From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Thu, 15 Feb 2018 12:40:34 +0100
Subject: [refpolicy] udisks2 and /dev/mem
In-Reply-To: <2454785.LnChbr6P9C@liv>
References: <2454785.LnChbr6P9C@liv>
Message-ID: <CAJfZ7==rZfDkbOm1iUGbhVsy9CLOaLQAg3ajk8+LYKVUnH0=sQ@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Feb 14, 2018 at 5:03 AM, Russell Coker via refpolicy
<refpolicy@oss.tresys.com> wrote:
> type=AVC msg=audit(1518580690.273:39): avc:  denied  { read } for  pid=566
> comm="udisksd" name="mem" dev="devtmpfs" ino=1027
> scontext=system_u:system_r:devicekit_disk_t:s0
> tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
>
> Does anyone know why udisksd from the udisks2 package needs to access /dev/
> mem?

Hi,
I quickly searched the package source and grepped the libraries used
by udisksd in order to find which one would access /dev/mem and found
nothing. When I install udisks2 in a simple virtual machine which has
/dev/mem (the kernels I use are built without CONFIG_DEVMEM), this AVC
does not appear.

Therefore I can only make a blind guess that a udisksd component is
crawling /dev and performs a call to access("/dev/mem") to test
whether this file is readable. Did you have a "type=SYSCALL" entry
next to the AVC in audit.log, which would tell whether the denied
access was caused by access() or open()?

Nicolas