On Thursday 23 March 2006 at 11:02 -0500, Daniel J Walsh wrote:
> Eric Tanguy wrote:
> > On Wednesday 22 March 2006 at 20:49 +0100, Eric Tanguy wrote:
> >
> >> On Wednesday 22 March 2006 at 10:08 -0500, Daniel J Walsh wrote:
> >>
> >>> Eric Tanguy wrote:
> >>>
> >>>> On Tuesday 21 March 2006 at 14:28 -0500, Daniel J Walsh wrote:
> >>>>
> >>>>> Tanguy Eric wrote:
> >>>>>
> >>>>>> I think it's a selinux problem:
> >>>>>> I can't use my usb scanner unless I'm root
> >>>>>> I can't mount cdrom and ext3 usb partition unless I'm root
> >>>>>>
> >>>>>> How can I use this as a simple user?
> >>>>>> Eric
> >>>>>>
> >>>>> Are you seeing AVC messages in /var/log/messages? /var/log/audit/audit.log?
> >>>>>
> >>>>> You can see if it is SELinux causing the problems by executing
> >>>>> setenforce 0 as root, and then see if the devices work correctly.
> >>>>>
> >>>>> Dan
> >>>>>
> >>>> When I plug my usb scanner I found this in dmesg:
> >>>> usb 3-2: new high speed USB device using ehci_hcd and address 8
> >>>> usb 3-2: configuration #1 chosen from 1 choice
> >>>> audit(1143014471.120:170): avc: denied { getattr } for pid=2699
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>>
> >>>> as user: scanimage -L
> >>>> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> >>>> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> >>>> virtual device
> >>>>
> >>>> sudo scanimage -L
> >>>> Password:
> >>>> device `v4l:/dev/video1' is a Noname Creative NX virtual device
> >>>> device `v4l:/dev/video0' is a Noname BT878 video (Pinnacle PCTV Stud
> >>>> virtual device
> >>>> device `snapscan:libusb:003:008' is a EPSON EPSON Scanner flatbed
> >>>> scanner
> >>>>
> >>>> If I plug a usb disk containing a usb fat32 partition and an ext3
> >>>> partition:
> >>>> I can see in dmesg:
> >>>> Initializing USB Mass Storage driver...
> >>>> scsi0 : SCSI emulation for USB Mass Storage devices
> >>>> usb-storage: device found at 9
> >>>> usb-storage: waiting for device to settle before scanning
> >>>> usbcore: registered new driver usb-storage
> >>>> USB Mass Storage support registered.
> >>>> Vendor: HDS72258 Model: 0VLAT20 Rev: V32O
> >>>> Type: Direct-Access ANSI SCSI revision: 00
> >>>> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> >>>> sda: Write Protect is off
> >>>> sda: Mode Sense: 03 00 00 00
> >>>> sda: assuming drive cache: write through
> >>>> SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
> >>>> sda: Write Protect is off
> >>>> sda: Mode Sense: 03 00 00 00
> >>>> sda: assuming drive cache: write through
> >>>> sda: sda1 sda2
> >>>> sd 0:0:0:0: Attached scsi disk sda
> >>>> usb-storage: device scan complete
> >>>> sd 0:0:0:0: Attached scsi generic sg0 type 0
> >>>> audit(1143014745.045:172): avc: denied { getattr } for pid=2826
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014745.117:173): avc: denied { getattr } for pid=2830
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>>
> >>>> As user in my desktop only the fat32 partition is mounted
> >>>>
> >>>> If I plug my usb cd/dvd reader writer with the fc5 dvd in it.
> >>>> I found in dmesg:
> >>>> usb 3-1: new high speed USB device using ehci_hcd and address 10
> >>>> usb 3-1: configuration #1 chosen from 1 choice
> >>>> scsi1 : SCSI emulation for USB Mass Storage devices
> >>>> usb-storage: device found at 10
> >>>> usb-storage: waiting for device to settle before scanning
> >>>> audit(1143014878.670:179): avc: denied { getattr } for pid=2913
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> Vendor: PLEXTOR Model: DVDR PX-708A Rev: 1.09
> >>>> Type: CD-ROM ANSI SCSI revision: 00
> >>>> 1:0:0:0: Attached scsi generic sg1 type 5
> >>>> usb-storage: device scan complete
> >>>> sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
> >>>> sr 1:0:0:0: Attached scsi CD-ROM sr0
> >>>> audit(1143014883.606:180): avc: denied { getattr } for pid=2926
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014883.682:181): avc: denied { getattr } for pid=2951
> >>>> comm="pam_console_app" name="008" dev=tmpfs ino=20684
> >>>> scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> >>>> tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >>>> audit(1143014921.500:182): avc: denied { getattr } for pid=2258
> >>>> comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.688:183): avc: denied { getattr } for pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.688:184): avc: denied { getattr } for pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:185): avc: denied { search } for pid=2971
> >>>> comm="touch" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:186): avc: denied { search } for pid=2971
> >>>> comm="touch" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>> audit(1143014921.692:187): avc: denied { getattr } for pid=2967
> >>>> comm="hal-system-stor" name="/" dev=sda2 ino=2
> >>>> scontext=system_u:system_r:hald_t:s0
> >>>> tcontext=system_u:object_r:file_t:s0 tclass=dir
> >>>>
> >>>> and the dvd is not mounted.
> >>>>
> >>>> Eric
> >>>>
> >>> You seem to have a labeling problem since you have files labeled with
> >>> file_t? Can you relabel your system
> >>> touch /.autorelabel; reboot
> >>>
> >>> Clear your log files and run the machine in permissive mode.
> >>>
> >>> setenforce 0
> >>>
> >>> Plug in your scanner and make sure it works.
> >>>
> >>> Now can you send the AVC messages.
> >>>
> >>> You can also execute
> >>>
> >>> grep pam_console /var/log/audit/audit.log | audit2allow -M scanner
> >>>
> >>> semodule -i scanner.pp
> >>>
> >>> Which will update your policy to allow it to use the scanner in
> >>> enforcing mode while we update policy.
> >>>
> >>> Dan
> >>>
> >> I already tried to relabel the system and the problem is the same.
> >> In enforcing mode the scanner works fine if it is already plugged at the
> >> boot but does not work if I unplug it and replug it.
> >> If I disable selinux all work fine.
> >> I didn't try in permissive mode.
> >> I will try it and send you the avc messages
> >> from /var/log/audit/audit.log
> >>
> >> This is one point but I had no answers about usb disk and usb cdrom?
> >> Eric
> >>
> > First of all, I can't find /var/log/audit/audit.log:
> > $ls -la /var/log/
> > total 1912
> > drwxr-xr-x 10 root root 4096 mar 22 22:51 .
> > drwxr-xr-x 23 root root 4096 mar 21 16:20 ..
> > -rw-r----- 1 root root 2135 mar 22 22:51 acpid
> > -rw------- 1 root root 24192 mar 21 09:48 anaconda.log
> > -rw------- 1 root root 146974 mar 21 09:48 anaconda.syslog
> > -rw------- 1 root root 39011 mar 21 09:48 anaconda.xlog
> > -rw------- 1 root root 0 mar 21 10:20 boot.log
> > -rw------- 1 root utmp 0 mar 21 09:38 btmp
> > -rw------- 1 root root 50186 mar 22 22:51 cron
> > drwxr-xr-x 2 lp sys 4096 mar 21 10:24 cups
> > -rw-r--r-- 1 root root 19090 mar 22 22:50 dmesg
> > drwxr-xr-x 2 root root 4096 mar 22 22:51 gdm
> > drwx------ 2 root root 4096 fév 12 00:12 httpd
> > drwxrwx--- 2 root ircd 4096 fév 15 01:16 ircd
> > -rw-r--r-- 1 root root 146292 mar 22 22:51 lastlog
> > drwxr-xr-x 2 root root 4096 mar 21 09:38 mail
> > -rw------- 1 root root 20773 mar 22 22:51 maillog
> > -rw------- 1 root root 829727 mar 22 22:55 messages
> > drwx------ 2 root root 4096 fév 12 09:49 ppp
> > -rw-r--r-- 1 root root 68029 mar 22 21:42 prelink.log
> > -rw-r--r-- 1 root root 31300 mar 22 21:42 rpmpkgs
> > drwx------ 2 root root 4096 fév 13 17:36 samba
> > -rw-r--r-- 1 root root 64863 mar 21 18:36 scrollkeeper.log
> > -rw------- 1 root root 155455 mar 22 22:53 secure
> > -rw------- 1 root root 0 mar 21 10:20 spooler
> > drwxr-xr-x 2 root root 4096 mar 1 16:29 vbox
> > -rw-rw-r-- 1 root utmp 143616 mar 22 22:54 wtmp
> > -rw-r--r-- 1 root root 42470 mar 22 22:51 Xorg.0.log
> > -rw-r--r-- 1 root root 42525 mar 22 22:34 Xorg.0.log.old
> > -rw-r--r-- 1 root root 16530 mar 22 22:47 yum.log
> >
> > Why is there no /var/log/audit in my system?
> >
> > I tried the scanner in permissive mode and it works fine as user:
> > Mar 22 22:52:05 bureau bonobo-activation-server (root-2663): Duff env.
> > var ''
> > Mar 22 22:54:09 bureau kernel: usb 3-2: USB disconnect, address 2
> > Mar 22 22:54:12 bureau kernel: usb 3-2: new high speed USB device using
> > ehci_hcd and address 8
> > Mar 22 22:54:13 bureau kernel: usb 3-2: configuration #1 chosen from 1
> > choice
> > Mar 22 22:54:13 bureau kernel: audit(1143064453.308:18): avc: denied
> > { getattr } for pid=2776 comm="pam_console_app" name="008" dev=tmpfs
> > ino=13410 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255
> > tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
> >
> > Eric
> >
> auditd is disabled by default in FC5. You can install the audit daemon
> and it will work like it did in devel.

Ok, I installed it.

>
> pam_console has those privs in the updated policy.
> Dan

Why (when) will this policy be available as an update?

Eric

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
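
As an added example (not part of the original thread), the Python sketch below groups AVC denials like those quoted above by source type, target type and class, and applies the triage Dan describes: targets labeled file_t are set aside as a labeling problem, the rest are shown as audit2allow-style allow rules. The function names and rule formatting are this example's own; the sample lines are denials from the thread rejoined onto single lines.

```python
import re
from collections import defaultdict

# Denials copied from the thread, each rejoined onto a single line.
SAMPLE = """\
audit(1143014471.120:170): avc: denied { getattr } for pid=2699 comm="pam_console_app" name="008" dev=tmpfs ino=20684 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143014921.500:182): avc: denied { getattr } for pid=2258 comm="hald" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143014921.692:185): avc: denied { search } for pid=2971 comm="touch" name="/" dev=sda2 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def triage(denials):
    """Separate file_t targets (relabel first) from denials that need policy."""
    relabel, policy = [], []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        (relabel if tgt == "file_t" else policy).append(rule)
    return relabel, policy

if __name__ == "__main__":
    relabel, policy = triage(summarize(SAMPLE))
    print("Labeling problem (relabel first):", *relabel, sep="\n  ")
    print("Policy gap (candidate module rules):", *policy, sep="\n  ")
```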