Digital camera problem

Paul Howarth paul at city-fan.org
Fri Apr 7 16:39:46 UTC 2006 

Aad Rijnberg wrote:
> On Friday 07 April 2006 14:48, Gerry Tool wrote:
>> Aad Rijnberg wrote:
>>> Hello,
>>>
>>> since a week I have installed FC5; everything works OK, but today I was
>>> trying to upload some pictures on my digital camera via USB to the PC and
>>> the connection could not be established. I suspect SELinux.
>>>
>>> I use Digikam for photo management, and did auto detection of the camera
>>> which succeeded to make the proper selection (Canon PowerShot 510 (normal
>>> mode) ). This means that it can connect to the camera somehow. When I
>>> then selected the camera (via Camera->Canon PowerShot 510 (normal mode))
>>> to get a window with thumbnails it came up with a message :
>>> "Failed to connect to camera. Please make sure its connected properly and
>>> turned on. Would you like to try again?"
>>>
>>> I looked in /var/log/messages, and came across the following line:
>>> Apr  7 13:25:47 localhost kernel: audit(1144409147.815:368): avc:  denied
>>> { search } for  pid=2897 comm="cat" name="console" dev=dm-4 ino=393220
>>> scontext=system_u:system_r:hald_t:s0
>>> tcontext=system_u:object_r:pam_var_console_t:s0 tclass=dir
>>>
>>> Any suggestions?
>>>
>>> Aad
>> Have you tried to use System > Administration > Security Level and
>> Firewall to set SELinux permissive?
> 
> I disabled it but initially it did not make a difference. After I rebooted, I 
> tried again, and then I could connect to the camera again. So this more or 
> less proves that it was due to SELinux settings.
> 
> I would like to use SELinux in Enforcing mode, and find a solution to the 
> problem. Does anybody have a clue on how to pursue?

If you booted with SELinux completely disabled, you'll need to relabel 
your system when you next boot with SELinux enabled (put SELinux in 
permissive mode for this). This may take a long time.

If you just did "setenforce 0" to temporarily turn off SELinux 
enforcement to check whether a problem was SELinux-related, you wouldn't 
need to do this.

To make changes to SELinux policy to fix this issue, you should:

* Put SELinux in permissive mode (setenforce 0)
* Note the exact time (date)
* Run your application (which should work since SELinux is in permissive 
mode)
* Note the exact time again (date)
* Look in /var/log/messages for all "avc:  denied" messages between the 
two times you noted
* Follow the instructions at 
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow for 
making and enabling a local SELinux policy module to allow the things 
that were denied between the two times you noted
* Put SELinux back in enforcing mode (setenforce 1)
* Try running the program again. It should still work.

* If there is nothing "unusual" about what you are doing, you could post 
a description of what you were doing, along with the generated .te 
policy module that fixes it, to fedora-selinux-list. It might then get 
included in the main policy and solve the problem for other people 
before they come across it.

Paul.

More information about the users mailing list