>http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
>

Great questions John! I applaud your questions and you have given me valor and courage to ask other questions.

Dialup and Modem questions CC'd to Phillipe Vouters, maintainer of Intel 536/537 family of modems, and Marvin Stodolsky maintainer of scanModem script.

http://vouters.dyndns.org/
http://linmodems.technion.ac.il/

Since I had not let them know about this,

* selinux getting in the way of /dev/536ep, /dev/martian, /dev/slamr0, ..., etc. Devices created and used for dialout with respective drivers.

I use dialup on Fedora, I don't use NetworkManager, kppp gui dialers. I like plain old wvdial. I don't see any problems or complaints.

Q: Why does selinux complain when I start using a gui to dialout on my dialout connection?

I see it when I use /dev/536ep for Intel 536 Modem using Kppp, I got the following complaint:

Summary:

SELinux is preventing /sbin/consoletype "read write" access to device /dev/536ep.

Detailed Description:

[consoletype has a permissive type (consoletype_t). This access was not denied.]

SELinux has denied consoletype "read write" access to device /dev/536ep. /dev/536ep is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v '/dev/536ep'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/536ep, you can use chcon -t SIMILAR_TYPE '/dev/536ep', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/536ep' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs.
If you can figure out which application created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v '/dev/536ep' or chcon -t SIMILAR_TYPE '/dev/536ep'

Additional Information:

Source Context                unconfined_u:system_r:consoletype_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/536ep [ chr_file ]
Source                        consoletype
Source Path                   /sbin/consoletype
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           initscripts-9.02-1
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.31.6-145.fc12.i686.PAE #1 SMP Sat Nov 21 16:12:37 EST 2009 i686 i686
Alert Count                   4
First Seen                    Sun 13 Dec 2009 09:17:50 PM CST
Last Seen                     Sun 13 Dec 2009 09:21:15 PM CST
Local ID                      d08c40b6-e21a-43f9-b076-b15955131bce
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc: denied { read write } for pid=14823 comm="consoletype" path="/dev/536ep" dev=tmpfs ino=12344 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc: denied { read write } for pid=14823 comm="consoletype" path="socket:[10132603]" dev=sockfs ino=10132603 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

node=localhost.localdomain type=SYSCALL msg=audit(1260760875.661:322): arch=40000003 syscall=11 success=yes exit=0 a0=9f191d8 a1=9f19238 a2=9f11f08 a3=9f19238 items=0 ppid=14822 pid=14823 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="consoletype" exe="/sbin/consoletype" subj=unconfined_u:system_r:consoletype_t:s0 key=(null)

I know that *selinux is permitting* the action, but why is it
complaining? Users don't care that

[consoletype has a permissive type (consoletype_t). This access was not denied.]

if there is wrong labeling, they just want to use the computer and get online. Why does selinux have too many of these things?

It appears to happen with martian modem on Fedora also, *but only if I use gui like KPPP*, so since I use wvdial most of the time, I have not bothered to contact selinux list to ask for this.

Also, since fedora does not have DVD playback out of the box *by default*, one can add rpmfusion repositories to fix this, there are projects like xine-lib that already come with Fedora but crippled.

Q: If one compiles xine-lib from source, selinux interferes and denies many chmods that are used by xine install scripts, I have gotten around by disabling/not enforcing selinux to install these, but why do we have to contact xine-lib developers to fix this? Not everyone out there uses selinux so they would ignore these.

Q: Why are there too many numerous complaints with nspluginwrapper/nspluginviewer:

Good that it is here:

http://fedoraproject.org/wiki/Flash

but is it there in FAQ?

  SELinux problems

  In some cases, nspluginwrapper produces SELinux AVC errors, some of which may prevent viewing Flash content. Changing the relevant SELinux boolean may resolve this problem, but eliminates a great deal of additional security when using nspluginwrapper. To make the change, run the following command:

  su -c 'setsebool -P allow_unconfined_nsplugin_transition=0'

Also nsplugin viewer :(

http://old.nabble.com/SELinux-is-preventing-npviewer.bin-(nsplugin_t)-"read"-to-controlC0-(sound_device_t).-td15815169.html

I have seen *too many complaints*, that I have run away from using Flash and not use it. Also with Firefox exec_mem stack? errors. I have also moved away from using it. I am content to use Konqueror.
At one point I was using Opera and it also encountered problems, but the fix suggested by setroubleshooter fixed them :), operapluginwrapper or something like that.

Q: How does selinux address native HTML 5 implementations if any? A friend of mine told me that HTML 5 cures many illnesses with flash and other proprietary crap out there, how does selinux deal with HTML 5?

Q: How does selinux treat gnash (the free/open source alternative to adobe flash)?

Thank you very much for your time. Although I expect many of these questions to go to /dev/null, I am asking to know more and find out if *not everything out there* will be in permissive mode and one has to take care of our own problems on a case by case basis?

Regards,

Antonio
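
The check that the alert's "device" plugin describes (a character or block device still carrying the default /dev label device_t) can be reproduced directly from the raw audit records. The following is an added example, not part of the original message or of setroubleshoot; the function names are hypothetical and the two AVC records are copied from the alert quoted above.

```python
import re

# AVC records copied from the alert quoted in the message above.
SAMPLE_AUDIT = '''\
node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc: denied { read write } for pid=14823 comm="consoletype" path="/dev/536ep" dev=tmpfs ino=12344 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
node=localhost.localdomain type=AVC msg=audit(1260760875.661:322): avc: denied { read write } for pid=14823 comm="consoletype" path="socket:[10132603]" dev=sockfs ino=10132603 scontext=unconfined_u:system_r:consoletype_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def mislabeled_devices(audit_text):
    """Map each device node still labeled device_t to the domains that touched it."""
    found = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['tclass'] in ('chr_file', 'blk_file') and rec['ttype'] == 'device_t':
            found.setdefault(rec.get('path', '?'), set()).add(rec['stype'])
    return found

def report(audit_text):
    """One finding line plus the follow-up commands named in the alert text."""
    lines = []
    for path, domains in sorted(mislabeled_devices(audit_text).items()):
        lines.append(f"{path}: labeled device_t, accessed by {', '.join(sorted(domains))}")
        lines.append(f"  compare: ls -lZ {path}; then: restorecon -v '{path}'")
    return lines

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AUDIT)))
```

Only the first record is reported: the second denial targets a unix_dgram_socket owned by unconfined_t, which is a separate issue from the device label.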