Bug 700614
Summary: | SELinux is preventing acpid from 'read' accesses on the chr_file event4.
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Reporter: | Clyde E. Kunkel <clydekunkel7734>
Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED CURRENTRELEASE
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium
Priority: | unspecified
Version: | rawhide
CC: | dwalsh, jamescape777, mgrepl, zimon
Target Milestone: | ---
Target Release: | ---
Hardware: | x86_64
OS: | Linux
Whiteboard: | setroubleshoot_trace_hash:352b07c5c13d27464c46dc3d757ed23e5e0f6c3056b8d6ee00322818822d2581
Doc Type: | Bug Fix
Story Points: | ---
Last Closed: | 2011-11-21 16:42:41 UTC
Type: | ---
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---

Description
Clyde E. Kunkel
2011-04-28 19:41:16 UTC
How is /dev/mouse/event4 labeled now?

# ls -Z /dev/input/event4

Were you plugging in a mouse or doing suspend/resume?

$ sudo ls -Z /dev/input/event4
crw-r-----. root root system_u:object_r:event_device_t:s0 /dev/input/event4

No new events. I do have usb mouse and keyboard on an external kvm switch and perhaps I caught an event switching to/from another system. Will try several switches and see what happens. I have seen, for many months now, usb mouse events in dmesg as a result of kvm switching.

This is a race condition, where udev is not relabeling the device when it gets created fast enough before apmd gets ahold of the device. I would hope the new kernel_t filename trans rules would fix this problem.

Created attachment 848938 [details]
SElinux alert text
I got this today. Maybe started after upgrading from Fedora 19 to Fedora 20. And it is repeatable for me, happens every time now. Haven't rebooted and checked after that though.
"Jan 12 17:03:11 mylocalhost setroubleshoot: SELinux is preventing /usr/sbin/acpid from read access on the chr_file event21."
It happens if I unplug a USB camera in /dev/video0 (or /dev/video1, I have two), and then re-attach it. The webcams do not work either after this unplug-plug cycle.
The same happens if I remove the driver (modprobe -r pwc) and then reload it.
SElinux alert attached.
And if I try to use the webcams after this unplug-plug cycle (and the acpid complaint), they do not work:
"
$ cvlc v4l2:///dev/video0
VLC media player 2.1.2 Rincewind (revision 2.1.2-0-ga4c4876)
[0x1a2f2b8] dummy interface: using the dummy interface module...
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e68] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e68] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc008c88] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc008c88] main input error: Your input can't be opened
[0x7f93cc008c88] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e48] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc005eb8] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc005eb8] main input error: Your input can't be opened
[0x7f93cc005eb8] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e28] v4l2 demux error: cannot start streaming: No space left on device
....and so on...
"
Created attachment 848939 [details]
syslog: selinux complains about acpid access violation when pwc device is unplugged and re-plugged
Rebooting the machine didn't fix the sealert issue, it still complains about acpid read access on the chr_file event if I unplug and plug the webcam. But this time the pwc camera does work after the unplug cycle, despite the selinux whining.
"Jan 12 17:48:25 mylocalhost dbus[1071]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'"
This is the device btw which causes that acpid selinux alert issue:
"
$ v4l2-ctl --all -d /dev/video1
Driver Info (not using libv4l2):
Driver name : pwc
Card type : Logitech QuickCam Pro 4000
Bus info : usb-0000:00:1d.0-1.2.4.2
Driver version: 3.12.6
Capabilities : 0x85000001
Video Capture
Read/Write
Streaming
Device Capabilities
Device Caps : 0x05000001
Video Capture
Read/Write
Streaming
Priority: 2
Video input : 0 (Camera: ok)
Format Video Capture:
Width/Height : 640/480
Pixel Format : 'YU12'
Field : None
Bytes per Line: 640
Size Image : 460800
Colorspace : SRGB
Streaming Parameters Video Capture:
Capabilities : timeperframe
Frames per second: 15.000 (15/1)
Read buffers : 2
User Controls
....
"
Could you attach raw AVC message?

It was (I think) already in my first message as an attachment in the end: https://bugzilla.redhat.com/attachment.cgi?id=848938
"
Raw Audit Messages
type=AVC msg=audit(1389538991.602:54110): avc: denied { read } for pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1389538991.602:54110): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff7a3cf2b0 a1=80800 a2=7fff7a3cf2b0 a3=3c items=0 ppid=1 pid=1055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=acpid exe=/usr/sbin/acpid subj=system_u:system_r:apmd_t:s0 key=(null)
Hash: acpid,apmd_t,device_t,chr_file,read
"

We have filetrans rules for the first 20... This is a race condition.

commit 85e70c44ceec161c858554c6d3f2d79d3954341a
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 13 17:57:05 2014 +0100

    Add filename trans also for event21
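
The following is an added example, not part of the bug thread and not code from selinux-policy or setroubleshoot. It parses raw AVC records like the one quoted above and separates denials on a device node that still carries the generic `device_t` label (the labeling race described in this bug) from denials against an already labeled node. The classification names, the heuristic itself and the second sample record are assumptions made for illustration.

```python
import re

# Constructed sample input: the first AVC line is the record quoted in this bug;
# the second is a made-up record ("exampled", example_t are hypothetical) for a
# node that already carries its specific label.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1389538991.602:54110): avc: denied { read } for pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1389539000.100:54200): avc: denied { write } for pid=2000 comm="exampled" name="event4" dev="devtmpfs" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1389538991.602:54110): arch=x86_64 syscall=open success=no exit=EACCES
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_DEV_TYPE = "device_t"  # generic /dev label, as seen in the tcontext above


def parse_avc(line):
    """Return a dict of the AVC fields, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type field decides the policy match.
    for key, short in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(key, "").split(":")
        rec[short] = parts[2] if len(parts) >= 3 else None
    return rec


def classify(rec):
    """Assumed heuristic: a devtmpfs device node still typed device_t was
    accessed before it received its specific label (the race in this thread)."""
    is_dev_node = rec.get("dev") == "devtmpfs" and rec.get("tclass") in ("chr_file", "blk_file")
    if is_dev_node and rec["ttype"] == GENERIC_DEV_TYPE:
        return "unlabeled-device-node"
    return "policy-denial"


def triage(audit_text):
    """Return (comm, name, source type, target type, classification) per denial."""
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            results.append((rec["comm"], rec["name"], rec["stype"], rec["ttype"], classify(rec)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print(row)
```

A denial classified as `unlabeled-device-node` points at labeling (udev relabel timing or a missing filename transition) rather than at a missing allow rule for the calling domain.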