From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Thu, 15 Feb 2018 12:40:34 +0100
Subject: [refpolicy] udisks2 and /dev/mem
In-Reply-To: <2454785.LnChbr6P9C@liv>
References: <2454785.LnChbr6P9C@liv>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Feb 14, 2018 at 5:03 AM, Russell Coker via refpolicy wrote:
> type=AVC msg=audit(1518580690.273:39): avc: denied { read } for pid=566
> comm="udisksd" name="mem" dev="devtmpfs" ino=1027
> scontext=system_u:system_r:devicekit_disk_t:s0
> tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
>
> Does anyone know why udisksd from the udisks2 package needs to access /dev/
> mem?

Hi,

I quickly searched the package source and grepped the libraries used by udisksd in order to find which one would access /dev/mem and found nothing. When I install udisks2 in a simple virtual machine which has /dev/mem (the kernels I use are built without CONFIG_DEVMEM), this AVC does not appear. Therefore I can only make a blind guess that a udisksd component is crawling /dev and performs a call to access("/dev/mem") to test whether this file is readable.

Did you have a "type=SYSCALL" entry next to the AVC in audit.log, which would tell whether the denied access was caused by access() or open()?

Nicolas
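The check Nicolas asks for, pairing an AVC record with the SYSCALL record that shares its audit serial so the denied syscall can be named, as an added example that is not part of the thread. The AVC line is the one Russell quoted; the SYSCALL record, the x86_64 arch value and the small syscall-number table are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: the AVC record is the one quoted in the thread,
# the SYSCALL record is made up here to show how the two pair up via the serial
# (the ":39" after the timestamp). arch=c000003e is x86_64, where 21 is access().
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1518580690.273:39): avc:  denied  { read } for  pid=566 comm="udisksd" name="mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1518580690.273:39): arch=c000003e syscall=21 success=no exit=-13 a0=1 a1=4 a2=0 a3=0 items=0 ppid=1 pid=566 comm="udisksd" subj=system_u:system_r:devicekit_disk_t:s0 key=(null)
"""

# Subset of the x86_64 syscall table sufficient to tell access() from open().
X86_64_SYSCALLS = {2: "open", 21: "access", 257: "openat", 269: "faccessat"}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_audit_log(text):
    """Group audit records by event serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        perms = PERMS_RE.search(m.group("body"))
        if perms:
            fields["perm"] = perms.group(1).strip()
        events[m.group("serial")][m.group("type")] = fields
    return events


def explain_avc_denials(text):
    """For every AVC record, name the syscall from the SYSCALL record with the same serial."""
    results = []
    for serial, records in parse_audit_log(text).items():
        avc = records.get("AVC")
        if avc is None:
            continue
        sc = records.get("SYSCALL")
        syscall_name = None  # stays None when auditd logged no SYSCALL record
        if sc is not None and sc.get("arch") == "c000003e":
            syscall_name = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
        results.append({"serial": serial, "comm": avc.get("comm"), "name": avc.get("name"),
                        "tclass": avc.get("tclass"), "perm": avc.get("perm"),
                        "syscall": syscall_name})
    return results
```

A missing SYSCALL record usually means the audit rules or `auditd` were not configured to emit it, so the result carries `None` instead of guessing.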