Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 230628 - SELinux rejects ub
Summary: SELinux rejects ub
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On: 230322
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-01 21:21 UTC by Pete Zaitcev
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:12:15 UTC


Attachments (Terms of Use)

Description Pete Zaitcev 2007-03-01 21:21:31 UTC
Hi, Dan:

Fedora has a capability to switch between ub and sd in runtime,
so please consider if a workaround for this would be feasible.
Since sd is the primary driver and ub is a workaround, this is a low
priority, but would be very nice to have.

-- Pete

+++ This bug was initially created as a clone of Bug #230322 +++

Version-Release number of selected component (if applicable):
2.6.19-1.2911.fc6 #1 SMP

-- Additional comment from zaitcev@redhat.com on 2007-02-28 13:00 EST --

BTW, what does happen if you boot with libusual.bias="ub" in grub.conf?

-- Additional comment from jonathan.underwood@gmail.com on 2007-03-01 06:07 EST --
Hi Pete, thanks for your response. Adding libusual.bias="ub" fixes the problem,
once I had disabled SElinux.  I'm not sure that the problem is specific to the
usb-storeage layer though, as I am also seeing soft lockups when vmware tries to
create its virtual ethernet interfaces.  These also disappear with
libusual.bias="ub"

[Just to put your mind at rest though - the problem originally reported in this
bug is present with an untainted kernel (i.e. without the vmware module loaded).]


As an aside, if there are any plans to enable libusual.bias="ub" out of the box,
then I guess the SElinux issue will need fixing up. The SElinux messages
displayed are:
 audit(1172746861.823:7): avc:  denied  { read } for  pid=5340
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=20335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file
audit(1172746861.824:8): avc:  denied  { ioctl } for  pid=5340
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=20335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file
SELinux: initialized (dev uba1, type vfat), uses genfs_contexts
audit(1172746862.109:9): avc:  denied  { getattr } for  pid=4470 comm="hald"
name="uba1" dev=tmpfs ino=20335 scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

-- Additional comment from zaitcev@redhat.com on 2007-03-01 16:15 EST --
Thanks for the testing, Jonathan. I'll clone this bug for Dan Walsh regarding
the SElinux issue.

Comment 1 Daniel Walsh 2007-03-01 21:27:04 UTC
The problem here is the devices are labeled incorrectly.  They are labeled 
as device_t.  uba1 should probably be labeled usb_device_t?

Comment 2 Daniel Walsh 2007-03-01 21:33:17 UTC
If you execute this command does everything work?

semanage fcontext -a -t removable_device_t -f '-b' '/dev/ub[a-z][0-9]+'

you might have to run

restorecon -v /dev/ub*

Current policy only matches
dev/ub[a-z]

Comment 3 Pete Zaitcev 2007-03-01 21:45:01 UTC
Adding Jon to cc:, to try the test (see comment #2).


Comment 4 Jonathan Underwood 2007-03-02 11:53:31 UTC
I tried re-enabling SElinux and running those two commands, but it didn't work,
I still see this in dmesg:

audit(1172836335.532:20): avc:  denied  { read } for  pid=16589
comm="hald-probe-volu" name="uba1" dev=tmpfs ino=834181
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

and the drive isn't mounted.

Comment 5 Daniel Walsh 2007-03-02 15:04:59 UTC
I believe you need to reboot or restart udev. since udev is not rereading the
file_context file.

Comment 6 Jonathan Underwood 2007-03-02 15:24:22 UTC
Thanks Daniel - I rebooted having run those two commands. On reboot I added
libusual.bias="ub" to the kernel options line, and sure enough plugging in a usb
key causes it to be mounted and the contents displayed, with no SElinux
grumbling at all.

Comment 7 Daniel Walsh 2007-03-02 17:03:18 UTC
Fixed in selinux-policy-2.4.6-42

Comment 8 Daniel Walsh 2007-08-22 14:12:15 UTC
Fixed in current release


Note You need to log in before you can comment on or make changes to this bug.