine.
I didn't try in permissive mode.
I will try it and send you the AVC messages
from /var/log/audit/audit.log
This is one point, but I had no answers about the USB disk and USB CD-ROM?
Eric
First of all, I can't find /var/log/audit/audit.log:
$ls -la /var/log/
total 1912
drwxr-xr-x 10 root root 4096 mar 22 22:51 .
drwxr-xr-x 23 root root 4096 mar 21 16:20 ..
-rw-r----- 1 root root 2135 mar 22 22:51 acpid
-rw------- 1 root root 24192 mar 21 09:48 anaconda.log
-rw------- 1 root root 146974 mar 21 09:48 anaconda.syslog
-rw------- 1 root root 39011 mar 21 09:48 anaconda.xlog
-rw------- 1 root root 0 mar 21 10:20 boot.log
-rw------- 1 root utmp 0 mar 21 09:38 btmp
-rw------- 1 root root 50186 mar 22 22:51 cron
drwxr-xr-x 2 lp sys 4096 mar 21 10:24 cups
-rw-r--r-- 1 root root 19090 mar 22 22:50 dmesg
drwxr-xr-x 2 root root 4096 mar 22 22:51 gdm
drwx------ 2 root root 4096 fév 12 00:12 httpd
drwxrwx--- 2 root ircd 4096 fév 15 01:16 ircd
-rw-r--r-- 1 root root 146292 mar 22 22:51 lastlog
drwxr-xr-x 2 root root 4096 mar 21 09:38 mail
-rw------- 1 root root 20773 mar 22 22:51 maillog
-rw------- 1 root root 829727 mar 22 22:55 messages
drwx------ 2 root root 4096 fév 12 09:49 ppp
-rw-r--r-- 1 root root 68029 mar 22 21:42 prelink.log
-rw-r--r-- 1 root root 31300 mar 22 21:42 rpmpkgs
drwx------ 2 root root 4096 fév 13 17:36 samba
-rw-r--r-- 1 root root 64863 mar 21 18:36 scrollkeeper.log
-rw------- 1 root root 155455 mar 22 22:53 secure
-rw------- 1 root root 0 mar 21 10:20 spooler
drwxr-xr-x 2 root root 4096 mar 1 16:29 vbox
-rw-rw-r-- 1 root utmp 143616 mar 22 22:54 wtmp
-rw-r--r-- 1 root root 42470 mar 22 22:51 Xorg.0.log
-rw-r--r-- 1 root root 42525 mar 22 22:34 Xorg.0.log.old
-rw-r--r-- 1 root root 16530 mar 22 22:47 yum.log
Why is there no /var/log/audit in my system?
I tried the scanner in permissive mode and it works fine as user:
Mar 22 22:52:05 bureau bonobo-activation-server (root-2663): Duff env.
var ''
Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
Mar 22 22:54:12 bureau kernel: usb 3-2: new high speed USB device using
ehci_hcd and address 8
Mar 22 22:54:13 bureau kernel: usb 3-2: configuration #1 chosen from 1
choice
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc: denied
{ getattr } for pid=2776 comm="pam_console_app" name="008" dev=tmpfs
ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
Eric
auditd is disabled by default in FC5. You can install the audit daemon
and it will work like it did in devel.
pam_console has those privs in the updated policy.
Dan
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
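
Added example (not part of the original thread and not code from any poster): a small parser that groups the AVC denials quoted above by source type, target type and object class, and separates denials against file_t targets (the labeling problem Dan points out) from denials against labeled targets such as usb_device_t. The function names and the advice strings are this example's own.

```python
import re
from collections import defaultdict

# Denials quoted in the thread, rejoined onto one line each (the mail wrapped them).
SAMPLE = """\
audit(1143014471.120:170): avc: denied { getattr } for pid=2699 comm="pam_console_app" name="008" dev=tmpfs ino=20684 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc: denied { getattr } for pid=2258 comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc: denied { search } for pid=2971 comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc: denied { getattr } for pid=2776 comm="pam_console_app" name="008" dev=tmpfs ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
"""

AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None for non-AVC lines."""
    m = AVC.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def type_of(context):
    """user:role:type[:mls] -> type (whole string if malformed)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["count"] += 1
    return dict(groups)

def triage(groups):
    """file_t targets point to labeling (Dan's remark), not to a missing rule."""
    rows = []
    for (src, tgt, cls), g in sorted(groups.items()):
        advice = "relabel target first" if tgt == "file_t" else "review for policy rule"
        rows.append((src, tgt, cls, sorted(g["perms"]), g["count"], advice))
    return rows

if __name__ == "__main__":
    for row in triage(summarize(SAMPLE)):
        print(row)
```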