Bug 458867
| Summary: | SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Bastian <jbastian> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8 | CC: | rvokal |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-11-17 22:05:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
# audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-113.fc8 You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
policy_module(bluetooth_hwdata,1.1);
require {
type bluetooth_t;
type hwdata_t;
}
allow bluetooth_t hwdata_t:file r_file_perms;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you used audit2allow -R you should have gotten miscfiles_read_hwdata(bluetooth_t) Ahh, I didn't use the -R flag. I started with audit2allow -M mypol -l -i /var/log/audit/audit.log as you recommended in comment #1 and it gave me allow bluetooth_t hwdata_t:file read; I loaded the module, tried again, and SELinux blocked it again, this time on getattr. But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro which allowed it to work. Did you mean selinux-policy-3.0.8-114.fc8 in comment #1? It doesn't look like -113 has the fix. Yes I lied. That is why it is often better to user audit2allow -R to get the interface for full access rather then getting them one at a time. Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed. |
Description of problem: SELinux is preventing /usr/sbin/hcid (bluetooth_t) from reading /usr/share/hwdata/oui.txt (hwdata_t). The context is correct on oui.txt; running 'restorecon -v' did not change anything. Raw audit messages: type=AVC msg=audit(1218567016.482:69): avc: denied { read } for pid=2597 comm="hcid" name="oui.txt" dev=dm-0 ino=5507542 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file type=SYSCALL msg=audit(1218567016.482:69): arch=c000003e syscall=2 success=no exit=-13 a0=7f4ae26a96b6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hcid" exe="/usr/sbin/hcid" subj=system_u:system_r:bluetooth_t:s0 key=(null) Version-Release number of selected component (if applicable): bluez-utils-3.20-7.fc8.x86_64 kdebluetooth-1.0-0.37.beta8.fc8.x86_64 selinux-policy-3.0.8-111.fc8.noarch selinux-policy-targeted-3.0.8-111.fc8.noarch How reproducible: Every time Steps to Reproduce: 1. Log in to KDE & launch KBluetooth 2. Right-click on the KBluetooth icon in the System Tray and go to Configuration -> Devices 3. Watch setroubleshoot pop up a window describing the denial Actual results: SElinux prevents hcid from reading oui.txt Expected results: Policy should allow hcid to read oui.txt Additional info: