On Thu, 2005-03-31 at 17:39 -0500, Dmitry Torokhov wrote:
> I have a FC3 with day-before-yesterday pull from Linus and
> selinux-policy-targeted installed from rawhide. Everything seems to be
> working fine except for my wireless card (prism54), which can't get
> its firmware loaded. It looks like selinux policy prevents firmware
> loader to create "firmware" class device. I get avc denied search
> message for process /sbin/ip (which is ifconfig_t) and tcontext is
> sysfs_t. It looks like the rights are inherited from "ip" markings
> whereas I would say that firmware loader should operate in
> completely different context.

Module initialization runs in the context of the process that performs
the insertion. There is no other context at that point; if the module
creates kernel threads and reparents/daemonizes them, they will pick
up the kernel's context for subsequent operations.

In the short term (i.e. until FC3 policy gets updated to allow this),
you can customize your policy sources, e.g.:

    yum install selinux-policy-targeted-sources
    cd /etc/selinux/targeted/src/policy
    audit2allow -d -l -o domains/misc/local.te
    <review domains/misc/local.te and remove anything you didn't want to allow>
    make load

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
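
The review step in the message above is easier with a picture of what ends up in local.te. This Python sketch is an added example, not part of the original message and not audit2allow's own code: it turns AVC denials logged after the last policy load into candidate allow rules. The log lines are constructed, and their pid, name, dev, ino and tclass values and the load_policy marker line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel log (not from the original message); pid, name,
# dev, ino, tclass and the load_policy marker line are illustrative assumptions.
SAMPLE_LOG = """\
audit(1112308700.001:0): avc:  denied  { getattr } for  pid=2001 exe=/sbin/ip name=loading dev=sysfs ino=4243 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1112308720.000:0): avc:  granted  { load_policy } for  pid=2050 exe=/usr/sbin/load_policy scontext=root:system_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
audit(1112308740.101:0): avc:  denied  { search } for  pid=2101 exe=/sbin/ip name=firmware dev=sysfs ino=4242 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1112308740.102:0): avc:  denied  { read } for  pid=2101 exe=/sbin/ip name=loading dev=sysfs ino=4243 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1112308740.103:0): avc:  denied  { search } for  pid=2101 exe=/sbin/ip name=firmware dev=sysfs ino=4242 scontext=user_u:system_r:ifconfig_t tcontext=system_u:object_r:sysfs_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A security context is user:role:type; policy rules are written on the type.
    return context.split(":")[2]

def candidate_rules(log_text, since_last_load=True):
    lines = log_text.splitlines()
    if since_last_load:
        # Keep only what was logged after the most recent policy load marker.
        for i in range(len(lines) - 1, -1, -1):
            if "granted" in lines[i] and "load_policy" in lines[i]:
                lines = lines[i + 1:]
                break
    perms = defaultdict(set)  # (source type, target type, class) -> permissions
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            perms[key].update(m["perms"].split())
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Each rule is keyed on the source type, so it grants the access to every process running as ifconfig_t rather than to the firmware loader alone, which is what to weigh when deciding which lines of local.te to keep.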