Bug 298601 - AVC denied for dellWirelessCtl when called from HAL
Summary: AVC denied for dellWirelessCtl when called from HAL
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-20 17:05 UTC by Michael E Brown
Modified: 2008-01-30 19:19 UTC (History)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2008-01-30 19:19:28 UTC
Type: ---
Embargoed:



Description Michael E Brown 2007-09-20 17:05:43 UTC
Description of problem:

AVC denial for HAL callout to dellWirelessCtl. This will prevent HAL from
enabling the wireless radio on Dell laptops.

type=AVC msg=audit(1190300167.303:34): avc:  denied  { read } for  pid=3510
comm="dellWirelessCtl" name="mem" dev=tmpfs ino=2233
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):


How reproducible:

This was reported to me by somebody else... will need to get the reproduce steps
and post them separately. It probably is called when networkmanager tries to
enable the wireless radio.

Talked on IRC, and dellWirelessCtl needs to have a policy that allows it access
to /dev/mem as well as a few files under /sys/.

Comment 1 Michael E Brown 2007-09-20 17:06:54 UTC
Sorry, truncated the last paragraph when I was transcribing...

Talked to walters on IRC and he suggested opening a bug.

Comment 2 Colin Walters 2007-09-20 18:21:24 UTC
Looking at the HAL policy, we already grant it read-write access to raw disk
devices.  It seems of limited utility to define separate domains for callout
programs which need further specific privileges like raw memory access (sonypic
and mac), and now dellWirelessCtl.

So my basic suggestion would be to merge all three into a highly privileged
hal_callout_t domain.


Comment 3 Daniel Walsh 2007-09-21 18:00:57 UTC
Actually I would like to try to go the other way, and figure out which hal exes
require r/w raw disk, and only give the privs to that exe.

Anyways.

Fixed in selinux-policy-3.0.8-6.fc8
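
Added example (not part of the original bug thread or of selinux-policy): a small Python triage script for the denial in the description and the domain-scoping question raised in comments 2 and 3. It parses the AVC record, builds the allow rule the denial maps to, and flags target types that expose raw memory or disk; the SENSITIVE_TYPES set and the function names are assumptions of this example.

```python
import re

# Assumption of this example: target types whose access deserves a dedicated,
# narrowly scoped domain rather than a broader grant to the calling daemon.
SENSITIVE_TYPES = {"memory_device_t", "fixed_disk_device_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def parse_avc(record):
    """Parse one AVC record (possibly line-wrapped) into a dict, or None."""
    m = AVC_RE.search(" ".join(record.split()))  # undo wrapping and double spaces
    if not m:
        return None
    out = {"result": m["result"], "perms": m["perms"].split(),
           "serial": int(m["serial"])}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        out[key] = val.strip('"')
    # An SELinux context is user:role:type[:level]; the type is the third field.
    out["stype"] = out["scontext"].split(":")[2]
    out["ttype"] = out["tcontext"].split(":")[2]
    return out

def review(avc):
    """Return (candidate_rule, warning_or_None) for a parsed AVC record."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"
    warning = None
    if avc["ttype"] in SENSITIVE_TYPES:
        warning = (f"{avc['comm']} runs in {avc['stype']}; granting "
                   f"{avc['ttype']} there extends it to every program in that domain")
    return rule, warning

# The denial from this report, wrapped as it appears in the description.
SAMPLE = """type=AVC msg=audit(1190300167.303:34): avc:  denied  { read } for  pid=3510
comm="dellWirelessCtl" name="mem" dev=tmpfs ino=2233
scontext=system_u:system_r:hald_t:s0
tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file"""

if __name__ == "__main__":
    rule, warning = review(parse_avc(SAMPLE))
    print(rule)
    if warning:
        print("REVIEW:", warning)
```

The flagged case is the one where moving the callout into its own domain keeps the sensitive grant off hald_t itself.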

Comment 4 Daniel Walsh 2008-01-30 19:19:28 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

