Bug 159540 - new parted requires ability to read /sys
Summary: new parted requires ability to read /sys
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-03 21:11 UTC by Chris Lumens
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.23.18-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-04 23:47:56 UTC



Description Chris Lumens 2005-06-03 21:11:58 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
Future versions of parted are going to be using files under /sys/block/<device> to get information about that device (for instance, the model and manufacturer name).  Currently, this is not allowed by targeted policy, resulting in an EACCES when attempting to read:

type=AVC msg=audit(1117829236.044:1047962): avc:  denied  { read } for  pid=3201 comm="parted" name=device dev=sysfs ino=3402 scontext=root:system_r:fsadm_t tcontext=system_u:object_r:sysfs_t tclass=lnk_file

Here, the file I am trying to read is /sys/block/sda/device/vendor.

Paul Nasrat has come up with the following patch to the policy to allow parted to read from /sys:

--- fsadm.te    2005-05-28 01:23:13.000000000 -0400
+++ /home/clumens/fsadm.te      2005-06-03 16:20:28.000000000 -0400
@@ -19,7 +19,7 @@
 general_domain_access(fsadm_t)

 # for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+allow fsadm_t sysfs_t:dir { search getattr read };

 # Read system information files in /proc.
 r_dir_file(fsadm_t, proc_t)
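Review bot: the `# for swapon` comment directly above the changed line no longer describes what the rule grants; since `read` on `sysfs_t:dir` is being added so parted can enumerate entries under /sys/block, extend the comment (for example `# for swapon; parted lists /sys/block/<device>`) so the next reader knows why directory read is needed. Note also that the AVC quoted in the report is a `lnk_file` read denial, not a `dir` read, so this hunk should be confirmed against an actual `dir` denial from the new parted before it is kept.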
@@ -43,13 +43,15 @@
 allow fsadm_t device_t:dir r_dir_perms;
 allow fsadm_t device_t:lnk_file r_file_perms;

+# Read /sys files and links
+allow fsadm_t sysfs_t:{ file lnk_file } r_file_perms;
+
 uses_shlib(fsadm_t)

 type fsadm_exec_t, file_type, sysadmfile, exec_type;
 domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
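Review bot: `allow fsadm_t sysfs_t:{ file lnk_file } r_file_perms;` grants read on every file and symlink under /sys, not only /sys/block/<device>; the targeted policy shown here has a single `sysfs_t` type, so no narrower target exists, but the comment should record the paths parted actually needs (/sys/block/<device>/device/vendor per the report) so the grant can be tightened if sysfs ever receives finer labels. The `lnk_file` part matches the quoted denial (`tclass=lnk_file` for `name=device`); the `file` part is needed because `device` is a symlink and the `vendor` file reached through it is labelled `sysfs_t` as well.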


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Apply patches from parted CVS, rebuild and install.
2. Run the new parted and watch as it falls back on older code (you'll see a warning about using a deprecated scsi ioctl in dmesg).
  

Additional info:
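The policy change above was derived by reading the AVC denial record in the report (source type fsadm_t, target type sysfs_t, object class lnk_file, permission read) and turning it into an `allow` rule. The following Python script is an added example, not code from the bug report or from the selinux-policy package, showing the same translation mechanically in the way the real audit2allow tool does: it parses audit records, keeps only `denied` AVC events, aggregates the requested permissions per (source type, target type, class) triple and emits one rule per triple. The first sample record is the one quoted in the report; the remaining records are constructed for illustration (the `/sys/devices/...` path and inode numbers are made up).

```python
import re
from collections import defaultdict

# Matches the verdict, the permission set in braces and the key=value tail
# of an AVC audit record, e.g.
#   avc:  denied  { read } for  pid=3201 comm="parted" ... tclass=lnk_file
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either a quoted string (comm="parted") or a
# bare token (scontext=root:system_r:fsadm_t).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict describing an AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name') or fields.get('path'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rules(lines):
    """Aggregate denied AVC records into minimal allow rules, one per
    (source type, target type, object class) triple, permissions sorted."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            wanted[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(wanted.items())
    ]


# Sample audit records. The first is the real denial quoted in the bug
# report; the others are constructed here to illustrate aggregation.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1117829236.044:1047962): avc:  denied  { read } for  pid=3201 '
    'comm="parted" name=device dev=sysfs ino=3402 scontext=root:system_r:fsadm_t '
    'tcontext=system_u:object_r:sysfs_t tclass=lnk_file',
    # constructed: reading the symlink target's vendor file
    'type=AVC msg=audit(1117829236.045:1047963): avc:  denied  { read } for  pid=3201 '
    'comm="parted" name=vendor dev=sysfs ino=3410 scontext=root:system_r:fsadm_t '
    'tcontext=system_u:object_r:sysfs_t tclass=file',
    # constructed: stat() on the same file, reported with a path= field
    'type=AVC msg=audit(1117829236.045:1047964): avc:  denied  { getattr } for  pid=3201 '
    'comm="parted" path="/sys/devices/platform/host0/target0:0:0/0:0:0:0/vendor" dev=sysfs '
    'ino=3410 scontext=root:system_r:fsadm_t tcontext=system_u:object_r:sysfs_t tclass=file',
    # constructed: listing /sys/block
    'type=AVC msg=audit(1117829236.046:1047965): avc:  denied  { read } for  pid=3201 '
    'comm="parted" name=block dev=sysfs ino=3300 scontext=root:system_r:fsadm_t '
    'tcontext=system_u:object_r:sysfs_t tclass=dir',
    # constructed: a non-AVC record the parser must skip
    'type=SYSCALL msg=audit(1117829236.046:1047965): arch=40000003 syscall=5 success=no '
    'exit=-13 comm="parted"',
]

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

The generated rules are a lower bound: they grant exactly the permissions that were denied and nothing more, which is why a patch like the one above typically uses the policy's `r_file_perms` macro instead, trading a little breadth for not having to chase a fresh denial for each additional permission (getattr, ioctl) that a normal read path exercises. Comparing the generated output against the hand-written rule is a quick way to confirm that a proposed policy change is actually justified by observed denials.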

Comment 1 Daniel Walsh 2005-06-06 15:12:42 UTC
Fixed in selinux-policy-targeted-1.23.18-1


