Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 458867 - SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
Summary: SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-12 19:07 UTC by Jeff Bastian
Modified: 2008-11-17 22:05 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:05:33 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jeff Bastian 2008-08-12 19:07:10 UTC 
Description of problem:
SELinux is preventing /usr/sbin/hcid (bluetooth_t) from reading /usr/share/hwdata/oui.txt (hwdata_t).  The context is correct on oui.txt; running 'restorecon -v' did not change anything.

Raw audit messages:
type=AVC msg=audit(1218567016.482:69): avc:  denied  { read } for  pid=2597 comm="hcid" name="oui.txt" dev=dm-0 ino=5507542 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=SYSCALL msg=audit(1218567016.482:69): arch=c000003e syscall=2 success=no exit=-13 a0=7f4ae26a96b6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hcid" exe="/usr/sbin/hcid" subj=system_u:system_r:bluetooth_t:s0 key=(null)


Version-Release number of selected component (if applicable):
bluez-utils-3.20-7.fc8.x86_64
kdebluetooth-1.0-0.37.beta8.fc8.x86_64
selinux-policy-3.0.8-111.fc8.noarch
selinux-policy-targeted-3.0.8-111.fc8.noarch


How reproducible:
Every time

Steps to Reproduce:
1. Log in to KDE & launch KBluetooth
2. Right-click on the KBluetooth icon in the System Tray and go to
   Configuration -> Devices
3. Watch setroubleshoot pop up a window describing the denial
  
Actual results:
SElinux prevents hcid from reading oui.txt

Expected results:
Policy should allow hcid to read oui.txt

Additional info:
Comment 1 Daniel Walsh 2008-08-12 20:16:04 UTC 
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-113.fc8
Comment 2 Jeff Bastian 2008-08-12 20:35:03 UTC 
You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
policy_module(bluetooth_hwdata,1.1);

require {
        type bluetooth_t;
        type hwdata_t;
}

allow bluetooth_t hwdata_t:file r_file_perms;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comment 3 Daniel Walsh 2008-08-13 15:44:31 UTC 
If you used audit2allow -R you should have gotten

miscfiles_read_hwdata(bluetooth_t)
Comment 4 Jeff Bastian 2008-08-13 16:19:44 UTC 
Ahh, I didn't use the -R flag.  I started with
  audit2allow -M mypol -l -i /var/log/audit/audit.log
as you recommended in comment #1 and it gave me
  allow bluetooth_t hwdata_t:file read;

I loaded the module, tried again, and SELinux blocked it again, this time on getattr.

But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro which allowed it to work.


Did you mean selinux-policy-3.0.8-114.fc8 in comment #1?  It doesn't look like -113 has the fix.
Comment 5 Daniel Walsh 2008-08-13 16:31:06 UTC 
Yes I lied.

That is why it is often better to user audit2allow -R to get the interface for full access rather then getting them one at a time.
Comment 6 Daniel Walsh 2008-11-17 22:05:33 UTC 
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Note You need to log in before you can comment on or make changes to this bug.