First Last Prev Next    This bug is not in your last search results.
Bug 458867 - SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-12 15:07 EDT by Jeff Bastian
Modified: 2008-11-17 17:05 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:05:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jeff Bastian 2008-08-12 15:07:10 EDT 
Description of problem:
SELinux is preventing /usr/sbin/hcid (bluetooth_t) from reading /usr/share/hwdata/oui.txt (hwdata_t).  The context is correct on oui.txt; running 'restorecon -v' did not change anything.

Raw audit messages:
type=AVC msg=audit(1218567016.482:69): avc:  denied  { read } for  pid=2597 comm="hcid" name="oui.txt" dev=dm-0 ino=5507542 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=SYSCALL msg=audit(1218567016.482:69): arch=c000003e syscall=2 success=no exit=-13 a0=7f4ae26a96b6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hcid" exe="/usr/sbin/hcid" subj=system_u:system_r:bluetooth_t:s0 key=(null)


Version-Release number of selected component (if applicable):
bluez-utils-3.20-7.fc8.x86_64
kdebluetooth-1.0-0.37.beta8.fc8.x86_64
selinux-policy-3.0.8-111.fc8.noarch
selinux-policy-targeted-3.0.8-111.fc8.noarch


How reproducible:
Every time

Steps to Reproduce:
1. Log in to KDE & launch KBluetooth
2. Right-click on the KBluetooth icon in the System Tray and go to
   Configuration -> Devices
3. Watch setroubleshoot pop up a window describing the denial
  
Actual results:
SElinux prevents hcid from reading oui.txt

Expected results:
Policy should allow hcid to read oui.txt

Additional info:
Comment 1 Daniel Walsh 2008-08-12 16:16:04 EDT 
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-113.fc8
Comment 2 Jeff Bastian 2008-08-12 16:35:03 EDT 
You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
policy_module(bluetooth_hwdata,1.1);

require {
        type bluetooth_t;
        type hwdata_t;
}

allow bluetooth_t hwdata_t:file r_file_perms;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 3 Daniel Walsh 2008-08-13 11:44:31 EDT 
If you used audit2allow -R you should have gotten

miscfiles_read_hwdata(bluetooth_t)
Comment 4 Jeff Bastian 2008-08-13 12:19:44 EDT 
Ahh, I didn't use the -R flag.  I started with
  audit2allow -M mypol -l -i /var/log/audit/audit.log
as you recommended in comment #1 and it gave me
  allow bluetooth_t hwdata_t:file read;

I loaded the module, tried again, and SELinux blocked it again, this time on getattr.

But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro which allowed it to work.


Did you mean selinux-policy-3.0.8-114.fc8 in comment #1?  It doesn't look like -113 has the fix.
Comment 5 Daniel Walsh 2008-08-13 12:31:06 EDT 
Yes I lied.

That is why it is often better to user audit2allow -R to get the interface for full access rather then getting them one at a time.
Comment 6 Daniel Walsh 2008-11-17 17:05:33 EST 
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.