Bug 298601 - AVC denied for dellWirelessCtl when called from HAL
AVC denied for dellWirelessCtl when called from HAL
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-09-20 13:05 EDT by Michael E Brown
Modified: 2008-01-30 14:19 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:19:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michael E Brown 2007-09-20 13:05:43 EDT
Description of problem:

AVC denial for HAL callout to dellWirelessCtl. This will prevent HAL from
enabling the wireless radio on Dell laptops.

type=AVC msg=audit(1190300167.303:34): avc:  denied  { read } for  pid=3510
comm="dellWirelessCtl" name="mem" dev=tmpfs ino=2233
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):

How reproducible:

This was reported to me by somebody else... will need to get the reproduce steps
and post them separately. It probably is called when networkmanager tries to
enable the wireless radio.

Talked on IRC, and dellWirelessCtl needs to have a policy that allows it access
to /dev/mem as well as a few files under /sys/.
Comment 1 Michael E Brown 2007-09-20 13:06:54 EDT
Sorry, truncated the last paragraph when I was transcribing...

Talked to walters@redhat.com on IRC and he suggested opening a bug.
Comment 2 Colin Walters 2007-09-20 14:21:24 EDT
Looking at the HAL policy, we already grant it read-write access to raw disk
devices.  It seems of limited utility to define separate domains for callout
programs which need further specific privileges like raw memory access (sonypic
and mac), and now dellWirelessCtl.

So my basic suggestion would be to merge all three into a highly privileged
hal_callout_t domain.
Comment 3 Daniel Walsh 2007-09-21 14:00:57 EDT
Actually I would like to try to go the other way, and figure out which hal exes
require r/w raw disk, and only give the privs to that exe.


Fixed in selinux-policy-3.0.8-6.fc8
Comment 4 Daniel Walsh 2008-01-30 14:19:28 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.