Bug 458867 - SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
SELinux is preventing hcid (bluetooth_t) "read" to ./oui.txt (hwdata_t)
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-08-12 15:07 EDT by Jeff Bastian
Modified: 2008-11-17 17:05 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-17 17:05:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jeff Bastian 2008-08-12 15:07:10 EDT
Description of problem:
SELinux is preventing /usr/sbin/hcid (bluetooth_t) from reading /usr/share/hwdata/oui.txt (hwdata_t).  The context is correct on oui.txt; running 'restorecon -v' did not change anything.

Raw audit messages:
type=AVC msg=audit(1218567016.482:69): avc:  denied  { read } for  pid=2597 comm="hcid" name="oui.txt" dev=dm-0 ino=5507542 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=SYSCALL msg=audit(1218567016.482:69): arch=c000003e syscall=2 success=no exit=-13 a0=7f4ae26a96b6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hcid" exe="/usr/sbin/hcid" subj=system_u:system_r:bluetooth_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Log in to KDE & launch KBluetooth
2. Right-click on the KBluetooth icon in the System Tray and go to
   Configuration -> Devices
3. Watch setroubleshoot pop up a window describing the denial
Actual results:
SElinux prevents hcid from reading oui.txt

Expected results:
Policy should allow hcid to read oui.txt

Additional info:
Comment 1 Daniel Walsh 2008-08-12 16:16:04 EDT
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-113.fc8
Comment 2 Jeff Bastian 2008-08-12 16:35:03 EDT
You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:


require {
        type bluetooth_t;
        type hwdata_t;

allow bluetooth_t hwdata_t:file r_file_perms;
Comment 3 Daniel Walsh 2008-08-13 11:44:31 EDT
If you used audit2allow -R you should have gotten

Comment 4 Jeff Bastian 2008-08-13 12:19:44 EDT
Ahh, I didn't use the -R flag.  I started with
  audit2allow -M mypol -l -i /var/log/audit/audit.log
as you recommended in comment #1 and it gave me
  allow bluetooth_t hwdata_t:file read;

I loaded the module, tried again, and SELinux blocked it again, this time on getattr.

But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro which allowed it to work.

Did you mean selinux-policy-3.0.8-114.fc8 in comment #1?  It doesn't look like -113 has the fix.
Comment 5 Daniel Walsh 2008-08-13 12:31:06 EDT
Yes I lied.

That is why it is often better to user audit2allow -R to get the interface for full access rather then getting them one at a time.
Comment 6 Daniel Walsh 2008-11-17 17:05:33 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.