[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problems with firmware loader and selinux



On Thu, 2005-03-31 at 17:39 -0500, Dmitry Torokhov wrote:
> I have a FC3 with day-before-yesterday pull from Linus and
> selinux-policy-targeted installed from rawhide. Everything seems to be
> working fine ecxept for my wireless card (prism54), which can't get
> it's firmware loaded. It looks like selinux policy prevents firmware
> loader to create "firmware" class device. I get avc denied search
> message for process /sbin/ip (which is ifconfig_t) and tcontext is
> sysfs_t. It looks like the rights are inherited from "ip" markings
> whereas I would say that firmware loader is should operate in
> completely different context.

Module initialization runs in the context of the process that performs
the insertion.  There is no other context at that point; if the module
creates kernel threads and reparents/daemonize's them, they will pick up
the kernel's context for subsequent operations.  In the short term (i.e.
until FC3 policy gets updated to allow this), you can customize your
policy sources, e.g.:
	yum install selinux-policy-targeted-sources
	cd /etc/selinux/targeted/src/policy
	audit2allow -d -l -o domains/misc/local.te
	<review domains/misc/local.te and remove anything you didn't want to allow>
	make load

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]