Description of problem:
SELinux is preventing /usr/sbin/hcid (bluetooth_t) from reading /usr/share/hwdata/oui.txt (hwdata_t). The context is correct on oui.txt; running 'restorecon -v' did not change anything.

Raw audit messages:
type=AVC msg=audit(1218567016.482:69): avc: denied { read } for pid=2597 comm="hcid" name="oui.txt" dev=dm-0 ino=5507542 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=SYSCALL msg=audit(1218567016.482:69): arch=c000003e syscall=2 success=no exit=-13 a0=7f4ae26a96b6 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hcid" exe="/usr/sbin/hcid" subj=system_u:system_r:bluetooth_t:s0 key=(null)

Version-Release number of selected component (if applicable):
bluez-utils-3.20-7.fc8.x86_64
kdebluetooth-1.0-0.37.beta8.fc8.x86_64
selinux-policy-3.0.8-111.fc8.noarch
selinux-policy-targeted-3.0.8-111.fc8.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Log in to KDE & launch KBluetooth
2. Right-click on the KBluetooth icon in the System Tray and go to Configuration -> Devices
3. Watch setroubleshoot pop up a window describing the denial

Actual results:
SELinux prevents hcid from reading oui.txt

Expected results:
Policy should allow hcid to read oui.txt

Additional info:
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-113.fc8
You probably have something similar in selinux-policy-3.0.8-113.fc8, but here was my policy to fix this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
policy_module(bluetooth_hwdata,1.1);

require {
        type bluetooth_t;
        type hwdata_t;
}

allow bluetooth_t hwdata_t:file r_file_perms;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you used audit2allow -R you should have gotten miscfiles_read_hwdata(bluetooth_t)
Ahh, I didn't use the -R flag. I started with

audit2allow -M mypol -l -i /var/log/audit/audit.log

as you recommended in comment #1 and it gave me

allow bluetooth_t hwdata_t:file read;

I loaded the module, tried again, and SELinux blocked it again, this time on getattr. But rather than running audit2allow again, I looked in some other policies I'd experimented with in the past and tried the r_file_perms macro which allowed it to work.

Did you mean selinux-policy-3.0.8-114.fc8 in comment #1? It doesn't look like -113 has the fix.
Yes I lied. That is why it is often better to use audit2allow -R to get the interface for full access rather than getting them one at a time.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.