Bug 700614 - SELinux is preventing acpid from 'read' accesses on the chr_file event4.
Summary: SELinux is preventing acpid from 'read' accesses on the chr_file event4.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:352b07c5c13...
Depends On:
Blocks:
Reported: 2011-04-28 19:41 UTC by Clyde E. Kunkel
Modified: 2014-01-13 16:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 16:42:41 UTC
Type: ---
Embargoed:


Attachments
SElinux alert text (2.39 KB, text/plain), 2014-01-12 15:13 UTC, zimon
syslog: selinux complains about acpid access violation when pwc device is unplugged and re-plugged (3.21 KB, text/plain), 2014-01-12 16:00 UTC, zimon

Description Clyde E. Kunkel 2011-04-28 19:41:16 UTC
SELinux is preventing acpid from 'read' accesses on the chr_file event4.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow acpid to have read access on the event4 chr_file
Then you need to change the label on event4 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE 'event4'
# restorecon -v 'event4'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that acpid should be allowed read access on the event4 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep acpid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:apmd_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                event4 [ chr_file ]
Source                        acpid
Source Path                   acpid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.39-0.rc4.git8.0.fc16.x86_64 #1 SMP Tue Apr 26
                              20:25:03 UTC 2011 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 23 Apr 2011 10:01:12 AM EDT
Last Seen                     Thu 28 Apr 2011 03:35:18 PM EDT
Local ID                      c37af328-0255-433e-a2e3-cf02b09f7848

Raw Audit Messages
type=AVC msg=audit(1304019318.480:231): avc:  denied  { read } for  pid=1310 comm="acpid" name="event4" dev=devtmpfs ino=460954 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


Hash: acpid,apmd_t,device_t,chr_file,read

audit2allow

#============= apmd_t ==============
allow apmd_t device_t:chr_file read;

audit2allow -R

#============= apmd_t ==============
allow apmd_t device_t:chr_file read;

Comment 1 Miroslav Grepl 2011-04-29 05:36:02 UTC
How is /dev/mouse/event4 labeled now?

# ls -Z /dev/input/event4

Were you plugging in a mouse or doing suspend/resume?

Comment 2 Clyde E. Kunkel 2011-04-29 13:37:47 UTC
$ sudo ls -Z /dev/input/event4
crw-r-----. root root system_u:object_r:event_device_t:s0 /dev/input/event4


No new events.  I do have a USB mouse and keyboard on an external KVM switch and perhaps I caught an event switching to/from another system.  Will try several switches and see what happens.  I have seen, for many months now, USB mouse events in dmesg as a result of KVM switching.

Comment 3 Daniel Walsh 2011-04-29 15:13:40 UTC
This is a race condition, where udev is not relabeling the device fast enough when it gets created, before apmd gets ahold of the device.

I would hope the new kernel_t filename trans rules would fix this problem.

Comment 4 zimon 2014-01-12 15:13:22 UTC
Created attachment 848938 [details]
SElinux alert text

I got this today. Maybe it started after upgrading from Fedora 19 to Fedora 20. And it is repeatable for me, happens every time now. Haven't rebooted and checked after that though.

"Jan 12 17:03:11 mylocalhost setroubleshoot: SELinux is preventing /usr/sbin/acpid from read access on the chr_file event21."

It happens if I unplug a USB camera in /dev/video0 (or /dev/video1, I have two), and then re-attach it. The webcams do not work either after this unplug-plug cycle.

The same happens if I remove the driver (modprobe -r pwc) and then reload it.

SElinux alert attached.

And if I try to use the webcams after this unplug-plug cycle (and the acpid complaint), they do not work:

"
$ cvlc v4l2:///dev/video0
VLC media player 2.1.2 Rincewind (revision 2.1.2-0-ga4c4876)
[0x1a2f2b8] dummy interface: using the dummy interface module...
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e68] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e68] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc008c88] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc008c88] main input error: Your input can't be opened
[0x7f93cc008c88] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 demux error: cannot start streaming: No space left on device
[0x7f93c4000e48] v4l2 demux error: not a radio tuner device
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e48] v4l2 access error: cannot start streaming: No space left on device
[0x7f93cc005eb8] main input error: open of `v4l2:///dev/video0' failed
[0x7f93cc005eb8] main input error: Your input can't be opened
[0x7f93cc005eb8] main input error: VLC is unable to open the MRL 'v4l2:///dev/video0'. Check the log for details.
libv4l2: error turning on stream: No space left on device
[0x7f93c4000e28] v4l2 demux error: cannot start streaming: No space left on device
....and so on...
"

Comment 5 zimon 2014-01-12 16:00:37 UTC
Created attachment 848939 [details]
syslog: selinux complains about acpid access violation when pwc device is unplugged and re-plugged

Rebooting the machine didn't fix the sealert issue; it still complains about acpid read access on the chr_file event if I unplug and plug the webcam. But this time the pwc camera does work after the unplug cycle, despite the SELinux whining.

"Jan 12 17:48:25 mylocalhost dbus[1071]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'"

This is the device, btw, which causes that acpid SELinux alert issue:
"
$ v4l2-ctl --all -d /dev/video1
Driver Info (not using libv4l2):
	Driver name   : pwc
	Card type     : Logitech QuickCam Pro 4000
	Bus info      : usb-0000:00:1d.0-1.2.4.2
	Driver version: 3.12.6
	Capabilities  : 0x85000001
		Video Capture
		Read/Write
		Streaming
		Device Capabilities
	Device Caps   : 0x05000001
		Video Capture
		Read/Write
		Streaming
Priority: 2
Video input : 0 (Camera: ok)
Format Video Capture:
	Width/Height  : 640/480
	Pixel Format  : 'YU12'
	Field         : None
	Bytes per Line: 640
	Size Image    : 460800
	Colorspace    : SRGB
Streaming Parameters Video Capture:
	Capabilities     : timeperframe
	Frames per second: 15.000 (15/1)
	Read buffers     : 2

User Controls
....
"

Comment 6 Miroslav Grepl 2014-01-13 12:38:28 UTC
Could you attach raw AVC message?

Comment 7 zimon 2014-01-13 13:05:56 UTC
It was (I think) already in my first message as an attachment in the end:
https://bugzilla.redhat.com/attachment.cgi?id=848938
"
Raw Audit Messages
type=AVC msg=audit(1389538991.602:54110): avc:  denied  { read } for  pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1389538991.602:54110): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff7a3cf2b0 a1=80800 a2=7fff7a3cf2b0 a3=3c items=0 ppid=1 pid=1055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=acpid exe=/usr/sbin/acpid subj=system_u:system_r:apmd_t:s0 key=(null)

Hash: acpid,apmd_t,device_t,chr_file,read
"
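
Added example (not from this bug or the selinux-policy project): a Python parser for the raw AVC records quoted in the description and in Comment 7 that rebuilds setroubleshoot's Hash line and audit2allow's allow rule, then shows why a name-based type_transition rather than a blanket allow is the right fix when the target still carries the generic device_t label. The kernel_t creator domain and the event_device_t label come from Comments 2 and 3; the GENERIC_TARGET_TYPES set and the function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the raw AVC record quoted in Comment 7 of this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1389538991.602:54110): avc:  denied  { read } for  '
    'pid=1055 comm="acpid" name="event21" dev="devtmpfs" ino=3514871 '
    'scontext=system_u:system_r:apmd_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
)
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
# Generic fallback types: a denial whose target carries one of these usually
# means the object was never (re)labelled, not that the domain lacks a rule.
# Assumption: only device_t is taken from this report; extend for your policy.
GENERIC_TARGET_TYPES = {'device_t'}

@dataclass
class Avc:
    result: str
    perms: list
    comm: str
    name: str
    stype: str   # type component of scontext, e.g. apmd_t
    ttype: str   # type component of tcontext, e.g. device_t
    tclass: str

def parse_avc(line: str) -> Avc:
    """Parse one type=AVC audit record into its security-relevant fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return Avc(m.group('result'), m.group('perms').split(),
               f.get('comm', '?'), f.get('name', '?'),
               f['scontext'].split(':')[2], f['tcontext'].split(':')[2], f['tclass'])

def setroubleshoot_hash(a: Avc) -> str:
    """Rebuild the 'Hash:' line setroubleshoot prints under the alert."""
    return ','.join([a.comm, a.stype, a.ttype, a.tclass] + a.perms)

def audit2allow_rule(a: Avc) -> str:
    """The allow rule audit2allow would emit; too broad when the target is mislabelled."""
    perms = a.perms[0] if len(a.perms) == 1 else '{ ' + ' '.join(a.perms) + ' }'
    return f'allow {a.stype} {a.ttype}:{a.tclass} {perms};'

def triage(a: Avc, expected_type: str) -> str:
    """Generic target label: label the node correctly at creation (the fix landed here)."""
    if a.ttype in GENERIC_TARGET_TYPES:
        return f'type_transition kernel_t {a.ttype}:{a.tclass} {expected_type} "{a.name}";'
    return audit2allow_rule(a)
```

Run `triage(parse_avc(SAMPLE_AVC), 'event_device_t')` to get the name-based transition for event21; a denial against a properly labelled target falls back to the audit2allow rule for review.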

Comment 8 Daniel Walsh 2014-01-13 16:21:48 UTC
We have filetrans rules for the first 20... This is a race condition.

Comment 9 Miroslav Grepl 2014-01-13 16:57:32 UTC
commit 85e70c44ceec161c858554c6d3f2d79d3954341a
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 13 17:57:05 2014 +0100

    Add filename trans also for event21

