Bug 458867
| Summary: | SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t) |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | 8 |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | low |
| Priority: | low |
| Hardware: | All |
| OS: | Linux |
| Reporter: | Jeff Bastian <jbastian> |
| Assignee: | Daniel Walsh <dwalsh> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | rvokal |
| Doc Type: | Bug Fix |
| Last Closed: | 2008-11-17 22:05:33 UTC |

Description
Jeff Bastian
2008-08-12 19:07:10 UTC
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-113.fc8

You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
policy_module(bluetooth_hwdata,1.1);

require {
    type bluetooth_t;
    type hwdata_t;
}

allow bluetooth_t hwdata_t:file r_file_perms;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you used audit2allow -R you should have gotten

miscfiles_read_hwdata(bluetooth_t)

Ahh, I didn't use the -R flag. I started with

audit2allow -M mypol -l -i /var/log/audit/audit.log

as you recommended in comment #1 and it gave me

allow bluetooth_t hwdata_t:file read;

I loaded the module, tried again, and SELinux blocked it again, this time on getattr. But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro, which allowed it to work.

Did you mean selinux-policy-3.0.8-114.fc8 in comment #1? It doesn't look like -113 has the fix.

Yes I lied. That is why it is often better to use audit2allow -R to get the interface for full access rather than getting them one at a time.

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
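
The one-permission-at-a-time loop described in the thread (first `read`, then `getattr`) can be seen by grouping AVC denials per source type, target type and class and comparing the result with what the macro grants. The following is an added example, not code from the bug report or from audit2allow; the log lines are constructed, and the expansion of `r_file_perms` to `read getattr lock ioctl` is an assumption about the policy of that era.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the bug report): the denial logged first,
# then the one logged after a module allowing only "read" was loaded.
SAMPLE_LOG = """\
type=AVC msg=audit(1218568030.101:45): avc:  denied  { read } for  pid=2345 comm="hcid" name="oui.txt" dev=dm-0 ino=98765 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=AVC msg=audit(1218568455.202:61): avc:  denied  { getattr } for  pid=2391 comm="hcid" path="/usr/share/hwdata/oui.txt" dev=dm-0 ino=98765 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=SYSCALL msg=audit(1218568455.202:61): arch=40000003 syscall=197 success=no exit=-13 comm="hcid"
"""

# Assumption: r_file_perms expands to these four permissions.
R_FILE_PERMS = {"read", "getattr", "lock", "ioctl"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render raw allow rules, one per (source, target, class) key."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def not_yet_denied(denials, key, macro_perms=R_FILE_PERMS):
    """Macro permissions that no logged denial has exercised so far."""
    return sorted(macro_perms - denials.get(key, set()))

if __name__ == "__main__":
    d = collect_denials(SAMPLE_LOG)
    print("\n".join(allow_rules(d)))
    print("not yet denied:", not_yet_denied(d, ("bluetooth_t", "hwdata_t", "file")))
```

Permissions reported as not yet denied are ones a rule built only from the log would still omit, which is the gap an interface such as `miscfiles_read_hwdata(bluetooth_t)` closes in one step.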