Running strict/enforcing, latest Rawhide packages including latest
from Dan's tree (selinux-policy-strict-1.17.18-2).
Running 'lsusb' as root fails, but '/sbin/lsusb' as user works.
[root@fedora ~]# lsusb
cannot open /proc/bus/usb, Permission denied (13)
Works in permissive mode. Here are the avc's from permissive mode:
Sep 18 20:45:36 fedora kernel: audit(1095565536.018:0): avc: denied
{ read } for pid=13020 exe=/sbin/lsusb dev=usbfs ino=2335
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbfs_t
tclass=dir
Sep 18 20:45:36 fedora kernel: audit(1095565536.018:0): avc: denied
{ getattr } for pid=13020 exe=/sbin/lsusb path=/proc/bus/usb
dev=usbfs ino=2335 scontext=root:sysadm_r:sysadm_t
tcontext=system_u:object_r:usbfs_t tclass=dir
Sep 18 20:45:36 fedora kernel: audit(1095565536.019:0): avc: denied
{ search } for pid=13020 exe=/sbin/lsusb dev=usbfs ino=2335
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbfs_t
tclass=dir
Sep 18 20:45:36 fedora kernel: audit(1095565536.019:0): avc: denied
{ read } for pid=13020 exe=/sbin/lsusb name=001 dev=usbfs ino=6351
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbfs_t
tclass=file
These look like:
r_dir_file(sysadm_t, usbfs_t)
r_dir_file($1_t, usbfs_t) is in user_macros.te.
Should it be in base_user_macros.te? Included in admin_macros.te?
tom
--
Tom London
