Bug 298601

Summary: AVC denied for dellWirelessCtl when called from HAL
Product: [Fedora] Fedora
Reporter: Michael E Brown <mebrown>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: rawhide
CC: matt_domsch, walters
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:19:28 UTC

Description Michael E Brown 2007-09-20 17:05:43 UTC
Description of problem:

AVC denial for HAL callout to dellWirelessCtl. This will prevent HAL from
enabling the wireless radio on Dell laptops.

type=AVC msg=audit(1190300167.303:34): avc:  denied  { read } for  pid=3510
comm="dellWirelessCtl" name="mem" dev=tmpfs ino=2233
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):


How reproducible:

This was reported to me by somebody else... will need to get the reproduce steps
and post them separately. It probably is called when networkmanager tries to
enable the wireless radio.

Talked on IRC, and dellWirelessCtl needs to have a policy that allows it access
to /dev/mem as well as a few files under /sys/.
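
The denial quoted above, parsed field by field and turned into the type-enforcement rule it corresponds to, as an added example that is not part of the original report or of the selinux-policy project. The helper names `parse_avc` and `candidate_rule` are hypothetical, and the second record used in testing is constructed.

```python
import re

# Denial copied from the bug description, line-wrapped as it was posted.
SAMPLE_AVC = """type=AVC msg=audit(1190300167.303:34): avc:  denied  { read } for  pid=3510
comm="dellWirelessCtl" name="mem" dev=tmpfs ino=2233
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file"""

HEAD_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: (?P<result>denied|granted) \{(?P<perms>[^}]*)\} for (?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Parse one AVC audit record (hypothetical helper) into a dict."""
    line = " ".join(text.split())  # undo wrapping and the doubled spaces
    m = HEAD_RE.match(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    rec["result"] = m["result"]
    rec["perms"] = m["perms"].split()
    if "tclass" not in rec or not rec["perms"]:
        raise ValueError("AVC record lacks tclass or permissions")
    for side, key in (("source", "scontext"), ("target", "tcontext")):
        # Context is user:role:type[:level]; the level may itself contain colons.
        parts = rec.get(key, "").split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"missing or malformed {key}")
        rec[side + "_type"] = parts[2]
    return rec


def candidate_rule(rec):
    """Render the allow statement that would silence this denial."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {p};"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(rec["comm"], "->", candidate_rule(rec))
```

The rule's source type is `hald_t`, not anything specific to `dellWirelessCtl`, because the callout runs in HAL's domain; an allow rule written this way grants read access on `memory_device_t` character devices to every program running as `hald_t`.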

Comment 1 Michael E Brown 2007-09-20 17:06:54 UTC
Sorry, truncated the last paragraph when I was transcribing...

Talked to walters on IRC and he suggested opening a bug.

Comment 2 Colin Walters 2007-09-20 18:21:24 UTC
Looking at the HAL policy, we already grant it read-write access to raw disk
devices.  It seems of limited utility to define separate domains for callout
programs which need further specific privileges like raw memory access (sonypic
and mac), and now dellWirelessCtl.

So my basic suggestion would be to merge all three into a highly privileged
hal_callout_t domain.


Comment 3 Daniel Walsh 2007-09-21 18:00:57 UTC
Actually I would like to try to go the other way, and figure out which hal exes
require r/w raw disk, and only give the privs to that exe.

Anyways.

Fixed in selinux-policy-3.0.8-6.fc8

Comment 4 Daniel Walsh 2008-01-30 19:19:28 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.