Problems with firmware loader and selinux
Stephen Smalley
sds at tycho.nsa.gov
Fri Apr 1 13:26:18 UTC 2005
On Thu, 2005-03-31 at 17:39 -0500, Dmitry Torokhov wrote:
> I have a FC3 with day-before-yesterday pull from Linus and
> selinux-policy-targeted installed from rawhide. Everything seems to be
> working fine except for my wireless card (prism54), which can't get
> its firmware loaded. It looks like selinux policy prevents firmware
> loader to create "firmware" class device. I get avc denied search
> message for process /sbin/ip (which is ifconfig_t) and tcontext is
> sysfs_t. It looks like the rights are inherited from "ip" markings
> whereas I would say that firmware loader should operate in
> completely different context.
Module initialization runs in the context of the process that performs
the insertion. There is no other context at that point; if the module
creates kernel threads and reparents/daemonizes them, they will pick up
the kernel's context for subsequent operations. In the short term (i.e.
until FC3 policy gets updated to allow this), you can customize your
policy sources, e.g.:

    yum install selinux-policy-targeted-sources
    cd /etc/selinux/targeted/src/policy
    audit2allow -d -l -o domains/misc/local.te
    <review domains/misc/local.te and remove anything you didn't want to allow>
    make load

--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
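
Added example, not part of the original message and not audit2allow's own code: a small Python sketch of the denial-to-rule step and the review step from the procedure above. The log lines are constructed; the pid, inode, user/role fields, tclass values and the second (file) denial are assumptions, and only the ifconfig_t / sysfs_t / search combination comes from the report.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the original post). The first mirrors the
# report above: /sbin/ip in ifconfig_t denied "search" on a sysfs_t object;
# tclass=dir, pid, inode and the user/role fields are assumed.
SAMPLE_LOG = """\
audit(1112300000.101:0): avc:  denied  { search } for  pid=2101 exe=/sbin/ip name=firmware dev=sysfs ino=4711 scontext=root:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1112300000.102:0): avc:  denied  { search } for  pid=2101 exe=/sbin/ip name=firmware dev=sysfs ino=4711 scontext=root:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1112300000.103:0): avc:  denied  { read write } for  pid=2101 exe=/sbin/ip name=loading dev=sysfs ino=4712 scontext=root:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1112300000.104:0): avc:  granted  { search } for  pid=1 exe=/sbin/init scontext=system_u:system_r:init_t tcontext=system_u:object_r:sysfs_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # user:role:type[:mls-range] -> the type is always the third field
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skips "granted" records and non-AVC lines
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def needs_review(rule, wanted_perms=frozenset({"search"})):
    """Flag rules that grant more than the access you meant to allow."""
    granted = set(re.sub(r"[{};]", " ", rule.split(":", 1)[1]).split()[1:])
    return not granted <= wanted_perms

if __name__ == "__main__":
    for r in denials_to_rules(SAMPLE_LOG):
        print(("REVIEW  " if needs_review(r) else "ok      ") + r)
```

Rules flagged REVIEW are the ones to read closely in local.te before running make load, since every denial in the log becomes an allow rule unless it is removed by hand.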