Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
<< actually many, many copies of these....>>
tom
On Thu, 2006-06-29 at 06:52 -0700, Tom London wrote:
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
pam_console_apply must be able to get and set attributes (ownership and mode) on all device nodes which should be accessible by the console user.
On 6/29/06, Tomas Mraz tmraz@redhat.com wrote:
On Thu, 2006-06-29 at 06:52 -0700, Tom London wrote:
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
pam_console_apply must be able to get and set attributes (ownership and mode) on all device nodes which should be accessible by the console user.
-- Tomas Mraz tmraz@redhat.com
Should pam_console_apply have access to all 'device_t' or are new 'device types' for the 'pam-controlled' ones appropriate?
tom
Tom London wrote:
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
The problem is usbdev5.5_ep02 is not labeled correctly. Is this a real device? What kind of device is it?
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
<< actually many, many copies of these....>>
tom
On 7/8/06, Daniel J Walsh dwalsh@redhat.com wrote:
Tom London wrote:
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
The problem is usbdev5.5_ep02 is not labeled correctly. Is this a real device? What kind of device is it?
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
<< actually many, many copies of these....>>
Happens every time I boot. Appears to depend on the usb devices I have connected at the time (I have 2 'docks' for my laptop, so the USB setup is not the same).
In this case, 'lsusb' says:
Bus 005 Device 005: ID 04b8:010a Seiko Epson Corp. Perfection 1640SU
Bus 005 Device 004: ID 0461:4d03 Primax Electronics, Ltd Kensington Mouse-in-a-box
Bus 005 Device 002: ID 04b3:4484 IBM Corp.
Bus 005 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 003 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
So I'm guessing usbdev5.5_ep* is pointing at this.
tom
On Sat, 2006-07-08 at 13:15 -0700, Tom London wrote:
On 7/8/06, Daniel J Walsh dwalsh@redhat.com wrote:
Tom London wrote:
Running targeted/enforcing, latest Rawhide.
Noticed this in /var/log/messages, before auditd is started I guess:
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
The problem is usbdev5.5_ep02 is not labeled correctly. Is this a real device? What kind of device is it?
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
<< actually many, many copies of these....>>
Happens every time I boot. Appears to depend on the usb devices I have connected at the time (I have 2 'docks' for my laptop, so the USB setup is not the same).
In this case, 'lsusb' says:
Bus 005 Device 005: ID 04b8:010a Seiko Epson Corp. Perfection 1640SU
Bus 005 Device 004: ID 0461:4d03 Primax Electronics, Ltd Kensington Mouse-in-a-box
Bus 005 Device 002: ID 04b3:4484 IBM Corp.
Bus 005 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 003 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
So I'm guessing usbdev5.5_ep* is pointing at this.
It is the scanner device so it should have a scanner_device_t type. pam_console_apply actually accesses /dev/usb/scanner* or /dev/scanner* symlink which points to the device node.
On 7/10/06, Tomas Mraz tmraz@redhat.com wrote:
On Sat, 2006-07-08 at 13:15 -0700, Tom London wrote:
On 7/8/06, Daniel J Walsh dwalsh@redhat.com wrote:
Happens every time I boot. Appears to depend on the usb devices I have connected at the time (I have 2 'docks' for my laptop, so the USB setup is not the same).
In this case, 'lsusb' says:
Bus 005 Device 005: ID 04b8:010a Seiko Epson Corp. Perfection 1640SU
Bus 005 Device 004: ID 0461:4d03 Primax Electronics, Ltd Kensington Mouse-in-a-box
Bus 005 Device 002: ID 04b3:4484 IBM Corp.
Bus 005 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 003 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
So I'm guessing usbdev5.5_ep* is pointing at this.
It is the scanner device so it should have a scanner_device_t type. pam_console_apply actually accesses /dev/usb/scanner* or /dev/scanner* symlink which points to the device node.
-- Tomas Mraz tmraz@redhat.com
Here is the output from 'ls -lZ /dev/scanner*':
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5 -> bus/usb/001/005
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep00 -> usbdev1.5_ep00
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep02 -> usbdev1.5_ep02
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep81 -> usbdev1.5_ep81
All /dev/usbdev* files are labeled as device_t.
tom
Tom London wrote:
On 7/10/06, Tomas Mraz tmraz@redhat.com wrote:
On Sat, 2006-07-08 at 13:15 -0700, Tom London wrote:
On 7/8/06, Daniel J Walsh dwalsh@redhat.com wrote:
Happens every time I boot. Appears to depend on the usb devices I have connected at the time (I have 2 'docks' for my laptop, so the USB setup is not the same).
In this case, 'lsusb' says:
Bus 005 Device 005: ID 04b8:010a Seiko Epson Corp. Perfection 1640SU
Bus 005 Device 004: ID 0461:4d03 Primax Electronics, Ltd Kensington Mouse-in-a-box
Bus 005 Device 002: ID 04b3:4484 IBM Corp.
Bus 005 Device 001: ID 0000:0000
Bus 002 Device 001: ID 0000:0000
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 003 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
So I'm guessing usbdev5.5_ep* is pointing at this.
It is the scanner device so it should have a scanner_device_t type. pam_console_apply actually accesses /dev/usb/scanner* or /dev/scanner* symlink which points to the device node.
-- Tomas Mraz tmraz@redhat.com
Here is the output from 'ls -lZ /dev/scanner*':
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5 -> bus/usb/001/005
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep00 -> usbdev1.5_ep00
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep02 -> usbdev1.5_ep02
lrwxrwxrwx root root system_u:object_r:device_t /dev/scanner-usbdev1.5_ep81 -> usbdev1.5_ep81
All /dev/usbdev* files are labeled as device_t.
tom
If I add the following:
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
Will it fix the problem?
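An added triage helper, not part of the thread, for the kind of AVC record quoted above: it parses the kernel audit lines, groups denials by source type, target type, object class and permission, and flags groups whose target carries the catch-all device_t label as a labeling problem (Dan Walsh's diagnosis) rather than a missing policy rule. The sample log is constructed: three lines copy the thread's records and the fourth (a setattr on a scanner_device_t node) is invented to show the other branch.

```python
import re
from collections import defaultdict

# Constructed sample: three records in the shape quoted in the thread plus one
# (the scanner_device_t line) invented here to exercise the other branch.
SAMPLE_LOG = """\
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:102): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep02" dev=tmpfs ino=5143 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:103): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep81" dev=tmpfs ino=5120 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:48 localhost kernel: audit(1151588567.562:104): avc: denied { getattr } for pid=1526 comm="pam_console_app" name="usbdev5.5_ep00" dev=tmpfs ino=5068 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jun 29 06:43:49 localhost kernel: audit(1151588568.101:105): avc: denied { setattr } for pid=1526 comm="pam_console_app" name="scanner0" dev=tmpfs ino=5200 scontext=system_u:system_r:pam_console_t:s0 tcontext=system_u:object_r:scanner_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Catch-all labels: a denial against one of these usually means the node was
# never labeled specifically, not that policy lacks an allow rule.
GENERIC_TARGET_TYPES = {"device_t"}

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec["result"], rec["perms"] = m.group(1), tuple(sorted(m.group(2).split()))
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text):
    """Group denials by (source type, target type, class, perms) and attach a
    hint: labeling problem vs. possible policy gap."""
    groups = defaultdict(lambda: {"count": 0, "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])]
        g["count"] += 1
        g["names"].add(rec.get("name", "?"))
    report = []
    for (stype, ttype, tclass, perms), g in sorted(groups.items()):
        hint = ("mislabeled target: fix the file context and restorecon first"
                if ttype in GENERIC_TARGET_TYPES
                else "specific target type: decide whether policy should allow it")
        report.append({"source": stype, "target": ttype, "class": tclass,
                       "perms": perms, "count": g["count"],
                       "names": sorted(g["names"]), "hint": hint})
    return report
```

Run `triage(SAMPLE_LOG)` to get one row per distinct denial pattern; on a real box feed it the avc lines from /var/log/messages or the audit log instead of the sample.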
selinux@lists.fedoraproject.org