Bug 267821

Summary: SELinux prevents ivtv firmware from loading
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 7
Status: CLOSED WONTFIX
Severity: low
Priority: medium
Hardware: All
OS: All
Reporter: Anthony Messina <amessina>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Doc Type: Bug Fix
Last Closed: 2007-09-04 17:14:24 UTC

Description Anthony Messina 2007-08-30 16:19:01 UTC
Description of problem:
Aug 30 10:41:41 mythtv-fe1 kernel: audit(1188488355.106:9): avc:  denied  { read } for  pid=1183 comm="firmware_helper" name="v4l-cx2341x-init.mpg" dev=sda3 ino=4570792 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
Aug 30 10:41:41 mythtv-fe1 kernel: ivtv0: unable to open firmware v4l-cx2341x-init.mpg (must be 155648 bytes)
Aug 30 10:41:41 mythtv-fe1 kernel: ivtv0: did you put the firmware in the hotplug firmware directory?
Aug 30 10:41:41 mythtv-fe1 kernel: ivtv0: Initialized Hauppauge WinTV PVR-350, card #0

I'm not sure if this firmware file should have a different context, or if the
firmware_helper should be able to load it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-38.fc7

-rwxr-xr-x  root root system_u:object_r:modules_object_t v4l-cx2341x-init.mpg

How reproducible:
Every time

Steps to Reproduce:
1. modprobe ivtv
  
Actual results:
see above description

Expected results:
firmware_helper should be able to access and load firmware.

Comment 1 Daniel Walsh 2007-08-31 10:18:03 UTC
Where is this file located?  Why does it have this context?

Files in /lib/firmware should be labeled lib_t.

restorecon the file to see if it fixes the label.

Comment 2 Anthony Messina 2007-08-31 10:57:26 UTC
In the /lib/firmware directory, I have:
lrwxrwxrwx  root root system_u:object_r:lib_t v4l-cx2341x-init.mpg -> /lib/modules/v4l-cx2341x-init.mpg

Then in /lib/modules, I have:
-rwxr-xr-x  root root system_u:object_r:modules_object_t v4l-cx2341x-init.mpg

I'm guessing that, due to the symlink having a different (the proper) context,
but the actual file in /lib/modules having the wrong context -- that's why the
issue exists.

Manually changing the context to lib_t in /lib/modules allows the firmware to be
loaded.

Should I report this to the packager and have him change the context of the
actual file in /lib/modules to lib_t, or is there a better way to manage this?

Comment 3 Daniel Walsh 2007-09-01 11:14:40 UTC
I guess the question to ask is why is this file stored in /lib/modules?  If it
is not a kernel module it should be installed in /lib/firmware and everything
would just work.  

Comment 4 Anthony Messina 2007-09-01 12:30:43 UTC
Seeing as though this issue is "fixed" when the context lib_t is applied, I
consider it closed from the Fedora end and have reported it to the ivtv package
maintainer: http://bugzilla.atrpms.net/show_bug.cgi?id=1274
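
The mismatch worked out in comments 2 and 3, as an added example that is not part of the original bug report: a check that lists symlinks in the firmware directory whose resolved target does not carry the lib_t type named in comment 1. The function names and the injectable `get_type` parameter are assumptions made for this illustration.

```python
import os
import sys


def selinux_type(path):
    """SELinux type of path itself; a symlink is not followed."""
    raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    # The xattr holds user:role:type[:level], NUL-terminated.
    return raw.rstrip(b"\0").decode().split(":")[2]


def audit_firmware_links(fw_dir, expected="lib_t", get_type=selinux_type):
    """Find symlinks in fw_dir whose resolved target is not labeled `expected`.

    ls -Z on the directory shows the label of the link, but the AVC check
    for the file read is made against the file the link resolves to.
    Returns (link, link_type, target, target_type) tuples; target_type is
    None for a dangling link. get_type is a hypothetical hook for testing.
    """
    findings = []
    for entry in sorted(os.scandir(fw_dir), key=lambda e: e.name):
        if not entry.is_symlink():
            continue
        target = os.path.realpath(entry.path)
        link_type = get_type(entry.path)
        if not os.path.exists(target):
            findings.append((entry.path, link_type, target, None))
            continue
        target_type = get_type(target)
        if target_type != expected:
            findings.append((entry.path, link_type, target, target_type))
    return findings


if __name__ == "__main__":
    fw_dir = sys.argv[1] if len(sys.argv) > 1 else "/lib/firmware"
    try:
        for link, ltype, target, ttype in audit_firmware_links(fw_dir):
            print(f"{link} ({ltype}) -> {target} ({ttype or 'missing'})")
    except OSError as exc:  # no SELinux xattrs, or directory absent
        sys.exit(f"cannot audit {fw_dir}: {exc}")
```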