Re: dmesg avcs

[Daniel J Walsh <dwalsh redhat com>]

Josh Boyer wrote:

> This is my first stab at working with selinux, so be gentle ;).
>
> I am getting these avc messages when I run dmesg:
>
> avc:  denied  { use } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= ino=4 
> scontext=root:system_r:dmesg_t tcontext=jwboyer:user_r:user_t tclass=fd
>
> avc:  denied  { read write } for  pid=2674 exe=/bin/dmesg path=/dev/pts/2 dev= 
> ino=4 scontext=root:system_r:dmesg_t tcontext=root:object_r:user_devpts_t 
> tclass=chr_file
>
> So in the dmesg.te file, i defined the following rules:
>
> allow dmesg_t user_devpts_t:chr_file { read write getattr };
> allow dmesg_t user_t:fd { use };
>
> does that look correct?  from my understanding, the 2 rules i added allow the 
> dmesg_t domain read, write, and getattr access to pts char files...
>
>  
Yes, but this might not be necessary.  If the dmesg code was working 
correctly and you saw these messages you might want to dontaudit them. 

dontaudit dmesg_t userdomain:fd { use }; 
Would eliminate the terminal error for all userdomains (user, staff and 
sysadm).

> josh
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>