On Friday 07 April 2006 18:39, Paul Howarth wrote:
> Aad Rijnberg wrote:
> > On Friday 07 April 2006 14:48, Gerry Tool wrote:
> >> Aad Rijnberg wrote:
> >>> Hello,
> >>>
> >>> since a week I have installed FC5; everything works OK, but today I was
> >>> trying to upload some pictures on my digital camera via USB to the PC
> >>> and the connection could not be established. I suspect SELinux.
> >>>
> >>> I use Digikam for photo management, and did auto detection of the
> >>> camera which succeeded to make the proper selection (Canon PowerShot
> >>> 510 (normal mode) ). This means that it can connect to the camera
> >>> somehow. When I then selected the camera (via Camera->Canon PowerShot
> >>> 510 (normal mode)) to get a window with thumbnails it came up with a
> >>> message :
> >>> "Failed to connect to camera. Please make sure its connected properly
> >>> and turned on. Would you like to try again?"
> >>>
> >>> I looked in /var/log/messages, and came across the following line:
> >>> Apr 7 13:25:47 localhost kernel: audit(1144409147.815:368): avc:
> >>> denied { search } for pid=2897 comm="cat" name="console" dev=dm-4
> >>> ino=393220 scontext=system_u:system_r:hald_t:s0
> >>> tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir
> >>>
> >>> Any suggestions?
> >>>
> >>> Aad
> >>
> >> Have you tried to use System > Administration > Security Level and
> >> Firewall to set SELinux permissive?
> >
> > I disabled it but initially it did not make a difference. After I
> > rebooted, I tried again, and then I could connect to the camera again. So
> > this more or less proves that it was due to SELinux settings.
> >
> > I would like to use SELinux in Enforcing mode, and find a solution to the
> > problem. Does anybody have a clue on how to pursue?
>
> If you booted with SELinux completely disabled, you'll need to relabel
> your system when you next boot with SELinux enabled (put SELinux in
> permissive mode for this). This may take a long time.
> If you just did "setenforce 0" to temporarily turn off SELinux
> enforcement to check whether a problem was SELinux-related, you wouldn't
> need to do this.
I just set it to permissive mode from Menu -> Administration -> Security Level
and Firewall within KDE (GNOME has other menu names). Apparently after reboot
it remembers that setting, because it was still in permissive mode. I tested
my camera connection, and after that I directly set the SELinux mode to
Enforcing again.
> To make changes to SELinux policy to fix this issue, you should:
> * Put SELinux in permissive mode (setenforce 0)
> * Note the exact time (date)
> * Run your application (which should work since SELinux is in permissive
> mode)
> * Note the exact time again (date)
> * Look in /var/log/messages for all "avc: denied" messages between the
> two times you noted
> * Follow the instructions at
> http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow for
> making and enabling a local SELinux policy module to allow the things
> that were denied between the two times you noted
> * Put SELinux back in enforcing mode (setenforce 1)
> * Try running the program again. It should still work.
>
> * If there is nothing "unusual" about what you are doing, you could post
> a description of what you were doing, along with the generated .te
> policy module that fixes it, to fedora-selinux-list. It might then get
> included in the main policy and solve the problem for other people
> before they come across it.
>
> Paul.
OK, Paul thanks for pointing me to this information. I will check it out, and
post a fix if appropriate.
Aad
