From: russell@coker.com.au (Russell Coker)
Date: Thu, 15 Feb 2018 23:36:51 +1100
Subject: [refpolicy] udisks2 and /dev/mem
In-Reply-To:
References: <2454785.LnChbr6P9C@liv>
Message-ID: <2164891.hfskaxh8Hi@liv>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thursday, 15 February 2018 10:40:34 PM AEDT Nicolas Iooss wrote:
> On Wed, Feb 14, 2018 at 5:03 AM, Russell Coker via refpolicy
> wrote:
> > type=AVC msg=audit(1518580690.273:39): avc: denied { read } for pid=566
> > comm="udisksd" name="mem" dev="devtmpfs" ino=1027
> > scontext=system_u:system_r:devicekit_disk_t:s0
> > tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
> >
> > Does anyone know why udisksd from the udisks2 package needs to access
> > /dev/mem?
>
> Hi,
> I quickly searched the package source and grepped the libraries used
> by udisksd in order to find which one would access /dev/mem and found
> nothing. When I install udisks2 in a simple virtual machine which has
> /dev/mem (the kernels I use are built without CONFIG_DEVMEM), this AVC
> does not appear.

This currently only happens on my laptop. I haven't seen it happen on a VM.
It might be related to some aspect of the configuration of my laptop,
encrypted disks or something. Although it doesn't occur on my workstation
with encrypted disks.

> Therefore I can only make a blind guess that a udisksd component is
> crawling /dev and performs a call to access("/dev/mem") to test
> whether this file is readable. Did you have a "type=SYSCALL" entry
> next to the AVC in audit.log, which would tell whether the denied
> access was caused by access() or open()?

It's openat. Thanks for suggesting looking for the syscall, it explains why
my grep for /dev/mem in udisks2 and all the shared objects it loads didn't
turn up any matches. I'll try and get udisks2 to run under gdb and see what
that reveals.

# ausearch --format interpret -a 39
----
type=PROCTITLE msg=audit(14/02/18 14:58:10.273:39) : proctitle=/usr/lib/udisks2/udisksd
type=SYSCALL msg=audit(14/02/18 14:58:10.273:39) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fd666a6bc29 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=566 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udisksd exe=/usr/lib/udisks2/udisksd subj=system_u:system_r:devicekit_disk_t:s0 key=(null)
type=AVC msg=audit(14/02/18 14:58:10.273:39) : avc: denied { read } for pid=566 comm=udisksd name=mem dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
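The question Nicolas raises, whether a denial came from an access() probe or from a real open()/openat(), is something a policy writer has to answer for every AVC before deciding between a dontaudit rule and a real allow rule. The following Python script is an added example, not code from this thread, from udisks2 or from refpolicy: it pairs each raw audit.log AVC record with the SYSCALL record that shares its audit serial and reports the syscall by name. The sample records are constructed: event 39 is the udisksd denial above written back in raw (un-interpreted) form, event 40 is an invented access()-style probe added for contrast, and the syscall number table is a partial x86_64 mapping covering only the numbers the sample uses.

```python
"""Correlate SELinux AVC denials with the SYSCALL record of the same audit event.

Added example, not code from the refpolicy thread. It parses raw audit.log
lines (the form that `ausearch --format interpret` translates) and reports
which syscall produced each denial, so that an access() probe can be told
apart from a real open()/openat() of the object.
"""
import re
from collections import defaultdict

# Partial x86_64 syscall table: assumption, only the numbers this example needs.
SYSCALL_NAMES_X86_64 = {2: "open", 4: "stat", 21: "access", 257: "openat", 262: "newfstatat"}
# Syscalls that only test a path; denials from these are usually directory-walk
# probes rather than an attempt to use the device.
PROBE_SYSCALLS = {"access", "stat", "newfstatat"}

EVENT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: event 39 is the thread's udisksd denial in raw form
# (syscall 257 = openat, exit -13 = EACCES on x86_64); event 40 is an invented
# access() probe with placeholder names; the last line is deliberate noise.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1518580690.273:39): arch=c000003e syscall=257 success=no exit=-13 '
    'a0=ffffffffffffff9c a1=7fd666a6bc29 a2=0 a3=0 items=0 ppid=1 pid=566 auid=4294967295 uid=0 '
    'gid=0 euid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/lib/udisks2/udisksd" '
    'subj=system_u:system_r:devicekit_disk_t:s0 key=(null)',
    'type=AVC msg=audit(1518580690.273:39): avc:  denied  { read } for  pid=566 comm="udisksd" '
    'name="mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 '
    'tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0',
    'type=SYSCALL msg=audit(1518580700.000:40): arch=c000003e syscall=21 success=no exit=-13 '
    'a0=7f0000001000 a1=4 a2=0 a3=0 items=0 ppid=1 pid=900 comm="example-probe" '
    'exe="/usr/bin/example-probe" subj=system_u:system_r:example_t:s0 key=(null)',
    'type=AVC msg=audit(1518580700.000:40): avc:  denied  { read } for  pid=900 comm="example-probe" '
    'name="mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0',
    'this line is not an audit record',
]


def parse_line(line):
    """Parse one raw audit record into a dict; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def syscall_name(sys_rec):
    """Map the SYSCALL record's number to a name; only x86_64 (arch=c000003e) is tabled."""
    if sys_rec is None:
        return None
    if sys_rec.get("arch") != "c000003e":
        return "syscall#%s(arch %s)" % (sys_rec.get("syscall"), sys_rec.get("arch"))
    return SYSCALL_NAMES_X86_64.get(int(sys_rec["syscall"]), "syscall#%s" % sys_rec["syscall"])


def summarize_denials(lines):
    """Group records by audit serial and describe every AVC denial with its syscall."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    summary = []
    for serial in sorted(events):
        recs = events[serial]
        sys_rec = next((r for r in recs if r["type"] == "SYSCALL"), None)
        name = syscall_name(sys_rec)
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("result") != "denied":
                continue
            summary.append({
                "serial": serial, "comm": avc.get("comm"),
                "scontext": avc.get("scontext"), "tcontext": avc.get("tcontext"),
                "tclass": avc.get("tclass"), "perms": avc.get("perms"),
                "object": avc.get("name") or avc.get("path"),
                "syscall": name, "exit": sys_rec.get("exit") if sys_rec else None,
                # True for a path-test syscall, False for a real open, None if no SYSCALL record
                "probe": (name in PROBE_SYSCALLS) if name else None,
            })
    return summary


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_AUDIT_LOG):
        kind = "probe" if d["probe"] else "real access"
        print("event %d: %s denied { %s } on %s (%s) via %s -> %s" % (
            d["serial"], d["scontext"], " ".join(d["perms"]), d["object"],
            d["tclass"], d["syscall"], kind))
```

Against a real log, `summarize_denials(open("/var/log/audit/audit.log"))` works line by line; the number-to-name table is the weak spot, being partial and x86_64-only, so for anything it does not cover fall back to `ausearch --format interpret` or `ausyscall` from the audit package. For the event in the thread the script reports `openat`, i.e. a real open of /dev/mem rather than a path probe, which is why the syscall record mattered to the discussion.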