We are working on the Fedora SELinux FAQ

Antonio Olivares olivares14031 at yahoo.com
Sat Jan 23 18:26:20 UTC 2010


>http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
> 

Great questions John!  I applaud your questions and you have given me valor and courage to ask other questions.

Dialup and Modem questions 
CC'd to Phillipe Vouters, maintainer of Intel 536/537 family of modems, and Marvin Stodolsky maintainer of scanModem script.  

http://vouters.dyndns.org/
http://linmodems.technion.ac.il/

Since I had not let them know about this, 
* selinux getting in the way of /dev/536ep, /dev/martian, /dev/slamr0, ..., etc.  
Devices created and used for dialout with respective drivers.  


I use dialup on Fedora; I don't use NetworkManager or kppp GUI dialers.  I like plain old wvdial.  I don't see any problems or complaints.

Q:  Why does selinux complain when I start using a gui to dialout on my dialout connection?  

I see it when I use /dev/536ep for the Intel 536 modem with Kppp; I got the following complaint:


Summary:

SELinux is preventing /sbin/consoletype "read write" access to device
/dev/536ep.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux has denied consoletype "read write" access to device /dev/536ep.
/dev/536ep is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/536ep'. If this device remains labeled device_t, then this is a bug in
SELinux policy. Please file a bg report. If you look at the other similar
devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for
/dev/536ep, you can use chcon -t SIMILAR_TYPE '/dev/536ep', If this fixes the
problem, you can make this permanent by executing semanage fcontext -a -t
SIMILAR_TYPE '/dev/536ep' If the restorecon changes the context, this indicates
that the application that created the device, created it without using SELinux
APIs. If you can figure out which application created the device, please file a
bug report against this application.

Allowing Access:

Attempt restorecon -v '/dev/536ep' or chcon -t SIMILAR_TYPE '/dev/536ep'

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/536ep [ chr_file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           initscripts-9.02-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.31.6-145.fc12.i686.PAE #1 SMP Sat Nov 21
                              16:12:37 EST 2009 i686 i686
Alert Count                   4
First Seen                    Sun 13 Dec 2009 09:17:50 PM CST
Last Seen                     Sun 13 Dec 2009 09:21:15 PM CST
Local ID                      d08c40b6-e21a-43f9-b076-b15955131bce
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc:  denied  { read write } for  pid=14823 comm="consoletype" path="/dev/536ep" dev=tmpfs ino=12344 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc:  denied  { read write } for  pid=14823 comm="consoletype" path="socket:[10132603]" dev=sockfs ino=10132603 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=localhost.localdomain type=SYSCALL msg=audit(1260760875.661:322): arch=40000003 syscall=11 success=yes exit=0 a0=9f191d8 a1=9f19238 a2=9f11f08 a3=9f19238 items=0 ppid=14822 pid=14823 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)


I know that *selinux is permitting* the action, but why is it complaining?  

Users don't care that 
[consoletype has a permissive type (consoletype_t). This access was not denied.]

if there is wrong labeling, they just want to use the computer and get online.  Why does selinux have too many of these things?  

It appears to happen with martian modem on Fedora also, *but only if I use gui like KPPP*, so since I use wvdial most of the time, I have not bothered to contact selinux list to ask for this.  

Also, since Fedora does not have DVD playback out of the box *by default*, one can add the rpmfusion repositories to fix this; there are projects like xine-lib that already come with Fedora but are crippled.

Q: 
If one compiles xine-lib from source, selinux interferes and denies many chmods that are used by the xine install scripts. I have gotten around this by disabling/not enforcing selinux to install these, but why do we have to contact the xine-lib developers to fix this? Not everyone out there uses selinux, so they would ignore these.

Q: Why are there so many complaints with nspluginwrapper/nspluginviewer:

Good that it is here:
http://fedoraproject.org/wiki/Flash
but is it there in FAQ?  

SELinux problems 
In some cases, nspluginwrapper produces SELinux AVC errors, some of which may prevent viewing Flash content. Changing the relevant SELinux boolean may resolve this problem, but eliminates a great deal of additional security when using nspluginwrapper. To make the change, run the following command: 
su -c 'setsebool -P allow_unconfined_nsplugin_transition=0'


Also nsplugin viewer :(

http://old.nabble.com/SELinux-is-preventing-npviewer.bin-(nsplugin_t)-"read"-to-controlC0-(sound_device_t).-td15815169.html

I have seen *too many complaints*, so I have run away from using Flash and don't use it.  Also with Firefox: exec_mem stack? errors.  I have also moved away from using it.  I am content using Konqueror.  At one point I was using Opera and it also encountered problems, but the fix suggested by setroubleshooter fixed them :), operapluginwrapper or something like that.

Q:  How does selinux address native HTML 5 implementations if any?

A friend of mine told me that HTML 5 cures many illnesses with flash and other proprietary crap out there, how does selinux deal with HTML 5?

Q:  How does selinux treat gnash (the free/open source alternative to adobe flash)?

Thank you very much for your time.  Although I expect many of these questions to go to /dev/null, I am asking to know more and find out whether *not everything out there* will be in permissive mode and one has to take care of our own problems on a case-by-case basis?

Regards,

Antonio
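The setroubleshoot report quoted in the message above actually encodes a useful triage rule: a denial on a character or block device whose target context is still the generic device_t label of /dev is a labeling problem (restorecon territory, and a policy bug if the label comes back unchanged), whereas a denial on a correctly labeled object is a policy question that no amount of relabeling will fix. The script below is an added example, not part of Antonio's message and not code from setroubleshoot, Fedora or any modem project. It is plain POSIX shell needing only sed and cut, so it runs without SELinux installed; the two sample lines are constructed copies of the raw audit messages quoted above, and the function names (avc_field, triage_avc, remediation_for, ...) are my own.

```shell
#!/bin/sh
# Added example (not from the original message): triage raw SELinux AVC lines
# the way the setroubleshoot report above reasons about them.
#
# Both sample lines are constructed copies of the raw audit messages quoted
# in the message; no SELinux tools are needed to run this script.

AVC_DEVICE='node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc:  denied  { read write } for  pid=14823 comm="consoletype" path="/dev/536ep" dev=tmpfs ino=12344 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'

AVC_SOCKET='node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc:  denied  { read write } for  pid=14823 comm="consoletype" path="socket:[10132603]" dev=sockfs ino=10132603 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket'

# avc_field LINE KEY: value of the space-delimited KEY=value token, with any
# surrounding double quotes stripped (path="/dev/536ep" -> /dev/536ep).
# The leading [[:space:]] keeps "pid=" from matching inside "ppid=".
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perms LINE: the permission set inside "{ ... }", e.g. "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc LINE: prints "mislabeled-device" when the target is a device
# node still carrying device_t (the default label of /dev, which a real
# device node should never keep), otherwise "policy-denial".
triage_avc() {
    case "$(avc_field "$1" tclass)" in
        chr_file|blk_file)
            if [ "$(ctx_type "$(avc_field "$1" tcontext)")" = device_t ]; then
                echo mislabeled-device
                return 0
            fi
            ;;
    esac
    echo policy-denial
}

# remediation_for LINE: the first step the report suggests for each case.
# The restorecon command is only printed, never executed here; review it and
# run it by hand as root. If the label survives restorecon, that is the
# "bug in SELinux policy" case the report describes.
remediation_for() {
    if [ "$(triage_avc "$1")" = mislabeled-device ]; then
        printf "restorecon -v '%s'\n" "$(avc_field "$1" path)"
    else
        printf 'no relabel: %s -> %s on %s is a policy question\n' \
            "$(ctx_type "$(avc_field "$1" scontext)")" \
            "$(ctx_type "$(avc_field "$1" tcontext)")" \
            "$(avc_field "$1" tclass)"
    fi
}

# Run the triage over both constructed samples.
for line in "$AVC_DEVICE" "$AVC_SOCKET"; do
    printf '%-18s perms={%s} %s\n' "$(triage_avc "$line")" \
        "$(avc_perms "$line")" "$(remediation_for "$line")"
done
```

Fed real lines from /var/log/audit/audit.log (for example via `grep 'type=AVC' | while read line; do triage_avc "$line"; done`), the split between the two outcomes is what tells you whether to reach for restorecon/semanage fcontext or for a policy boolean: the /dev/536ep line lands in the first bucket, the unix_dgram_socket line in the second, which matches what the report in the message says about each.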

